Yeah, but if you really want to be safe and don't want to go through the hassle of encrypting your whole disk and potentially losing everything to a forgotten password, just buy a solid state drive. Even without encryption, solid state drives make digital forensic scientists' jobs a biatch. The garbage collection routines most firmwares will do preemptively to negate the throughput hit of having to wipe a block when data is waiting to be written to it means you don't even need to have the drive connected to a computer (just supplied power) to ensure "deleted" data will inevitably be irrecoverably wiped from the drive.

FTA

"Adding to the frustration, at least on the part of law enforcement, is the fact that they can't force people to give up their passwords."


For the Authoritarian pricks:
Gee, you're breaking my heart Earl, you really are... So what I'm gonna do is instead of letting you break my heart, I'm gonna break your bones until you tell me your password, K? I'll give you a count of 1...2.... hey was that so hard?


For the Libertarians:
"If it's in my brain it's my property" is a valid defense here. I have the right to not incriminate myself, and the fact that we have a culture that has been indoctrinated that the 5th amendment is horrible, evil and wrong, that fact hasn't, won't, and hopefully will not ever change.

For the Democrats:
"Well it was the governments property all along, so I see no reason not to give it out..."

For the Republicans:
"Hey, Rush said not to..."

there, I think I got all my trolling out of the way for the week.

Bio-nic: FTA

"Adding to the frustration, at least on the part of law enforcement, is the fact that they can't force people to give up their passwords."


For the Authoritarian pricks:
Gee, you're breaking my heart Earl, you really are... So what I'm gonna do is instead of letting you break my heart, I'm gonna break your bones until you tell me your password, K? I'll give you a count of 1...2.... hey was that so hard?


For the Libertarians:
"If it's in my brain it's my property" is a valid defense here. I have the right to not incriminate myself, and the fact that we have a culture that has been indoctrinated that the 5th amendment is horrible, evil and wrong, that fact hasn't, won't, and hopefully will not ever change.

For the Democrats:
"Well it was the governments property all along, so I see no reason not to give it out..."

For the Republicans:
"Hey, Rush said not to..."

there, I think I got all my trolling out of the way for the week.

For the Paul-tards:
RON PAUL


ftfy

Came for XKCD, left happy.

Well, there's always waterboarding as way to extract information...

Oh great, the government will start waterboarding us to get to our online pr0n stash...

/not*gurgle,*ack*,inna*gasp*million*pfft*years*dribble*

pyrion: The garbage collection routines most firmwares will do preemptively to negate the throughput hit of having to wipe a block when data is waiting to be written to it means you don't even need to have the drive connected to a computer (just supplied power) to ensure "deleted" data will inevitably be irrecoverably wiped from the drive.

I know what each word means individually, but as a group. . . wow. My brain is bleeding.

I am highly sceptical about how law enforcement agencies make a big noise about how they can't crack freely-available encrytption. They're all like "Ohhh noooes! PGP!!! Oh nooeees! Truecrypt!!!" I reckon they can crack them or have backdoors and are just lulling us into a false sense of security so we don't move on to something better.

Sooo, only criminals need to encrypt their data now?

t3knomanser: Bio-nic: "Adding to the frustration, at least on the part of law enforcement, is the fact that they can't force people to give up their passwords."

I'm not sure why the article claims this- it's not true. Courts can subpoena encrypted documents, and you must provide the key to unlock those documents. Failure to do so puts you in contempt of court, which means that the judge can hold you in custody until you comply or they get bored with you, whichever happens first.

Suede head: I reckon they can crack them or have backdoors

A long time ago, someone noticed that publicly analyzed encryption systems were stronger than ones you made up and kept secret. "Anyone can create a cryptosystem so good he can't break it himself," is the old saw. So, as dlp211 points out- governments use the same crypto that we do. There have been a few cases where the NSA tried to foist substandard implementations off on Windows, but they were quickly found out and corrected.

Not to be cynical, more curious.

Any citation on the forced to give the key thing.... Especially since one is exercising their right to remain silent.

As I said, if it is true, I would like to be able to reference it

Still weak against rubber-hose cryptanalysis and related attacks.

