Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Judge orders defendant to decrypt PGP-protected laptop - CNET News

From: Aarón Mizrachi <unmanarc () gmail com>
Date: Wed, 18 Mar 2009 04:34:19 -0430
On Sábado 07 Marzo 2009 18:14:51 Shailesh Rangari escribió:

Steve,

I agree that their is a real possibility that a said user may forget
the password owing to numerous reasons,
But I am not aware of any technique that can prove beyond a reasonable
doubt that the user has really forgotten his password or is pretending
it to avoid a sentence.
Seems like the case is bound to set a precedent in the interpretation
of this law. Any which ways it would be worthwhile to observe whether
the US courts follow a similar course of action as their UK
counterparts.



two factor authentication with micro-sd memory card that you preserve all the 
time with you, and can be eated when you feel angry, or can be incinerated if 
you smoke it on a cigar, or simply drop it. this sd memory card will contain 
bootstrap and encrypted key for two-factor cypher.  

http://upload.wikimedia.org/wikipedia/commons/8/8a/Cigar_tube_and_cutter.jpg
(Over 200 celsius degrees!!!)

Then, the hardrive will only contain: RANDOM DATA.

This is plausible?, this could be insulting for the judge, but, you must 
allegate that before the raid, you do an "cat /dev/urandom > /dev/sda1" for a 
mantainance pourporse from a live cd... (i really didit before sell my 
harddrive to prevent credit card and other private info leakeage).

Look at: 
http://www.guardian.co.uk/technology/2009/jan/08/hard-drive-security-which

This is plausible. You didn't consider your hard-drive as evidence before the 
judge starts, because you never didit anything barely legal.

Another plaussible act are say that this 8Gb partition are an encrypted swap 
used by a secure live cd that you use. (There is to know that encrypted swap 
uses a random key and looks like random data). You can have the secure live cd 
and demostrate how it works.

-----------------
Everything depends on how you preserve and protect the microsd card... 

Fact: Microsd card have 11mm x 15mm x 1mm, can be easly destroyed with medium-
high temperatures (85 celsius degrees)....

http://www.kingston.com/flash/securedigital.asp?id=2
-------------------



It is also kind of interesting that the UK courts follow a course of
action which almost deters users from using encryption for the fear of
forgetting keys that may lead to a sentence.
That leaves people in UK the option of using Key Escrow Encryption
scheme only.

Shailesh

On Mar 7, 2009, at 5:10 PM, Stephen Mullins wrote:

Is it not plausible that he forgot his key phrase after a year of not
typing it?  A twenty to thirty character key phrase is pretty easy to
forget if you don't use it frequently.  Frankly, I'm pretty sure that
after a year I'd have forgotten a 20 to 30 character key phrase,
especially if it was a truly strong pass and not based on natural
language or 1337.

The problem with this is that it takes us to where the U.K. is today -
refusing to hand over passwords on demand to the police results in a
minimum sentence of 2 years in prison.  This is essentially a defacto
ban on encryption technology by virtue of the risks of forgetting a
password being so great that it simply does not make sense to use it
at all.

I don't like where that leads.

Steve Mullins

On Fri, Mar 6, 2009 at 3:55 PM, vulcanius <vulcanius () gmail com> wrote:

IANAL but in my opinion there isn't an issue of self-incrimination
anymore. If it's true that he allowed the border agents to search his
laptop initially then he has, in my limited knowledge I believe,
waived certain rights.

On Thu, Mar 5, 2009 at 8:33 PM, Shailesh Rangari <shailesh.sf () gmail com


wrote:

Its strange that the act of revealing the password has essentially
been termed underprivileged by the courts in the mentioned case.
The Supreme Court on earlier occasions has termed acts of
providing fingerprints, blood sample etc. underprivileged because
in principle they do not reveal a persons thoughts or knowledge of
a particular fact and also because possession of ones own
fingerprint is an undeniable fact.

In case the Supreme Court concurs with the decision of the
District Court the options Mr. Boucher would have are interesting -

1) Self Incriminate - by providing the password that is known to
Mr. Boucher which in turn would turn testimonial of his knowledge
and control over the said laptop and its contents
2) Perjury - by lying on oath that he does not knows the password
that can be proved otherwise by the ICE Agent for he found the
laptop sans the encryption
3) Contempt of Court - by rejecting both the options mentioned above

Regards,
Shailesh

On Mar 3, 2009, at 1:00 PM, tvlillard () msn com wrote:

Reference below is an interesting article concerning a Judge's
order to decrypt of a harddrive.


Judge orders defendant to decrypt PGP-protected laptop - CNET News

URL: http://news.cnet.com/8301-13578_3-10172866-38.html


Federal court orders defendant accused of having illegal data on
his laptop to type in his PGP passphrase so prosecutors can
access decrypted files.


Thanks
Terrence



------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Find the source of cybercrime! Almost every crime today involves a computer or mobile device. Learn how to become a 
Computer Forensics Examiner in InfoSec Institute's hands-on Computer Forensics Course. Up to three industry recognized 
certs available, online computer forensics training available.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: