Suspect Ordered to Decrypt His Own Data

http://www.wired.com/threatlevel/2013/05/decryption-order/

First off, child pornography is a disgusting crime and anyone involved in the production or distribution of this type of material is not only a worthless human being, but should be rotting away in jail.

With the above said, this case has far reaching implications for any US Citizen who uses Hard Drive encryption to protect sensitive or personal information.

If you haven't already read it, here is a link to the court order demanding that this idiot decrypt his own data:

http://www.wired.com/images_blogs/threatlevel/2013/04/fedswantdecryption.pdf

Any competent individual would just simply say they forgot the password(s) during the course and stress of the trial.

I do find it interesting on page 4 (first continuous paragraph) where the prosecution states that the FBI CART and CEAU divisions were UNABLE to break the encryption.

However, I do find it interesting on Page 5 where the prosecution states that "important data may be lost during attempts to break encryption for a number of reasons. Some high security encryption protocols, such as those the FBI believes Mr. Feldman has employed, automatically lock up, erase stored data or even render themselves non-functional if too many incorrect guesses are made at the password."... Unless the encryption uses a mil-spec format procedure, the so called "erased data" would be recoverable and what FBI guy is going to let a hard drive sit in it's originating computer where the "encryption program" is potentially going to have access to run a wipe program (which takes HOURS to complete). I don't believe there exists any form of stand-alone encryption tool that can wipe a drive while it's been physically removed from its originating computer (feel free to correct me if I am wrong).

Page 6 goes into more detail defining this data destruction technique as the basis for requiring this guy to decrypt his data. Personally, I'm a long-time user of TrueCrypt and there exists no means by which this can be reliably performed. Truecrypt containers (on a stand-alone USB HD, for example) are passive and I'm unaware how any encryption program could run on a stand-alone drive to render the data useless or non-functional. Correct me if I'm wrong, but the whole basis for the Government's argument is just nonsense..

On page 17, you'll notice at the bottom it states that this dudes Laptop (storage device "a") was NOT encrypted. Let this be a lesson to anyone who utilizes encryption - if you are going to encrypt a few of your HD's - then you should probably encrypt ALL of your hard drives. It seems they pulled some peer-to-peer usage logs (eMule) from his unencrypted laptop and are using this as evidence to warrant the decryption of his encrypted portable HD's... TrueCrypt whole disk encryption is your friend - unless you are a pedophile.

Page 18, bullet item 17 demonstrates how incompetent and lacking in knowledge the Prosecution really is.... Confusing encryption software that will "destroy your data after too many bad passwords are entered", with a manufacturing warning that "if you forget your password you'll loose your data" is freaking comical!! And these idiots get to decide the fate of our privacy rights and make/change judgments and/or laws concerning them.. Very frustrating. I guess the take-away from this paragraph is that the FBI doesn't have a back-door method for decryption of Western Digital SmartWare encryption Software. Regardless, I will still use TrueCrypt. ;-)

Page 20 describes just how sick and twisted this guy really is... Personally, I hope this idiot goes to jail and gets ~ Snipped as per TOS ~ every day of his sentence.

My hope is that everyday normal (ideally non-pedophiles) won't be forced (by precedence of this case) to supply their data encryption passwords under suspicion of wrong-doing while in or attempting to enter the US (or any country for that matter).

 

All of his drives used hardware-based encryption.

The Maxtor BlackArmor drives use hardware-based encryption. The particular MyBook drives he used also utilize hardware-based encryption. The FBI report talks of the self-destruct, self-erase mechanism being a hurdle. Again, that's only a problem with hardware-based encryption.

http://computersciencelabs.blogspot.com/2010/11/256-bit-based-hardware-encryption-on-wd.html

http://www.seagate.com/about/newsroom/press-releases/lock-it-up/

I understand the disgust at what's being kept secret. But that's not the point here.

Also, notice that the forensics team pulled up all the external devices and file names because of shellbags.

 

Don't we have a Hardware .vs Software thread here somewhere?

What drive did they decrypt? A Black Armor?

Somebody got to the Judge, IMO. Maybe not, the decryption of one drive may be a legit tactic, I don't know...we need the Supreme Court to decide something on this subject. You can make it so that you *can't* decrypt your own data.

PD

 

It would be ridiculous to NOT point out in this thread what was used. The fact that it involves something in another thread has nothing to do with it.

It's a simple court order that doesn't mean a thing. You appeal and it will get struck down like all the other similar cases on 5th amendment grounds. It's just a pressure tactic.

I'm having to hold back my feelings on the actual details of the case because it's revolting. But the legal principles involved are very important.

`

 

I was curious to find out more about the feds efforts. So i got the PDF. I was surprised at these statements.



We don't know how many wipes he used, or the method/software, but it "seems" to have worked. The PW's recovered from the unencrypted areas, appear to be in regular characters. Unless he used more sofisticated ones for the encrypted drives etc, i would have thought that 8 - 10 weeks was more than enough time to decrypt them. Especially with the tools etc at their disposal ?

