Forgot your password?
typodupeerror
Crime Encryption Privacy

FBI Failed To Break Encryption of Hard Drives 486

Posted by kdawson
from the deploy-the-quantum-computer dept.
benoliver writes to let us know that the FBI has failed to decrypt files of a Brazilian banker accused of financial crimes by Brazilian law enforcement, after a year of attempts. Five hard drives were seized by federal police at the apartment of banker Daniel Dantas, in Rio de Janeiro, during Operation Satyagraha in July 2008. (The link is to a Google translation of the original article in Portuguese.) The article in English mentions two encryption programs, one Truecrypt and the other unnamed. 256-bit AES was used, and apparently both the Brazilian police and the FBI tried dictionary attacks against it. No Brazilian law exists to force Dantas to produce the password(s).
This discussion has been archived. No new comments can be posted.

FBI Failed To Break Encryption of Hard Drives

Comments Filter:
  • by Joe The Dragon (967727) on Saturday June 26, 2010 @02:39PM (#32703674)

    is waterboarding next to get the info?

  • by countertrolling (1585477) on Saturday June 26, 2010 @02:45PM (#32703716) Journal

    That's not offtopic. If they want the info bad enough, that is what they will do. And nobody will be able to prove a damn thing.

  • by petes_PoV (912422) on Saturday June 26, 2010 @02:46PM (#32703734)
    If I wanted to create a decoy I'd just dump some output from /dev/random onto a disk partition and let the government try decrypting that for a few years (so long as they don't hold me in jail in the meantime). It seems that no matter how much you protest that a block of 0's and 1's isn't an encrypted file, it's just random noise, the only way to prove it, one way or the other, is when / if someone actually cracks it.

    Could take a while.

  • weird (Score:3, Insightful)

    by roman_mir (125474) on Saturday June 26, 2010 @02:47PM (#32703750) Homepage Journal

    I thought this [xkcd.com] was not just a sound idea but a law.

    Great stuff though, but expect some new laws by government that make it illegal not to provide your password/keys to the government upon a court order and if you don't provide it, expect an assumption of guilt and some extra punishment. I am not saying it's right, just saying that's probably going to be one of the outcomes of this.

    Of-course the problem is that they got the drives physically (not that I am necessarily on the side of a allegedly corrupt banker, but I am not automatically assuming he is guilty of anything either.) Here is a good application for the 'cloud' (yikes) - keep your encrypted data so that nobody can even know it exists in the first place.

  • Re:Wrong Agency (Score:2, Insightful)

    by Anonymous Coward on Saturday June 26, 2010 @02:55PM (#32703804)

    *offers b4upoo a roll of tinfoil and a bag containing 26 scrabble tiles*

  • by slimjim8094 (941042) <[slashdot3] [at] [justconnected.net]> on Saturday June 26, 2010 @02:58PM (#32703824)

    To be fair, the US FBI probably *should* be US-centric. We already have a whole group of people who do the same thing, but specifically *not* US-centric.

  • Re:Wrong Agency (Score:5, Insightful)

    by Anonymous Coward on Saturday June 26, 2010 @02:58PM (#32703828)

    Other agencies such as NSA can probably crack that encryption with ease if not instantaneously

    Stop believing in spy movies.

  • by hedwards (940851) on Saturday June 26, 2010 @03:01PM (#32703844)
    Presumably, they're looking for evidence, and based upon the effort they're going to, I suspect that they might not have a case without whatever is on the disks. Assuming that there's something on there that incriminates him. Which is why the 5th amendment protects the key.
  • by swilver (617741) on Saturday June 26, 2010 @03:01PM (#32703846)

    How will you get out of jail though?

    Give them the password? You can't since it is random data.

    Tell them it was random data? Sure... we believe you! Now give us the password @#&*$!

    This does show though that proving that something is not random data would be very important before they try waterboarding a password out of you :)

  • by Tumbleweed (3706) * on Saturday June 26, 2010 @03:07PM (#32703880)

    How will you get out of jail though?
    Give them the password? You can't since it is random data.
    Tell them it was random data? Sure... we believe you! Now give us the password @#&*$!
    This does show though that proving that something is not random data would be very important before they try waterboarding a password out of you

    It depends on what your goal is. If your goal is to hide your secrets to stay out of jail, this may be a bad way to do it, especially if they torture you.

    If your goal is, however, to keep your drug lord employer's secrets, otherwise they'll torture and kill your entire family, that's another thing entirely.

  • by Anonymous Coward on Saturday June 26, 2010 @03:10PM (#32703900)

    ... if I were the FBI and I could decrypt TrueCrypt, I'd not admit it and hope everyone keeps using it.

  • Re:Wrong Agency (Score:3, Insightful)

    by rolfwind (528248) on Saturday June 26, 2010 @03:10PM (#32703904)

    The FBI has never been a leader in computer technology. Other agencies such as NSA can probably crack that encryption with ease if not instantaneously. I have often wondered if these encryption programs were not let lose by our government so that they would always be able to examine file contents. As far as I know only a program that uses a one time pad is truly secure and I feel that even that would be suspect unless one took the time to create his own pad.

