• Quick note - the problem with Youtube videos not embedding on the forum appears to have been fixed, thanks to ZiprHead. If you do still see problems let me know.

Fed Judge: Forcing de-cryption does not violate 5th ammendment

Gazpacho said:
... and, surprise surprise, that is exactly the case here! Because first, the government already has evidence that the defendant uses the computer in question (her name is on it) and second, they recorded a conversation in prison where she admitted knowing that there were encrypted incriminating materials on the computer. It was only after this that the government issued the data warrant. The judge has granted immunity with regard to the act of decrypting the drive:

They can if the defendant voluntarily reveals its existence.
Click to expand...

Oh, didn't realize. This lady is stupid. They can't prove it if you're not stupid.
 
The Dark Lord said:
I agree with almost everything you said. But using multiple algorithms is unessesary. AES 128 is perfectly fine. It will still take many times the age of the universe to brute force if a good password is used.
Click to expand...

Generally true. But since TC is just software, there might be a bug within the implementation somehow. Or the underlying cryptography is some day found to have some weakness, that no one is aware of yet. So it's simply better to not rely on a single crypt, but on a chain/cascade of different ones. Or that for whatever strange reason they get hold of a piece of plaintext of which they know must be in the encrypted, hidden container. Sure, it's unlikely, but i think it's better to err on the side of safety.

Keep in mind that the use for such a software is mainly not to hide dirty secrets, but to hide secrets in general. There are plenty of regimes on this planet, unfortunately, that have no qualms to kill people if they could find out what they have on their computers. Privacy is much more than just "i don't want you to see my stuff, just because". Many lives depend on such systems being safe actually working.

Greetings,

Chris
 
Last edited:
Christian Klippel said:
Not impossible. It is possible: If you use stupidly simple passwords that can be guessed easily. Other than that: Yes.

Read up on cryptography, and then read up on what TC actually does. Really, do it. And then think about your statement again.

Greetings,

Chris

ETA: Here are some pointers for you:

Plausible deniability in TC


Cascades in TC (chains of encryptions)
Click to expand...
You are the one making the statement about TC, not me.
I'm already well read on security thanks, and I'm still skeptical that anything is 100% foolproof.
Your post has done nothing to make me accept blind faith because someone on the internet says so.
 
crimresearch said:
That was a meme among Apple gurus for a looong time.
Click to expand...

Prove it.

And yes. Any security can be defeated given enough teenagers.
Click to expand...

Nope. An encrypted file can only be opened with a key. The key is generated with a password, usually. If your password is say 30 characters long, and use 62 different characters (uppercase, lowercase, and numbers), that is 62^30, or 5.9x10^53 possible passwords. Nobody is going to crack that (if its random). Ever. And the password can be made MUCH stronger by also using special characters and/or making it longer.
 
Christian Klippel said:
Generally true. But since TC is just software, there might be a bug within the implementation somehow. Or the underlying cryptography is some day found to have some weakness, that no one is aware of yet. So it's simply better to not rely on a single crypt, but on a chain/cascade of different ones. Or that for whatever strange reason they get hold of a piece of plaintext of which they know must be in the encrypted, hidden container. Sure, it's unlikely, but i think it's better to err on the side of safety.

Keep in mind that the use for such a software is mainly not to hide dirty secrets, but to hide secrets in general. There are plenty of regimes on this planet, unfortunately, that have no qualms to kill people if they could find out what they have on their computers. Privacy is much more than just "i don't want you to see my stuff, just because". Many lives depend on such systems being safe actually working.

Greetings,

Chris
Click to expand...

Fair enough. I do think it is unlikely there is such a flaw in TC; it would have been found by now. Even more unlikely that there is one in AES. It has been out for what, 14 years for the whole world to see? And nobody has found a practical way araound it.
 
The Dark Lord said:
Fair enough. I do think it is unlikely there is such a flaw in TC; it would have been found by now. Even more unlikely that there is one in AES. It has been out for what, 14 years for the whole world to see? And nobody has found a practical way araound it.
Click to expand...

AE5 is as strong as the password. Four random common words are easy to make a mnemonic for but effectively impossible to crack.
 
SkepticScott said:
No one is preventing access.
Click to expand...
I explained why this is wrong. If they had a locked cabinet with a journal they would have the journal but not access to the journal. Having a drive with encrypted data is not access. In fact, that is the very word that is often used when a password fails "Access Denied". If "access" isn't what is meant then they wouldn't use that word.

They have the data. You want the person to bear witness against themselves by telling the court what the data means.
Click to expand...
Granting access to the data isn't an interpretation. You are making that up. A password isn't information of a crime. It's simply a means to gain access to the data.

And your language thing creative, but one could argue that a physical key is in essence telling the investigators what the information on the journal means.
 
Last edited:
RandFan said:
A password isn't information of a crime. It's simply a means to gain access to the data.
Click to expand...

The location of a dead body isn't evidence of a crime. It's simply a means to gain access to the evidence.
 
Ziggurat said:
The location of a dead body isn't evidence of a crime. It's simply a means to gain access to the evidence.
Click to expand...

Actually, that's not true. Depends on the crime, exactly, that we're discussing.

That bit of (reality) snark aside, go read my other response to you.
 
BobTheDonkey said:
Sure, if by "tell...where the body of a murder victim is" really means "the journal entry I wrote for that night indicates where the victim is and I am required to hand over the key to the cabinet in which the journal is locked".
Click to expand...