Also from what i've read about other cases in the past, forensics are supposed to clone the original media, & then analyise etc them. The PDF sounds like were analyising the original media ?

Wonder how this will pan out ?

It's only fairly recently that a lot of us on here have been made aware of SB's. And this proves how invaluable they "can" to forensics/snoopers etc.

I missed that ! It's strange he would use a less strong PW on one ?

 

Ok, clearly I needed to better understand Hardware Encryption. Although I have a couple SSDs that have that ability, I always figured the manufacturers imposed a Government required backdoor and thus personally have always gone with open-source software based encryption utilities.

After reading up on Hardware encryption, isn't this precisely a feature whereby you can NOT clone the drive and perform analysis?

 

Ahh, your'e probably right But one of the drives was a USB, so that "might" be different ?

 

No, you absolutely cannot clone (image) a drive with hardware encryption. The processor is actually embedded (potted) within the casing of the external drives. All encryption is handled on the device. Any tampering of the area around the chip will result in an auto-erase. The cryptoprocessor and the encrypted data are married. Can't have one without the other.

A discovered backdoor would ruin the enterprise business for these manufacturers. Not to mention they clearly state there are no backdoors. For any company to deploy these and find out there is a backdoor would be grounds for fraud suits against the manufacturer.

 

Shellbags are another reason for WDE and especially a hidden OS to boot.

Windows makes it impossible to conceal your tracks if an adversary gets "hands" on the OS itself.

 

For the record, my pointing out the other thread, had nothing to do with the relevance of this one. I wrote that, because I originally thought they got into a hardware encrypted drive and thought it was funny that some preferred hardware over software in that other thread.

I absolutely agree 100%...what this guy did, is irrelevant. If the Bill of Rights falls, the country falls.

I still want to know what they "decrypted"? Did they get lucky with his pass scheme on one...but the others are different and they reached the limit before wiping?

Now think about this: If this was TC, they could image and work on copies till the cows came home. I wonder if the *lack* of destruction, would have given the judge pause over compelling the defendant?

Finally: Kind of proof that you better just TC the whole darn computer. It seems if there is no other external way for them to know what is on the computer...passwords aren't compelled, IMO.

PD

 

Yup...neither does Ubuntu. I found many traces on a default install, with Zeitgeist, etc...

PD

 

The same with Bitlocker and other closed-source implementation of AES 128/256bit encryption.

 

Looks like Shellbags is turning out to be quite something !

@ LockBox

Thanks for the info

 

Using a LiveCD (no system hard drive) with hardware-encrypted data drives would be quite secure, no?

I wonder if one can prevent the drive passphrases from being cached in system memory.

 

Also, don't name your user account *your name*. I love these indictment sheets, etc... They offer up so many clues on what not to do

PD

 

A hidden OS won't help if you're compelled to decrypt it or provide the password (rubber hose, jail time). It won't help if you're caught with that hidden OS active either.

IMO, using WDE for this purpose is little more than a attempt to circumvent the real problem, an OS that stores such data to begin with. Shellbags for example were not a problem until XP. Win 98 and 2000 didn't use them. This is one of the main reasons that some of us don't want to "upgrade" to the latest versions of a spyware OS. Depending on how you define it, security is a double edged sword. Choose your poison.

 

You have a point about the fraud suit (if indeed they explicitly state there is no backdoor)...but to just assume a backdoor would ruin a business, this was already debunked here relatively recently.

 

The Wikipedia article has a summary on Crypto AG Back-doored machines. This part struck me:

I'm sure "interrogated" is putting things mildly and what a wonderful way for the company to treat him upon release.

 

I'm so tired of hearing about the Crypto AG story. This happened 20-30 years ago. Encryption is not just for government cables and the few anymore. It's 2013. There would be a huge difference in the reaction of backdoored encryption products from then until today. Apples and Oranges.

 

New Argument in Forced-Decryption Case: Defendant’s Memory Is Ticking Clock.

-- Tom

 

You can always argue you don't have a password. It's not possible to prove your remember something.

There needs to be laws to protect against this for that reason alone. What if i did forget my pasword? I go to jail because I honestly can't remember it?

 

I agree with you, but just make it so you don't know a certain part of the pass phrase. Your lawyer and his tech expert can easily convince the judge that the molten, shreded, what used to be a YubiKey...was the only way in. Here's the half I know- "abc123" Why'd I do it? Doesn't matter, talk to my lawyer ("psssst...but I did like to photograph myself wearing high-heels...I was embarrassed your honor")

PD

 

Ha! I already do the yubikey part. highly recommended. Would take no more than a few seconds to destroy or "lose" a yubikey.

 

Is there an Open Source equivalent to yubikey?

 

It's just a keyboard, basically. Don't know about open-sourced hardware. It has no sending capabilities. What are you thinking, as far as security vulnerabilities / backdoors?

PD