
FBI Failed To Break Encryption of Hard Drives

kdawson posted more than 3 years ago | from the deploy-the-quantum-computer dept.

Crime 486

benoliver writes to let us know that the FBI has failed to decrypt files of a Brazilian banker accused of financial crimes by Brazilian law enforcement, after a year of attempts. Five hard drives were seized by federal police at the apartment of banker Daniel Dantas, in Rio de Janeiro, during Operation Satyagraha in July 2008. (The link is to a Google translation of the original article in Portuguese.) The article in English mentions two encryption programs, one Truecrypt and the other unnamed. 256-bit AES was used, and apparently both the Brazilian police and the FBI tried dictionary attacks against it. No Brazilian law exists to force Dantas to produce the password(s).


486 comments

is waterboarding next to get the info? (4, Insightful)

Joe The Dragon (967727) | more than 3 years ago | (#32703674)

is waterboarding next to get the info?

Re:is waterboarding next to get the info? (-1, Troll)

Anonymous Coward | more than 3 years ago | (#32703704)

Fuck no, you know the govt rats are in on this.

They're probably going to take him to a porno barbeque in Aspen and go SNOWboarding.

Re:is waterboarding next to get the info? (4, Insightful)

countertrolling (1585477) | more than 3 years ago | (#32703716)

That's not offtopic. If they want the info bad enough, that is what they will do. And nobody will be able to prove a damn thing.

Re:is waterboarding next to get the info? (5, Informative)

keeboo (724305) | more than 3 years ago | (#32704016)

That's not offtopic. If they want the info bad enough, that is what they will do. And nobody will be able to prove a damn thing.

In Brazil, proofs produced by illegal means cannot be used (Federal Constitution, Art. 5, Inc. LVI).

Also, committing a crime in order to produce proofs is aggravated up to a 1/3 (Decree-Law 2.848, Art. 342, Par. 1).

Re:is waterboarding next to get the info? (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#32704042)

I'm guessing there's laws against it in the U.S. too, that didn't stop them. What makes you think they're beyond it in South America? The fact that you live there, perhaps? Quite narcissistic, but that seems to be the norm for Brazilians.

Re:is waterboarding next to get the info? (-1, Offtopic)

lawpoop (604919) | more than 3 years ago | (#32704162)

Not to nitpick, but in American English, it's called evidence. Thanks for your insightful comments, sorry to be pedantic!

Re:is waterboarding next to get the info? (1, Funny)

Dahamma (304068) | more than 3 years ago | (#32703972)

No, they just need to send it to Wikileaks and tell them it's a video of waterboarding.

Wrong dictionary. (5, Funny)

AnonymousClown (1788472) | more than 3 years ago | (#32703684)

...both the Brazilian police and the FBI tried dictionary attacks against it

They should have used a Portuguese dictionary not an English one! Geeze! Folks are soooooo US centric!

Re:Wrong dictionary. (5, Funny)

Anonymous Coward | more than 3 years ago | (#32703712)

Fifty bucks says the password is GOOOOOOOOOOOOOOOOOOOOOOOOAL!

Re:Wrong dictionary. (2, Funny)

NotQuiteReal (608241) | more than 3 years ago | (#32703998)

Fifty bucks says the password is GOOOOOOOOOOOOOOOOOOOOOOOOAL!

Good luck with that. Even though goals are few and far between, in a game, there is an infinite number of ways of saying it...

GOOOOOOOOOOOOOOOOOOOOOOOOAL!
GOOOOOOOOOOOOOOOOOOOOOOOOOAL!
GOOOOOOOOOOOOOOOOOOOOOOOOOOAL!
GOOOOOOOOOOOOOOOOOOOOOOOOOOOAL!
GOOOOOOOOOOOOOOOOOOOOOOOOOOOOAL!
etc.

Re:Wrong dictionary. (2, Insightful)

slimjim8094 (941042) | more than 3 years ago | (#32703824)

To be fair, the US FBI probably *should* be US-centric. We already have a whole group of people who do the same thing, but specifically *not* US-centric.

Re:Wrong dictionary. (4, Funny)

drinkypoo (153816) | more than 3 years ago | (#32703946)

...both the Brazilian police and the FBI tried dictionary attacks against it

They should have used a Portuguese dictionary not an English one! Geeze! Folks are soooooo US centric!

I suggest using the OED. Place the subject's testicles on top of volume one*...
* If using a single-volume edition, open to the end of letter 'M'. Fair results can be had with the use of electronic editions, but the technique is not recommended.

That's what they *want* you to believe (5, Informative)

Anonymous Coward | more than 3 years ago | (#32703686)

Just because you're paranoid does NOT mean that no one's out to get you.

And you KNOW the government is out to get you.

Wrong Agency (0, Troll)

b4upoo (166390) | more than 3 years ago | (#32703722)

The FBI has never been a leader in computer technology. Other agencies such as NSA can probably crack that encryption with ease if not instantaneously.
I have often wondered if these encryption programs were not let loose by our government so that they would always be able to examine file contents.
As far as I know only a program that uses a one time pad is truly secure and I feel that even that would be suspect unless one took the time to create his own pad.

Re:Wrong Agency (5, Informative)

DarkDespair5 (1179263) | more than 3 years ago | (#32703788)

No, AES has been independently vetted and attacked by multiple security organizations. The only flaws that have been discovered in the algorithm are minor and inconsequential. The NSA is a double-edged sword - they help with useful security tools such as SELinux as well as their traditional spook espionage. The NSA can't crack AES even with a supercomputer (right now, and only if the user has a decent password and/or 2-factor authentication).

Re:Wrong Agency (1)

GWRedDragon (1340961) | more than 3 years ago | (#32703920)

This is a locally encrypted file...they don't need to crack the AES key, they just need to brute force the password. Because it is highly unlikely that the password characters are uniformly distributed (more likely a few special characters only), a large distributed attack should be able to 'crack' it with much less difficulty than reversing the AES itself.

It is not crazy to think that the NSA could have this capability.

Re:Wrong Agency (3, Insightful)

gweihir (88907) | more than 3 years ago | (#32704066)

If the passphrase has more than 256 bits, brute-forcing it is less efficient by a fair margin, than direct guessing. On the practical side, passphrase guessing likely becomes very expensive for something like 50+ bits of entropy with a good key-setup. Keep in mind that the key-setup may make you work for, e.g., 1 sec of CPU time per guess. With 50 bits, that is (assuming an EC3 small unit for simplicity) around 25 Billion USD for the crack. For every 10 additional bits, add a factor of 1000. With this money, you can build special-purpose hardware, but incidentally, that is likely only going to be faster but not cheaper.

Re:Wrong Agency (3, Interesting)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#32704124)

If the key is also stored on the drive, protected only by a password, it isn't merely "not crazy to think that the NSA could have this capability" it is "crazy to think that random script-kiddies do not have this capability".

Most people pick lousy passwords. Brute-forcing them is restricted only by the speed of your hardware(and password-guessing is one of those conveniently parallel problems that scales with almost perfect linearity across however many nodes you want to throw at it).

Either this guy is way above average when it comes to picking good passwords, or the key was, in fact, stored separately and never located, or (tinfoil hat) they actually cracked his password three years ago, didn't find enough evidence to build a case, and would rather "admit defeat", and encourage other malefactors to trust in their encryption, than just admit that they don't have a case....

Re:Wrong Agency (1)

edman007 (1097925) | more than 3 years ago | (#32704158)

Depends on how the password was generated, assuming I restricted myself just to lower case letters, then every letter can encode ~4.7 bits of information, that means a 55 letter sentence is going to encode more information than a 256-bit AES key, an average sized sentence is going to be long enough to do that, and even taking into account the patterns in language that sentence can still theoretically encode more than the 256-bit keys.

And if you're smart you don't use a password, you use just a random number stored in a file and encrypt that with a password but store it on a separate device, I think they would find it hard to say that destroying a key is destroying the evidence and they would have to prove you actually destroyed it.
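The arithmetic behind gweihir's cost estimate and edman007's bits-per-letter figure above, as an added example that is not code from any commenter or from TrueCrypt. Assumptions: passphrase characters are chosen uniformly at random (natural-language sentences carry far less entropy per character), PBKDF2-HMAC-SHA512 stands in for "a good key-setup", and the 0.08 USD per CPU-hour price is a constructed figure chosen because it reproduces the comment's "around 25 Billion USD".

```python
import hashlib
import math
import time

AES256_BITS = 256

# Alphabet sizes for passphrases whose characters are chosen uniformly at random.
ALPHABETS = {
    "lowercase a-z": 26,
    "letters + digits": 62,
    "printable ASCII": 95,
}


def bits_per_char(alphabet_size):
    """Entropy of one uniformly random character, in bits."""
    return math.log2(alphabet_size)


def chars_needed(alphabet_size, target_bits=AES256_BITS):
    """Shortest random passphrase carrying at least target_bits of entropy."""
    return math.ceil(target_bits / bits_per_char(alphabet_size))


def measure_key_setup(iterations, rounds=3):
    """Best-of-N wall time for one PBKDF2-HMAC-SHA512 derivation, in seconds."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        # Constructed password and salt; only the timing matters here.
        hashlib.pbkdf2_hmac("sha512", b"constructed guess", b"constructed salt",
                            iterations, dklen=32)
        best = min(best, time.perf_counter() - start)
    return best


def iterations_for(target_seconds, probe_iterations=20_000):
    """Iteration count that makes one derivation take about target_seconds here."""
    per_iteration = measure_key_setup(probe_iterations) / probe_iterations
    return max(1, round(target_seconds / per_iteration))


def exhaustive_cost_usd(entropy_bits, seconds_per_guess, usd_per_cpu_hour):
    """Cost of trying every passphrase in a space of 2**entropy_bits."""
    cpu_hours = (2 ** entropy_bits) * seconds_per_guess / 3600
    return cpu_hours * usd_per_cpu_hour


if __name__ == "__main__":
    print("Random characters needed to match a 256-bit key:")
    for name, size in ALPHABETS.items():
        print(f"  {name:18s} {bits_per_char(size):.2f} bits/char -> "
              f"{chars_needed(size)} chars")

    print(f"\nPBKDF2 iterations for ~1 s per guess on this machine: "
          f"{iterations_for(1.0):,}")

    print("\nCost to exhaust the space at 1 s per guess, 0.08 USD per CPU-hour:")
    for bits in (40, 50, 60, 70):
        print(f"  {bits} bits: {exhaustive_cost_usd(bits, 1.0, 0.08):.3e} USD")
```

Each extra 10 bits multiplies the cost by 1024, which is the "factor of 1000" in the comment; the key-setup time per guess scales the whole curve linearly.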

Re:Wrong Agency (1)

russ1337 (938915) | more than 3 years ago | (#32703928)

That might be true of AES, but it also depends on the implementation of AES in the application where it is being used. As long as the implementation of AES isn't flawed in Truecrypt. The FBI / NSA also have the source code to look for potential weaknesses.

Perhaps if they don't find any weaknesses and find the implementation IS correct they will grant it FIPS compliance so my company can use it.....(and save us a fortune).

Weakest link? (4, Insightful)

Alwin Henseler (640539) | more than 3 years ago | (#32703952)

No, AES has been independently vetted and attacked by multiple security organizations. The only flaws that have been discovered in the algorithm are minor and inconsequential.

That only matters if the implementation used doesn't have any important flaws. And a password wasn't stored anywhere by accident or 'overlooked mechanism' (caches etc). And the chosen keylength was enough to make brute-force attack unfeasible. And nobody else has/leaks password.

They don't have to crack a tried & tested algorithm, they only have to find the weakest link. Surely there's many links, most of those weaker than the algorithm itself.

Re:Weakest link? (0)

Anonymous Coward | more than 3 years ago | (#32704038)

Good luck cracking my 60+ character passwords I use just with a brute force.

Re:Wrong Agency (0)

Anonymous Coward | more than 3 years ago | (#32704000)

The NSA can't crack AES even with a supercomputer (right now, and only if the user has a decent password and/or 2-factor authentication).

The problem is the "decent password" part. Technically you need a 32 byte password. And by "byte" I mean binary. That's about a 96 character text password... and it needs to be completely random

Pretty frickin hard to remember a completely random password that long.

Shorter passwords can be brute forced relatively quickly with common hardware.

Re:Wrong Agency (0)

Anonymous Coward | more than 3 years ago | (#32704056)

I'm confused by your statement. Wouldn't a 32 byte password be 32 characters?

Re:Wrong Agency (0)

Anonymous Coward | more than 3 years ago | (#32704084)

No - you can represent the entire set of characters on your keyboard with roughly 6 bits - not the 8 bits of a full byte.

Re:Wrong Agency (2, Insightful)

Anonymous Coward | more than 3 years ago | (#32703804)

*offers b4upoo a roll of tinfoil and a bag containing 26 scrabble tiles*

Re:Wrong Agency (5, Insightful)

Anonymous Coward | more than 3 years ago | (#32703828)

Other agencies such as NSA can probably crack that encryption with ease if not instantaneously

Stop believing in spy movies.

Re:Wrong Agency (1)

TubeSteak (669689) | more than 3 years ago | (#32703872)

Other agencies such as NSA can probably crack that encryption with ease if not instantaneously.

Anyone serious about their security will use long passwords.
Even with supercomputer time, you're never going to crack anything the length of "the quick brown fox jumps over the lazy dog" (43 characters)

Re:Wrong Agency (1)

morgan_greywolf (835522) | more than 3 years ago | (#32703986)

Not never. Given enough time and CPU cycles, anything stored locally can be cracked. It's just a matter of how long you want to wait.

Re:Wrong Agency (2, Funny)

amRadioHed (463061) | more than 3 years ago | (#32704004)

You never want to wait longer than the heat-death of the universe, and most of the time the length of a human life time is sufficient. Anything longer than that counts as never.

Re:Wrong Agency (1)

morgan_greywolf (835522) | more than 3 years ago | (#32704112)

Assuming AES has absolutely no exploitable flaw, the key has sufficient entropy, etc., you'd have to wait for the death-heat of the universe.

However, as I said, given enough time and CPU, anything stored locally is crackable. That's because there are no encryption methods with absolutely no exploitable flaws and password-based keys almost never have sufficient entropy.

Re:Wrong Agency (3, Insightful)

gweihir (88907) | more than 3 years ago | (#32704078)

Not never. Given enough time and CPU cycles, anything stored locally can be cracked. It's just a matter of how long you want to wait.

Wrong. There is a finite amount of matter and energy (and hence computing power) in the universe. With AES 256 these limits are already very close and possibly exceeded.

Re:Wrong Agency (1)

Ephemeriis (315124) | more than 3 years ago | (#32704108)

Not never. Given enough time and CPU cycles, anything stored locally can be cracked. It's just a matter of how long you want to wait.

Close enough to never that it really doesn't matter.

With modern technology the sun will have swallowed the Earth before you crack that disk.

But even if we see significant improvements in technology and we manage to crack the disk in just 50-100 years, that's probably effectively "never" as you'll likely be close enough to death not to really care too much about the incriminating evidence getting out.

Hell, even 10-20 years might as well be "never" if it exceeds the statute of limitations

Re:Wrong Agency (1)

betterunixthanunix (980855) | more than 3 years ago | (#32703874)

Other agencies such as NSA can probably crack that encryption with ease if not instantaneously.

Doubtful, we are not talking about a cipher that was created by some guy in his spare time -- this is a cipher that has been tested by numerous experts and cryptology researchers around the world. Unless the NSA has some secret way to break the code, which is possible but they probably would not want to let everyone know about over something like this, I doubt that they could crack it.

Re:Wrong Agency (0)

Anonymous Coward | more than 3 years ago | (#32703942)

Well, given that DARPA project to do a 1 exaflop computer, if NSA has anything comparable already, they could presumably factor a 1024 bit key in a matter of minutes, extrapolating from estimates for a personal computer with terabytes of disc and memory attacking a 1024 bit key

Re:Wrong Agency (2, Insightful)

marcansoft (727665) | more than 3 years ago | (#32703980)

Hard drive encryption has nothing to do with public-key encryption, much less public-key encryption using smallish keys (by today's standards, 1024 is practically insecure).

Symmetric encryption keysizes are not comparable to public key encryption keysizes. 128-bit AES keys are unbreakable today, and 256-bit keys are just healthy overkill.

Re:Wrong Agency (2, Insightful)

rolfwind (528248) | more than 3 years ago | (#32703904)

The FBI has never been a leader in computer technology. Other agencies such as NSA can probably crack that encryption with ease if not instantaneously. I have often wondered if these encryption programs were not let loose by our government so that they would always be able to examine file contents. As far as I know only a program that uses a one time pad is truly secure and I feel that even that would be suspect unless one took the time to create his own pad.

The government has a vested interest in appearing a lot more competent or advanced than they are. Then I look at the Gulf Oil Spill and know otherwise.

If the NSA could have unlocked it for them, I believe the FBI would have been there in a split second. They probably already asked.

Gotta ask, does AES have a backdoor that they can go "compel" an organization to give them the keys to it? Seems like shaky ground to secure data on, but the article mentions it.

This guy is not American (2, Interesting)

mangu (126918) | more than 3 years ago | (#32704054)

If the NSA could have unlocked it for them, I believe the FBI would have been there in a split second. They probably already asked.

It could even be that the NSA was asked first and failed, then they sent it to the FBI.

Daniel Dantas was involved in many shady operations, including one when the MCI company, which has used some funny accounting, [wikipedia.org] bought Brazilian Embratel [wikipedia.org] .

It was the Brazilian federal government which asked the US government for help in cracking that encryption. International cooperation among different countries' law enforcement agencies often happens in crimes involving international money laundering, so probably the US state department went to some effort to find which agency was the most likely to decrypt those disks.

Re:Wrong Agency (0)

Anonymous Coward | more than 3 years ago | (#32703936)

Yesterday, the FBI was found to be run by aliens, hiding major secrets that would make big oil obsolete, and capable of breaking every mathematical law in the known universe in under 7 micro-seconds. Today, however, the NSA scoffed at the capabilities of the FBI and said, "Oh really? That's sooooo 1990's. Have you seen our awesome zap gun that breaks all encryption instantaneously? You haven't? Pffff, all we got was a ton of porn on the computers we tested."

Re:Wrong Agency (2, Funny)

aristotle-dude (626586) | more than 3 years ago | (#32704028)

Actually, this would not be unprecedented. I have heard of stories where the FBI sent macs and linux machines to CSIS (Canada's spy agency) because the FBI guys only knew how to crack into windows machines.

Try someone else next time. (0)

Anonymous Coward | more than 3 years ago | (#32703724)

Give it to the NSA and wait five minutes.

The universe would suffer thermal death (1)

assemblerex (1275164) | more than 3 years ago | (#32703726)

before they break 256-bit aes. Even if computer power somehow went up magnitudes
the sun would go nova before they crack the encryption.

Re:The universe would suffer thermal death (1)

DarkDespair5 (1179263) | more than 3 years ago | (#32703766)

Right now, yes, but it is unwise to predict limits to technology.

Re:The universe would suffer thermal death (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#32703820)

Such as:

640k should be enough for anybody.
There exists a market for up to 5 computers worldwide.
2400 baud is the theoretical limit of phone line data transfer.

Re:The universe would suffer thermal death (1)

Seth024 (1241160) | more than 3 years ago | (#32703994)

Yes, but you can predict limits to the (currently accepted) laws of physics.

Ultimate Physical limits to computation, Seth Lloyd - Nature, vol 406, 31 august 2000 (hopefully not too outdated)

a quote from the article: "The ultimate laptop performs 5.4258 * 10^50 logical operations per second." (that's about 2^170)
You can definitely predict limits to computation. Even the most powerful machine would need a long time to go through all combinations of AES-256.

Re:The universe would suffer thermal death (1)

Noughmad (1044096) | more than 3 years ago | (#32704168)

I went and found your article. (BTW, is reading articles that are not TFA ok here, or is every article a taboo?)

Can't you always make more of them, or put more energy into one? What's our best estimate for the total energy of the universe?

Re:The universe would suffer thermal death (1, Informative)

Anonymous Coward | more than 3 years ago | (#32703838)

Stop citing things inaccurately enough to be a myth.

The universe would suffer heat death. Before someone cracked the encryption. Using brute force. Via exhaustive search of keyspace. Utilizing techniques currently understood by science and the present beliefs of the laws of thermodynamics. FULL STOP. Hi, Quantum Computing....you ready yet?

You'll note many other possibilities now exist--including algorithmic weaknesses, birthday attacks, and such. I use a *good* password for a few things. But even based off of standard ASCII (too american to remember unicode), and assuming a space of the full upper/lower alphas and numerics, plus {-_+= [] }

with NO reasonable assumptions about distribution and entropy--gives me an entropy of 4.24bits per character. In practice it's probably only about 3 for me instead of the standard assumed 2.8.

Well in excess of the average (written english) language. Utilizing a password of approximately 30 characters, that's ONLY 132 bits of entropy. Well shy of 256.

There's all types of cryptographic techniques to expand a password into a suitable key--but that's just scattering the space and diffusing the entropy around some. 128 is crackable using current technology.

Sure, I can get a key with 256 bits of entropy--but it'll either come from a passage I've memorized in a book (not a very good one), or get stored on physical media. Weakness.

Re:The universe would suffer thermal death (1)

moosehooey (953907) | more than 3 years ago | (#32703870)

Please cite your source about cracking 128-bit encryption, I don't think this is true.

Re:The universe would suffer thermal death (1)

swilver (617741) | more than 3 years ago | (#32703990)

Why so difficult? How about I just generate a random 256-bit number for the key? Good luck attacking that when there's no relation to it and the real world at all.

All it takes is say:

- combining parts of two commonly found files on the internet.
- fully random, stored on a different, harder to find encrypted volume, but accessible by a 2nd, easier to remember, key.
- for the truly paranoid, base64 encode a random 256-bit number and memorize the resulting 40 characters.

Or a sentence that is long enough to give 256-bit entropy (~60 characters should suffice). Get one from a book, or just make up your own damn sentence/lyric/poetry or number sequence. This is not weak, as it contains the full entropy required. One might argue that the attacker only has to try all possible poetry, spelling variations, possible number sequence that are possible, but I'm pretty sure those exceed the 256-bit space as well.

Re:The universe would suffer thermal death (1, Insightful)

Anonymous Coward | more than 3 years ago | (#32703992)

Your comparison to quantum computing is dead wrong. Quantum computers are not currently known to be useful for brute forcing any algorithm.

The only reason they are useful for breaking things like RSA, is that we have large number factoring algorithms that work on quantum computers (Shor's algorithm). RSA was known to be vulnerable to large number factoring from the moment it was designed. In fact, as a one way encryption function, that's part of its design. We assume that problem to be "hard", but with large enough quantum computers we can make it "easy". Brute forcing RSA was never considered as factoring the modulus is already more than an order of magnitude easier.

AES does not rely on a one way mathematical function for security, so talking about quantum computers breaking it is just silly. Weaknesses in the algorithm itself are the biggest threat to it. Your points about entropy per character are also rather silly as that's an implementation issue and has nothing to do with the AES algorithm. Also for the record, the character set of all keyboard enterable keys is about 6.6 bits of entropy with a random distribution. No idea where you got 4.24 bits from, but even random lowercase letters alone have more entropy per character than that.

assemblerex's point remains valid. Until computers are built from something other than matter, or occupy something other than space, it is unlikely that we will be "brute forcing" 256-bit keys.

Re:The universe would suffer thermal death (2, Informative)

simcop2387 (703011) | more than 3 years ago | (#32704022)

If we can crack 128 bit encryption then AES 256 should be easily breakable, http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html [schneier.com] there's several attacks on the flawed key schedule in that reduce the search space to something like 2^110.5 instead of the 256bits that AES 256 implies. (this means that AES 128 is actually more secure in this regard, at least as currently understood).

Re:The universe would suffer thermal death (1)

bieber (998013) | more than 3 years ago | (#32703958)

If they went at it by brute force, anyways. It may not be conceivable to either one of us, but there is always the possibility that they've discovered some mathematical technique that makes the decryption trivial, without having told the rest of the world. Very unlikely, of course, but not impossible...

Re:The universe would suffer thermal death (1)

Vellmont (569020) | more than 3 years ago | (#32704126)


before they break 256-bit aes. Even if computer power somehow went up magnitudes
the sun would go nova before they crack the encryption.

How about if a critical flaw is discovered in aes that produces an attack in 2^64 time?

How about if a critical flaw is discovered in the implementation of aes that produces an attack in 2^32 time?

How about quantum computers advance to a usable level, and that 2^256 complexity is solvable in 256^6 time?

The first two are unlikely, since AES wasn't designed by fools, and has withstood much analysis. The 3rd possibility is the most intriguing.

The point being, the assumptions you're going on are that we know the same things we know now that we known is several years.

Right now we know computing power increases exponentially, so as you say that's out. But we also know that quantum computing is certainly possible, and has reportedly worked on very small scales. We also know that encryption algorithms and implementations of those algorithms sometimes fail catastrophically. The best we can say is that AES 256, with a good password can't be cracked with a conventional computer with our current level of knowledge about AES and its implementations.

Maybe it was just random data (2, Insightful)

petes_PoV (912422) | more than 3 years ago | (#32703734)

If I wanted to create a decoy I'd just dump some output from /dev/random onto a disk partition and let the government try decrypting that for a few years (so long as they don't hold me in jail in the meantime). It seems that no matter how much you protest that a block of 0's and 1's isn't an encrypted file, it's just random noise, the only way to prove it, one way or the other, is when / if someone actually cracks it.

Could take a while.
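Why the comment above holds from a forensic analyst's side, as an added example that is not the commenter's code: byte-level statistics separate plaintext from high-entropy data, but give the same verdict for noise and for ciphertext. Assumptions: a seeded PRNG stands in for /dev/random, a SHA-256 counter-mode keystream stands in for a real disk cipher, and the sample data, key and thresholds are all constructed.

```python
import hashlib
import math
import random
from collections import Counter

SAMPLE_SIZE = 256 * 1024  # bytes per constructed sample


def shannon_entropy(data):
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total)
                for c in Counter(data).values())


def chi_square(data):
    """Chi-square statistic against a uniform byte distribution.

    With 255 degrees of freedom, uniform data averages about 255.
    """
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected
               for b in range(256))


def keystream_encrypt(key, plaintext):
    """Stand-in stream cipher: XOR with SHA-256(key || counter) blocks.

    Used only to produce ciphertext-like bytes without third-party
    libraries; it is not AES and not a recommendation.
    """
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        pad = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[offset:offset + 32], pad))
    return bytes(out)


def make_samples():
    """Build three constructed samples of equal size."""
    rng = random.Random(2010)  # fixed seed so every run sees the same bytes
    noise = rng.getrandbits(8 * SAMPLE_SIZE).to_bytes(SAMPLE_SIZE, "little")
    line = b"account ledger entry: transfer 1000 to account 42\n"
    plaintext = (line * (SAMPLE_SIZE // len(line) + 1))[:SAMPLE_SIZE]
    ciphertext = keystream_encrypt(b"constructed key", plaintext)
    return {"noise": noise, "ciphertext": ciphertext, "plaintext": plaintext}


def looks_uniform(data, chi_limit=400.0, min_entropy=7.99):
    """True when the bytes are statistically indistinguishable from uniform.

    The limits are loose, constructed cut-offs for this sample size.
    """
    return chi_square(data) < chi_limit and shannon_entropy(data) > min_entropy


if __name__ == "__main__":
    for name, data in make_samples().items():
        print(f"{name:10s} entropy={shannon_entropy(data):.4f} bits/byte  "
              f"chi2={chi_square(data):12.1f}  uniform={looks_uniform(data)}")
```

The test can say "this is not plaintext", but nothing in the byte statistics separates the noise sample from the ciphertext sample.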

Re:Maybe it was just random data (4, Insightful)

swilver (617741) | more than 3 years ago | (#32703846)

How will you get out of jail though?

Give them the password? You can't since it is random data.

Tell them it was random data? Sure... we believe you! Now give us the password @#&*$!

This does show though that proving that something is not random data would be very important before they try waterboarding a password out of you :)

Re:Maybe it was just random data (4, Insightful)

Tumbleweed (3706) | more than 3 years ago | (#32703880)

How will you get out of jail though?
Give them the password? You can't since it is random data.
Tell them it was random data? Sure... we believe you! Now give us the password @#&*$!
This does show though that proving that something is not random data would be very important before they try waterboarding a password out of you

It depends on what your goal is. If your goal is to hide your secrets to stay out of jail, this may be a bad way to do it, especially if they torture you.

If your goal is, however, to keep your drug lord employer's secrets, otherwise they'll torture and kill your entire family, that's another thing entirely.

Re:Maybe it was just random data (3, Insightful)

petes_PoV (912422) | more than 3 years ago | (#32703926)

Yes. It does make the possession of random data illegal. Since "they" will assume it is encrypted, even though they can't prove it they will demand a password from you. Since you cannot comply you are deemed to have done something illegal. This is one of the few areas of law where you have to prove your innocence. And the only way to do that is to surrender a password (if there was, actually, one) which could just make you guilty of a different offence - depending on what it was you wanted to keep encrypted.

If there is ever a case along the lines of: "Well, m'lud the prosecution have not proved there are any encrypted files - it's just a block of encrypted data, so there is no case to answer" then I suggest we all follow it very closely.

Re:Maybe it was just random data (1)

SirRedTooth (1785808) | more than 3 years ago | (#32704032)

I don't understand why it would be illegal, so the offence is harbouring 'misleading evidence'? What would be the crime? (I'm not criticizing merely asking)

Re:Maybe it was just random data (1)

icebraining (1313345) | more than 3 years ago | (#32704150)

This is one of the few areas of law where you have to prove your innocence.

Which of course, should be completely invalid, because it goes against the right not to self incriminate, which is in the legal code of many countries, including Brasil.

They should publish it as a DVD (5, Funny)

kawabago (551139) | more than 3 years ago | (#32703746)

They should publish it as a DVD and within hours they'll be able to download the unencrypted file from a torrent! :o)

Re:They should publish it as a DVD (1)

hilather (1079603) | more than 3 years ago | (#32703882)

They should publish it as a DVD and within hours they'll be able to download the unencrypted file from a torrent! :o)

Brilliant! Crowd sourcing for the win.

Re:They should publish it as a DVD (0)

WindBourne (631190) | more than 3 years ago | (#32703924)

Actually, if they just put the start of the drive on open source, I would not be surprised to see it cracked within 1-2 months.

Re:They should publish it as a DVD (0)

Anonymous Coward | more than 3 years ago | (#32704060)

distributed.net's brute force attack on 72bit RC5 should give you an idea of the scale of the problem:
"88,499,918,552,956,920 Keys were completed yesterday (0.001874% of the keyspace)(0.001891% of the remaining keyspace)
at a sustained rate of 1,024,304,612,881 Keys/sec."

"we'll hit 100% in 52,895 days at yesterday's rate"

They've been running for 7.5 years, and have checked 0.872% of the keyspace.

http://stats.distributed.net/projects.php?project_id=8

So where's the problem? (0)

Anonymous Coward | more than 3 years ago | (#32703748)

This guy was accused, not convicted. Why are they looking at his hard drive? Besides that, no law exists to force him to produce the password, but they want the password anyway? That's their problem! Why is there some outcry over the situation?

Re:So where's the problem? (3, Insightful)

hedwards (940851) | more than 3 years ago | (#32703844)

Presumably, they're looking for evidence, and based upon the effort they're going to, I suspect that they might not have a case without whatever is on the disks. Assuming that there's something on there that incriminates him. Which is why the 5th amendment protects the key.

He's a BANKER! (1)

mangu (126918) | more than 3 years ago | (#32703890)

It's customary in Slashdot to ask if we are for or against someone.

This guy is a banker who has been accused of several crimes, but convicted only once, of trying to bribe an officer, Brazilian federal police "delegado" (I think the closest English translation would be "sheriff") Protogenes Queiroz [wikipedia.org].

Anyone can be accused of a crime and it's up to the state to prove him guilty beyond any reasonable doubt.

However, when a very rich banker is arrested and gets a writ of habeas corpus within fifteen minutes after his arrest from none other than the president of the country's supreme court... Personally, I don't think any reasonable doubt remains.

Re:He's a BANKER! (1, Insightful)

Anonymous Coward | more than 3 years ago | (#32704008)

Protogenes Queiroz is a jerk trying to make a name for himself in the Federal Police. He's a former Federal Police marshal due to it.

All he wants is to make a political career out of it. Dantas was one of the best in the field in Brazil but fucked himself up in a power struggle over the control of Brazil Telecom, a major Brazilian telecommunications carrier, with Telemar, another carrier. Telemar has been backing the Da Silva government for a long time and the government was just happy to allow Queiroz to make a mess out of the case.

Telemar invested USD 20 million in a company run by Da Silva's son. It also financed the movie Son of Brazil, telling the story of the President's life. If this isn't bribery, I don't know what is.

Any judgement in the Supreme Court is done by a random member of it, including the Court President. If you got any evidence the random choice was biased to make to the Court President you should call a newspaper because you got a major scandal.

Let Dantas free and put the mafia who runs the Brazilian government in jail.

Brazil is just a backwards banana republic. I'm longing to get a way out of this hellhole.

weird (3, Insightful)

roman_mir (125474) | more than 3 years ago | (#32703750)

I thought this [xkcd.com] was not just a sound idea but a law.

Great stuff though, but expect some new laws by government that make it illegal not to provide your password/keys to the government upon a court order and if you don't provide it, expect an assumption of guilt and some extra punishment. I am not saying it's right, just saying that's probably going to be one of the outcomes of this.

Of course the problem is that they got the drives physically (not that I am necessarily on the side of an allegedly corrupt banker, but I am not automatically assuming he is guilty of anything either.) Here is a good application for the 'cloud' (yikes) - keep your encrypted data so that nobody can even know it exists in the first place.

Re:weird (1)

swilver (617741) | more than 3 years ago | (#32703912)

Sure, they can make a law to force people to give up their passwords... as long as they first prove that there actually WAS a password that would decrypt the data (and into what), as it might just be random garbage.

Re:weird (1, Interesting)

Anonymous Coward | more than 3 years ago | (#32704052)

Sure, they can make a law to force people to give up their passwords....

Only if they can make the sentence for breaking that law worse than the penalty for whatever crime the perpetrator is accused of.

Re:weird (1)

arglebargle99 (1689782) | more than 3 years ago | (#32704024)

A law to make me provide the password? --- "You know, I really would like to help you unlock those files, but I've completely forgotten the password. I'm pretty sure it was a full sentence from a book I read once, but I don't even remember the book's name now."

Re:weird (0)

Anonymous Coward | more than 3 years ago | (#32704080)

Cloud computing is just putting your data on a server cluster maintained by someone else. And all servers in the cluster will contain a copy of your data. Given that authorities can "tap" your internet connection they'll know your data is on the cloud, and from there it's just as simple as serving a warrant to the company, who will happily comply since they don't care about you. In fact that can happen and you can keep going on doing whatever it was you were doing, whereas if they had to physically take your media you'd (obviously) know that they were on to you.

Reality Check (4, Funny)

baeyogin (461380) | more than 3 years ago | (#32703752)

http://xkcd.com/538/

Re:Reality Check (1)

baeyogin (461380) | more than 3 years ago | (#32703836)

If the records are that important, they could be archived for a little while until the encryption becomes easily breakable (for example, using quantum techniques). The $5 wrench will probably work long before then though.

Access codes? (1)

roman_mir (125474) | more than 3 years ago | (#32703770)

The FBI failed to break the encryption code of hard drives seized by federal police at the apartment of banker Daniel Dantas, in Rio de Janeiro, during Operation Satyagraha. The operation began in July 2008. According to a report published on Friday (25) by the newspaper Folha de S. Paulo, after a year of unsuccessful attempts, the U.S. federal police returned the equipment to Brazil in April.

According to the report, the fed only requested help from USA in early 2009, after experts from the National Institute of Criminology (INC) failed to decode the passwords on the hard drives. The government has no legal instrument to compel the manufacturer of the American encryption system or Dantas to give the access codes.

Isn't that interesting, they can't get 'access codes' from the manufacturer. Why should there even be any access codes, is this just an assumption that there are codes like that for those encryption providers or is this a fact?

Re:Access codes? (0)

Anonymous Coward | more than 3 years ago | (#32703932)

Isn't that interesting, they can't get 'access codes' from the manufacturer. Why should there even be any access codes, is this just an assumption that there are codes like that for those encryption providers or is this a fact?

I would say that is probably an assumption on the part of whoever wrote that article, whether through ignorance or because their tinfoil hat is making their brain run a little too hot I cannot say.

US Laws? (1)

gsmalleus (886346) | more than 3 years ago | (#32703786)

No Brazilian law exists to force Dantas to produce the password(s).

If this were to happen in the US, are there any laws here that would force us to give up our passwords?

Re:US Laws? (4, Informative)

hedwards (940851) | more than 3 years ago | (#32703854)

Not without violating the 5th amendment. If you can get the key via keylogger or malware it's fair game, otherwise they have to willingly provide it or you've got to crack it. But the constitution as it stands, does not allow the authorities to compel a suspect to produce the files.

Re:US Laws? (1)

bsDaemon (87307) | more than 3 years ago | (#32703860)

They could probably charge you with contempt of court and hold you until you comply. Are you really willing to sit in jail forever for not giving up the password if the crime you're accused of committing has lower sentencing guidelines?

Re:US Laws? (1)

greylion3 (555507) | more than 3 years ago | (#32703984)

What if you're innocent, but have forgotten the password?
You get to rot in jail for the rest of your life?

Re:US Laws? (1)

bsDaemon (87307) | more than 3 years ago | (#32704044)

Can you /prove/ you /really/ forgot the password? Can you prove you're not faking? Without the password, you can't access the data either, so how can you prove you're innocent? Sounds like a trick to me. *slams gavel*

Re:US Laws? (1)

Rich0 (548339) | more than 3 years ago | (#32704140)

Welcome to the new US justice system. We don't call it presumption of guilt, we call it contempt of court. We don't call it denying access to a jury, we call it administrative law.

The US Constitution is a relic of a time that passed 50 years ago...

Validating technology (4, Interesting)

gmuslera (3436) | more than 3 years ago | (#32703852)

This says plainly that if you encrypt your info with the right, cheaply available technology, not even the FBI could get it, no matter what it is, or who you are. How much time now till some law around criminalizing the use of encryption gets approved?

Re:Validating technology (5, Insightful)

kylemonger (686302) | more than 3 years ago | (#32703950)

The FBI can't crack it, true, but crypto is rarely the weakest link. Can you prevent the FBI from installing a keylogger on the computer you use to access the drives? Can you prevent them from installing a camera somewhere that records your keystrokes, or records your computer screen? It sounds like they moved on this guy too soon. If you need a brick of encrypted data to make your case against a white collar criminal, that's just lazy police work. If you build enough of a case against him beforehand, he'll give you the key as part of a deal to reduce his jail-time. Then you can use that data to go after the next level of baddies.

Re:Validating technology (1)

Sir_Lewk (967686) | more than 3 years ago | (#32704104)

We've had encryption this good, or close to it, for decades now. And looking back, if anything it is likely that laws concerning cryptography will continue to get weaker and weaker, as they have been doing. This stuff used to be heavily export controlled, not so much anymore. Just look at the history of PGP.

this is obviously disinformation :) (4, Insightful)

Anonymous Coward | more than 3 years ago | (#32703900)

... if I were the FBI and I could decrypt TrueCrypt, I'd not admit it and hope everyone keeps using it.

Van Eck? (0)

Anonymous Coward | more than 3 years ago | (#32703930)

Perhaps they should just let him use it and "van eck" his ass... errr his computer's ass. Did they try hookers and drugs? That always works with our government people - agencies, representatives et al.?

Not a surprise (1)

gweihir (88907) | more than 3 years ago | (#32703966)

Modern encryption done right cannot practically be broken at this time. However, many people do it wrong. You need something like 64 bit passphrase entropy to be secure, better 128 bit. As English gives only about 1.5 bit/char, that means a secure passphrase should have something like 90 characters with a minimum of around 45 characters. With random digits/letters, you can do better, for example 12 digits/letters just fulfill the minimum requirement.
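
As an added illustration (not part of any comment in this thread), here is the arithmetic behind the distributed.net figures and the passphrase-length estimates quoted above, in Python. The function names and the two random alphabets are assumptions; the key rate is the one quoted in the thread, and the calculation ignores key-derivation cost, which makes real passphrase guessing slower than raw key search.

```python
import math

# Sustained rate quoted in the distributed.net RC5-72 comment (keys/sec).
DNET_RATE = 1_024_304_612_881
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def min_length(target_bits, bits_per_char):
    """Shortest passphrase length reaching target_bits of entropy."""
    return math.ceil(target_bits / bits_per_char)

def effective_bits(key_bits, passphrase_bits):
    """An attacker searches the smaller space: the key or the passphrase."""
    return min(key_bits, passphrase_bits)

def years_to_exhaust(bits, rate=DNET_RATE):
    """Years to try every value in a 2**bits space at `rate` guesses/sec."""
    return 2 ** bits / rate / SECONDS_PER_YEAR

# Per-character entropy: 1.5 is the English-text estimate from the thread;
# the random alphabets are assumptions chosen for comparison.
SOURCES = {
    "English text": 1.5,
    "random a-z0-9": math.log2(36),
    "random a-zA-Z0-9": math.log2(62),
}

def length_table(targets=(64, 128)):
    """Map each source to the minimum length for each entropy target."""
    return {name: tuple(min_length(t, bpc) for t in targets)
            for name, bpc in SOURCES.items()}

if __name__ == "__main__":
    for name, (l64, l128) in length_table().items():
        print(f"{name:18} 64-bit: {l64:3} chars   128-bit: {l128:3} chars")
    # A 12-character random a-z0-9 passphrase protecting a 256-bit AES key.
    weak = effective_bits(256, 12 * math.log2(36))
    print(f"12 random a-z0-9 chars: {weak:.1f} bits, "
          f"{years_to_exhaust(weak) * 365.25:.0f} days at the quoted rate")
    print(f"RC5-72 keyspace:  {years_to_exhaust(72):.0f} years")
    print(f"AES-256 keyspace: {years_to_exhaust(256):.2e} years")
```
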

given time (0)

zonker (1158) | more than 3 years ago | (#32704098)

As long as there is no statute of limitations preventing it they can still go after him. Given enough time 256 bit encryption will likely become weak enough to brute force it as computing power grows. It might take 20 years but it's possible. That is assuming he's still around by such time...

Here we go again. (1)

penguinman1337 (1792086) | more than 3 years ago | (#32704114)

How much you want to bet that this is going to bring up the whole law enforcement backdoor issue again? Where they try to get laws passed requiring all makers of encryption software to put in law enforcement backdoors so they can instantly get at your personal files. This issue seems to keep popping up whenever they run into problems like this. And, btw, what is the FBI doing going after a Brazilian national anyway? Isn't that slightly out of their jurisdiction?