Personally, I miss the days when the US government decided that cryptography was a type of weapon and thus should fall under certain export restrictions. They should have stayed by that and made everyones life easier by opening themselves up to 2nd amendment argument.

dlp211: DORMAMU: Any citation on the forced to give the key thing.... Especially since one is exercising their right to remain silent.

This is still 'new' territory but this was the first hit from google: Link (new window)

It's like a safe deposit box. If a warrant is issued for the search of the box, the defendant is compelled to give up the key, if the defendant 'can't remember' where s/he placed that key, they can keep you in prison until you remember or they break open the box.

As computers, and more importantly, GPU's become more powerful, encryption will need to seriously evolve or it will become easily cracked. It actually may make sense to keep someone for 10 years in contempt of court and then crack the HDD then when the necessary processing power becomes cheap enough in order to crack the encryption.

There has been no ruling in the case you cited. Precedent is that you can be forced to produce the physical key to a physical lock because the mey is an object. Precedent is that you CANNOT be forced to produce the combination to a safe because that is testimony about the contents of your mind and the fact that you know the combination.

Britney Spear's Speculum:

For the Paul-tards:
RON PAUL


Password accepted! Decrypting. . .

itsdan: Which is why you use TrueCrypt's "plausible deniability" feature. One password opens a junk container that you toss some things like credit card numbers or passwords in, things a person might want to encrypt, a second password opens your 'real' container, with whatever you're trying to hide.

I was just wondering about this. Couldn't you have a real password, plus a password that serves as a command to both decrypt innocuous data and delete everything else? At most they could get you with destroying evidence, perhaps.

What's the runtime overhead of encrypting a disk, these days?

Or so they would have you believe...

Suede head: I am highly sceptical about how law enforcement agencies make a big noise about how they can't crack freely-available encrytption. They're all like "Ohhh noooes! PGP!!! Oh nooeees! Truecrypt!!!" I reckon they can crack them or have backdoors and are just lulling us into a false sense of security so we don't move on to something better.

Open source encryption software is vetted by some of the most brilliant cryptologist is the world on a regular basis. The software source gets a going over frequently, and they take it very seriously. Unlike the US where the most you are talking about is prison, these programs are frequently used in countries where what you say is enough reason to kill you.

Encrypt everything, whether you have anything to hide or not. The more encrypted data and email there is, the less likely anyone is going to be singled out as suspicious for using encryption.

Ever wonder why idiots and despots are against it?

t3knomanser: dlp211: This is still 'new' territory but this was the first hit from google: Link (new window)

There's also In Re Boucher which establishes the precedent that encrypted data can be retrieved by the court.

But only if the defendant has in prior shown part of that data to law enforcement. I see you didn't bother to completely
read the article you linked to.

Britney Spear's Speculum: For the Paul-tards:
RON PAUL


ftfy

Ahh, So sorry, knew I was forgetting one...

DORMAMU: Not to be cynical, more curious.

Any citation on the forced to give the key thing.... Especially since one is exercising their right to remain silent.

As I said, if it is true, I would like to be able to reference it

There is currently a case going through the courts where a man was stopped at a Canadian checkpoint coming into the country, upon inspection of his at that point unlocked laptop, he customs agents found what they believed to be CP on his computer.

Being idiots, the customs agents took him into custody AND POWERED DOWN THE COMPUTER for safekeeping/evidence.

Now, he had encrypted the data on his workstation and password protected it. Now the authorities only have a "he said she said" case without forcing him to decrypt his data. He is refusing and I think is still in jail for contempt.

The long and the short of THIS is - power down all your equipment and make sure it stays powered down through the checkpoints, kids.

LockeOak: I was just wondering about this. Couldn't you have a real password, plus a password that serves as a command to both decrypt innocuous data and delete everything else? At most they could get you with destroying evidence, perhaps.

Any certified forensic IT specialist is going to do a drive image of your machine the minute they get it into the office - that way when you "forget" and delete your data, the nice men in blue can hand you another one and say "here, try again."

Also remember that destruction of evidence itself is a class A felony in most states. They can't put you away for life, but they will try to put you away for a long time.

Ive read a bit into this already, mainly when researching truecrypt.

Currently the password is being accepted as deniable through the 5th amendment. Under normal cases (illegal software, child porn) the cases have generally been abandoned, but cases where extortion is involved (Huge money loss, large business effected ), they are able to hold you indefinitely.