No. A key is a physical object, not information. The location of a dead body is information, not a physical object.

Which of those is a password, a physical object or information?

Of course the analogy isn't perfect, but it's not perfect in any direction, and that's my point. This judge has ruled one way, but I think he's making new case law with his decision. That's fine, it's a new enough problem that any real resolution was going to be new case law, but until it hits the Supreme Court, I don't think we should presume that his ruling is definitive.
 
Again: The judge has not ordered disclosure of the password.

A long-standing rule in 5th amendment cases is that the amendment applies to the disclosure of what is in a person's mind, and not to the release of documents simply because the defendant happens to know those documents' contents.
 
Last edited:
Ziggurat said:
No. A key is a physical object, not information. The location of a dead body is information, not a physical object.

Which of those is a password, a physical object or information?

Of course the analogy isn't perfect, but it's not perfect in any direction, and that's my point. This judge has ruled one way, but I think he's making new case law with his decision. That's fine, it's a new enough problem that any real resolution was going to be new case law, but until it hits the Supreme Court, I don't think we should presume that his ruling is definitive.
Click to expand...

My understanding is that the question is whether a warrant can be used to require a person to divulge his/her password. In this, I see no difference between a warrant requiring a person to hand over the key to a cabinet (or front door, etc) in that the person is required to provide access to the item in question.

The password itself is not incriminating (unless as was pointed out before it's "yesIdidit" or something along those lines) and is not the same as divulging where a dead body is located. It's just not on the same level. Hence my distinction of the analogous parts.

Key : password
journal : hdd
dead body : dead body

Ruling that passwords can be "forced" out of a defendant through a warrant I find particularly valid - mostly because a warrant has it's own checks (i.e. due process, probably cause, etc) before being issued.

I don't disagree that this is fairly new ground for the Courts, nor do I disagree that it is writing new jurisprudence (by definition, because it's new(ish) to the Courts, it would have be new jurisprudence), but I don't think it's the 5th amendment (or even 4th amendment) issue that some here are trying to make it out to be.
 
Last edited:
The article link in the OP covers it pretty well, nothing really new brought up in this case.

And the first paragraph of that article is very much on point...

"Sometimes common "street smarts" fail you. Like when you ask the guy who's selling you drugs if he's a cop. Or when you encrypt your hard drive and refuse to unlock it for prosecutors while citing the self-incriminating clause of the Fifth Amendment."


Fail is fail, no matter how many people are convinced of something.
 
Zax63 said:
Enter the alternate password that decrypts all the documentation of your charitable acts and kitten rescues that you were too modest to leave out in the open.

I think TrueCrypt actually has a feature like that.
Click to expand...

Is this what some would term "plausible deniability"?

I use TC but havent happened upon this feature.
 
The Dark Lord said:
Fair enough. I do think it is unlikely there is such a flaw in TC; it would have been found by now. Even more unlikely that there is one in AES. It has been out for what, 14 years for the whole world to see? And nobody has found a practical way araound it.
Click to expand...

Bruce Schneier (et al) note some non-trivial vulnerabilities in usage of TrueCrypt's "hidden volume" implementation of Deniable File Systems:

http://www.schneier.com/paper-truecrypt-dfs.pdf

I don't think the paper points out any fundamental flaws in the actual implementation of TC's hidden volumes, but points out that the environment that has mounted the TC volumes (including the hidden volume) is most certainly not built to maintain the 'Deniable' part of the Deniable File System. Most of the 'non-deniability' flaws are tagged on Windows (surprise!), including:

* Shortcuts (*.lnk) automatically stored in user's 'Recent Files' folder, which include file path, access/modify times, size, and apparently even volume serial number
* Recovery files (i.e. 'temp' files stored by applications like Word to help in crash recovery scenarios) left over after a pull-the-plug-out power outage
* Recovery files (again, stored by apps like Word) which are not securely deleted, and are easily recoverable
* Tertiary apps like Google Desktop that automatically index volume contents, and can even store 'prior versions' of modified files automatically if so enabled.
* In general, it is also noted that TC volumes should not be stored or mounted on journaled filesystems, as info about the existence of the mounted 'hidden volume' could leak into the journal.

The paper is careful to point out that their analysis was done on TrueCrypt 5.x, and that the 'hidden OS' feature introduced in TrueCrypt 6 could go a long way to shoring up some of these issues.

However, I think it's pretty straightforward to see that when your goal is genuine deniability of the 'hidden volume', simply using TrueCrypt and a good password pair isn't good enough - you also have to be VERY careful about how you use it from within the host system. As is so often the case, I'd bet that simple overconfidence in a specific system (like TrueCrypt, for example) is all that's required to mistakenly make it less secure than it could have been.
 
Last edited:
Zax63 said:
Enter the alternate password that decrypts all the documentation of your charitable acts and kitten rescues that you were too modest to leave out in the open.

I think TrueCrypt actually has a feature like that.
Click to expand...

Better to decrypt it to some porn of dubious taste but definite legality. It needs to be something you would plausibly have a reason to hide, without being something that would get you into trouble. Sit in jail for a few weeks, then give in and decrypt it to a hard drive full of granny porn; they're more likely to buy that than if it decrypts to kittens, and they'll stop looking for your secret plans for world domination and the location of the secret island base.
 
You must log in or register to reply here.

Back
Top Bottom