    The government has a vested interest in appearing a lot more competent or advanced than they are. Then I look at the Gulf Oil Spill and know otherwise.

    If the NSA could have unlocked it for them, I believe the FBI would have been there in a split second. They probably already asked.

    Gotta ask, does AES have a backdoors that they can go "compell" an organization to give them the keys to it? Seems like shaky ground to secure data on, but the article mentions it.

  • by petes_PoV (912422) on Saturday June 26, 2010 @03:14PM (#32703926)
    Yes. It does make the possession of random data illegal. Since "they" will assume it is encrypted, even though they can't prove it they will demand a password from you. Since you cannot comply you are deemed to have done something illegal. This is one of the few areas of law where you have to prove your innocence. And the only way to do that is to surrender a password (if there was, actually, one) which could just make you guilty of a different offence - depending on what it was you wanted to keep encrypted.

    If there is ever a case along the lines of: "Well, m'lud the prosecution have not proved there are any encrypted files - it's just a block of encrypted data, so there is no case to answer" then I suggest we all follow it very closely.

  • by kylemonger (686302) on Saturday June 26, 2010 @03:17PM (#32703950)
    The FBI can't crack it, true, but crypto is rarely the weakest link. Can you prevent the FBI from installing a keylogger on the computer you use to access the drives? Can you prevent them from installing a camera somewhere that records your keystrokes, or records your computer screen? It sounds like they moved on this guy too soon. If you need a brick of encrypted data to make your case against a white collar criminal, that's just lazy police work. If you build enough of a case against him beforehand, he'll give you the key as part of a deal to reduce his jail-time. Then you can use that data to go after the next leve of baddies.
  • Weakest link? (Score:4, Insightful)

    by Alwin Henseler (640539) on Saturday June 26, 2010 @03:18PM (#32703952) Homepage

    No, AES has been independently vetted and attacked by multiple security organizations. The only flaws that have been discovered in the algorithm are minor and inconsequential.

    That only matters if the implementation used doesn't have any important flaws. And a password wasn't stored anywhere by accident or 'overlooked mechanism' (caches etc). And the chosen keylength was enough to make brute-force attack unfeasible. And nobody else has/leaks password.

    They don't have to crack a tried & tested algorithm, they only have to find the weakest link. Surely there's many links, most of those weaker than the algorithm itself.

  • Re:Wrong Agency (Score:3, Insightful)

    by marcansoft (727665) <hector@marcans[ ].com ['oft' in gap]> on Saturday June 26, 2010 @03:23PM (#32703980) Homepage

    Hard drive encryption has nothing to do with public-key encryption, much less public-key encryption using smallish keys (by today's standards, 1024 is practically insecure).

    Symmentric encryption keysizes are not comparable to public key encryption keysizes. 128-bit AES keys are unbreakable today, and 256-bit keys are just healthy overkill.

  • by Anonymous Coward on Saturday June 26, 2010 @03:25PM (#32703992)

    Your comparison to quantum computing is dead wrong. Quantum computers are not currently known to be useful for brute forcing any algorithm.

    The only reason they are useful for breaking things like RSA, is that we have large number factoring algorithms that work on quantum computers (Shor's algorithm). RSA was known to be vulnerable to large number factoring from the moment it was designed. In fact, as a one way encryption function, that's part of it's design. We assume that problem to be "hard", but with large enough quantum computers we can make it "easy". Brute forcing RSA was never considered as factoring the modulus is already more than an order of magnitude easier.

    AES does not rely on a one way mathematical function for security, so talking about quantum computers breaking it is just silly. Weaknesses in the algorithm itself are the biggest threat to it. Your points about entropy per character are also rather silly as that's an implementation issue and has nothing to do with the AES algorithm. Also for the record, the character set of all keyboard enterable keys is about 6.6 bits of entropy with a random distribution. No idea where you got 4.24 bits from, but even random lowercase letters alone have more entropy per character than that.

    assemblerex's point remains valid. Until computers are build from something other than matter, or occupy something other than space, it is unlikely that we will be "brute forcing" 256-bit keys.

  • Re:He's a BANKER! (Score:1, Insightful)

    by Anonymous Coward on Saturday June 26, 2010 @03:29PM (#32704008)

    Protogenes Queiroz is a jerk trying to make a name for himself in the Federal Police. He's a former Federal Police marshal due to it.

    All he wants is to make a political career out of it. Dantas was one of the best in the field in Brazil but fucked himself up in a power struggle over the control of Brazil Telecom, a major Brazilian telecommunications carrier, with the Telemar, another carrier. Telemar has backing the Da Silva government for a long time and the government was just happy to allow Queiroz to make a mess out of the case.

    Telemar invested USD 20 million in a company run by the Da Silva son. Also financed the movie Son of Brazil telling the story about the President life. If this isn't bribery, I don't know what is.

    Any judgement in the Supreme Court is done by a random member of it, including the Court President. If you got any evidence the random choice as biased to make to the Court President you should call a newspaper because you got a major scandal.

    Let Dantas free and put the mafia who runs the Brazilian government in jail.