JeffMD: Ive read a bit into this already, mainly when researching truecrypt.

Currently the password is being accepted as deniable through the 5th amendment. Under normal cases (illegal software, child porn) the cases have generally been abandoned, but cases where extortion is involved (Huge money loss, large business effected ), they are able to hold you indefinitely.

Amazing how it gets all important the minute money is involved -.-

"oh, he had photos of kiddies diddling on his computer, but we got no evidence, let him go"

"Oh god, he stole money from the corporation, STRING HIM UP UNTIL HE SQUEALS..."

I'm a bit of a computer geek but I've never gotten into encryption or anything else because I haven't seen the need. Now, I assume there is some way for a seriously paranoid person to be able to wipe a drive if the wrong password is given? What about the ability to have a drive wipe itself if a password isn't supplied every X hours/days? Or change the firmware on the drive itself so that if it isn't connected to your own computer then it begins wiping data?

I find it all a bit fascinating, because if the above is possible then it'd be like a movie. A hybrid of Speed (can't change computers) and any movie with a countdown timer until something explodes. A very boring movie though, watching people sit there guessing passwords non-stop, or a room of people brainstorming over the possible password. Could be like 12 Angry Men but call it 12 Angry Nerds! My god, I gotta call Uwe Boll, I've got his next movie idea!

Who the hell is so retarded as to not know this? That is the point of encryption software, and since it's based in mathematics not in government clout, no, just because you're a federal agency does NOT mean you get free access to everything that's encrypted.

pyrion: Yeah, but if you really want to be safe and don't want to go through the hassle of encrypting your whole disk and potentially losing everything to a forgotten password, just buy a solid state drive. Even without encryption, solid state drives make digital forensic scientists' jobs a biatch. The garbage collection routines most firmwares will do preemptively to negate the throughput hit of having to wipe a block when data is waiting to be written to it means you don't even need to have the drive connected to a computer (just supplied power) to ensure "deleted" data will inevitably be irrecoverably wiped from the drive.

I had never thought of using SSDs in this way but this isn't quite the same as whole disk encryption; this is more similar to the security afforded by disk/freespace wiping. Freespace wiping is a PITA though and very slow, unless run on an automated schedule it's certainly more annoying that full disk encryption actually.
I wouldn't trust SSDs to have automatically wiped away sensitive data but it's an interesting artifact of the technology.

t3knomanser: phant0m51: Now, I assume there is some way for a seriously paranoid person to be able to wipe a drive if the wrong password is given?

Of course, but such a thing would be illegal to do if the drive were destroyed in the process of an investigation. All of your ideas are possible, if one wanted to put the effort into it (the firmware one would likely be impractical, since there's no guarantee that you could easily port it to another drive, even the same model (firmware may change between lots), and drives do fail.

I suppose if one were truly paranoid they would buy a ton of RAM and one of those add-in cards to allow one to work entirely in volatile memory.

I had a run in with the police. Fortunately i was using PGPdisk to encrypt my data. What I did was create a 600 megs pretty good disk file and stored anything private in there, including my IE cache. You can easily save all your IE favorites, cookies, cache into an encrypted disk. This way i could backup the file to CD if i needed to.

When i was raided my computer was off. I told them my data was encrypted but i refused to give the password. And that was that. They found a couple minor things reading deleted data, but nothing useful. The report also showed my IE cache was redirected to drive S, but there was no drive S. I highly recommend doing this.

I've been using PGP since the DOS days for two reasons. A) I don't want to be the guy who gets his laptop stolen with a ton of client data on it, and B) the more people who use encryption regularly, the less likely it is to draw attention. I think *everyone* should be using encryption, especially in an era where governments and business seem dead set on data mining everything they can get their hands on.

dlp211:

whither_apophis: Kind of a crypto-newbie question: for encyption software is your password the key itself or is it just the authorization to tell the software to encrypt using an internal/unknown key?

Your password is the key. The way it works is that based on your password and the encryption algorithm it encrypts your data.

Basically is your password is 7 and your data is 1 it makes your data say it is 8. If your data is 2 then 9 etc. Now obviously it is not that simple.

Now the strength of the encryption is two fold. The strength of your password doesn't effect the encryption method and thus the actual encryption is extremely strong. The strength of your password effects the ability to reproduce the key and is therefore the weakness to the encryption method. The stronger the password, the harder it is to replicate.

/very laymen explanation above

That's not *quite* correct with the way it actually gets implemented in most cases.

In most you generate either a single or a pair of keys that are 1024 bits or longer, and this is stored in a key file. You then secure your private key file with a of passphrase.

For example, your passphrase might be your logon password but the actual key used to encrypt would look more like:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.0

mQGiBDeNWRURBADcWVAsNIgOS/WLo7sr6mfk8X0J8oZLatEYZnykLIxcgDSd5QhoydbaH S dd
n+rdenVCKV/HUoMu682PAoIWKVIX54Anz+Bn80r3OUGD4lWNGRqRFA4qTOnpAnAG2BmKU h Kk
14q1HanFiuMuYs0dzGgyIxRNnv7bDeFXuZLarLsVzQCg/zUrwL2wzLf8T49aCFmH65UJU p ME
AJDnUDkJHf7dSs0BaNs5Aertukryogde/dUn6ZA9b2Xc2/Av0OJC6yiwfct7zhOCbo2Eg V Dz
boIaUHdg5YvezTDpzgYAGi00ho2LxfBFrjA1xHaTfEMfic/x64GHOOIKgTx/f1Wf48KOl 4 wj
BRrdW/skHcLB4a3JH8PdyfZR58AHA/9k0GwLkX4ohb5UBx7h4fzPh/hdZHMY8UROVqHna 8 7c
IQwzQWleOXIaGz3HOaGd/WuqLwwWFZfmLaQsSni8QC9f9FHrgKmpOtH8epaxfDmgd2Ryp I Vl
b0GgXx41PSjIVGZcK5yddixeTPvfSx4+HiaREC9Hbt1nLdXKPCZfNcJl0rQfTWF4IEhlY 2 sg
PG1heF9oZWNrQGhvdG1haWwuY29tPohLBBARAgALBQI3jVkVBAsDAgEACgkQ8tppnom0K K KT
OgCdEt6BNSyoUiTOJaCW3oGLNqdRtuwAoKq+HmMzTWce1rr2PYdfzTxQsJjMuQINBDeNW R UQ
CAD2Qle3CH8IF3KiutapQvMF6PlTETlPtvFuuUs4INoBp1ajFOmPQFXz0AfGy0OplK33T G SG
SfgMg71l6RfUodNQ+PVZX9x2Uk89PY3bzpnhV5JZzf24rnRPxfx2vIPFRzBhznzJZv8V+ b v9
kV7HAarTW56NoKVyOtQa8L9GAFgr5fSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbL Y 72
88kjwEPwpVsYjY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEA x nI
Byl6ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpMgs7AAICCACqDbz7O 9 MB
v5O5dQNn7AweKPSHOUBB6J506NG/eZ8/wo98h6gTFDejVZGhZxVBsBXwCACRZ2Krf/jBG b mt
7cpl/aey+HYodDKDutfyTZS24WkqVLUjVllCueIzpTDoPsVdT49YiZOP0YXh6DR0lhte+ s q0
ctlTei5dpEbFGxOh9iiWM4uJXzm9TSRbkNSTA9CpWtOog1JKcfklmmPWjlSzmVvFf6019 c kv
Tx3742Hmjb1QljeJ34jBdoX+ysbUHGCGwHggSBDGtP0LWP71BdFkxeNiFQcGd5pdwIM0x y gH
uavT80Eo/YKCydC8Htr6MF/lY6YxX52s/HrD1WM9otL8iEYEGBECAAYFAjeNWRUACgkQ8 t pp
nom0KKIINgCgpGRQJAs5z6d0+VwRIabEXflP2kUAoNuFdJCgG5YU1o+hcwQm7kjotW0+
=mZNA
-----END PGP PUBLIC KEY BLOCK-----

That makes the passphrase the weak point in the whole scheme *if* someone can get access to your private key file, which they would have if they confiscate your hard drive. For that reason the truly paranoid keep their keyfiles on a USB key or floppy.

I never even thought about encrypting my drive. -shrugs- Have done directories for customers and such, but that's about it.

If they want my MMO UI and Plugin settings, they can have them. LOL!