    Brazil is just a backwards banana republic. I'm longing to get a away out of this hellhole.

  • Re:Wrong Agency (Score:4, Insightful)

    by gweihir (88907) on Saturday June 26, 2010 @03:37PM (#32704066)

    If the passphrase has more than 256 bits, brute-forcing it is less efficient by a fair margin, than direct guessing. On the practical side, passphrase guessing likely becomes very expensive for something like 50+ bits of entropy with a good key-setup. Keep in mind that the key-setup may make you work for, e.g., 1 sec of CPU time per guess. With 50 bits, that is (assuming an EC3 small unit for simplicity) around 25 Billion USD for the crack. For every 10 additional bits, add a factor of 1000. With this money, you can built special-purpose hardware, but incidentally, that is likely only going to be faster but not cheaper.

  • Re:Wrong Agency (Score:4, Insightful)

    by gweihir (88907) on Saturday June 26, 2010 @03:40PM (#32704078)

    Not never. Given enough time and CPU cycles, anything stored locally can be cracked. It's just a matter of how long you want to wait.

    Wrong. There is a finite amount of matter and energy (and hence computing power) in the universe. With AES 256 these limits are already very close and possibly exceeded.

  • Re:US Laws? (Score:3, Insightful)

    by FrankSchwab (675585) on Saturday June 26, 2010 @03:55PM (#32704184) Journal

    And yet, the Government of the US, lead by the President of the US, fought a battle all the way to the Supreme Court of the US, arguing that they had the right to detain US citizens indefinitely without recourse to the courts simply because they called the citizen a name - "Terrorist" and "enemy combatant".

    And the courts of the US haven't yet issued a ruling that this is against our precious constitution. Nor has our president, running on a platform of change, spoken out against this travesty:
    http://en.wikipedia.org/wiki/Jos%C3%A9_Padilla_(prisoner) [wikipedia.org]
    http://www.foxnews.com/story/0,2933,506265,00.html [foxnews.com]

    So, if a Police official steps up to you, and says "I think you are a Terrorist and an Enemy Combatant; please give me your encryption keys to prove your innocence", your refusal means indefinite detention in a military detention facility, subject to military interrogation methods which include those which we ourselves have called war crimes:
    http://www.washingtonpost.com/wp-dyn/content/article/2007/11/02/AR2007110201170.html [washingtonpost.com]

    A piece of paper protects no rights.

  • by stonewallred (1465497) on Saturday June 26, 2010 @04:12PM (#32704334)
    If waterboarding is not torture, then you are willing, I presume, to undergo it for two or three days? If not, fuck you.
  • by fm6 (162816) on Saturday June 26, 2010 @04:13PM (#32704342) Homepage Journal

    Learn to read. TPP didn't say it was legal. Read the text you yourself quoted.

    Coerced evidence is illegal almost everywhere. And it ends up being used almost everywhere, because it's really hard to prove coercion.

  • Re:Wrong Agency (Score:4, Insightful)

    by Bengie (1121981) on Saturday June 26, 2010 @04:15PM (#32704358)

    A password based on a phrase where you substitute 3-4 letters for a few special characters and insert 1-4 extra characters into the middle of a word as to mess with the length, would be about has hard to break as the AES key itself. This would be an easy to remember password that would only take a few seconds to type and would render dictionary attacks useless.

    "a large distributed attack should be able to 'crack' it with much less difficulty than reversing the AES itself"

    Of course brute forcing a 256bit key could take 1,000,000,000,000 computers that could do 1,000,000,000,000 AES comparisons per second(aka, about 32,768 cores at 3ghz) about 1.8e+42 millennia. So, by "much less", so you mean to reduce the effectiveness to 1/10^42(0.00000000000000000000000000000000000000001%) would only take those 1 trillion 32k core 3ghz super computers 1000 years to break.

    Assuming this person used a semi-decent password, the only way to get around this would be torture, key got cached/written down, bugged his keyboard, or general luck.

    Fun fact told to me via a PHD in encryption. A 256bit symmetric algorithm that has no work around (AES has flaws that reduces its effectiveness) and using computers so efficient that it takes the theoretically smallest amount of energy to flip a bit, would on average consume most of the energy in the known universe to break a single key. (Think consuming all the stars in the Milkyway galaxy just a start)

    "It is not crazy to think that the NSA could have this capability." I would say overly optimistic.

  • by keeboo (724305) on Saturday June 26, 2010 @04:23PM (#32704388)

    I'm guessing there's laws against it in the U.S. too, that didn't stop them. What makes you think they're beyond it in South America? The fact that you live there, perhaps? Quite narcissistic, but that seems to be the norm for Brazilians.

    It seems that, in your opinion, all south american countries are barbaric lands where no laws are to be taken seriously.
    That's incredibly arrogant of yours. Because of things like that, the rest of the World put all US citizens (including the good ones) in the same basket and call them assholes.

    Even you completely disregard the morality (or immorality) of laws, good/bad/weak/silly laws are to be enforced and there are practical issues:

    If they torture the guy in order to obtain the information, the next day that bastard will make a public scandal, cry his human rights were violated etc, and his lawyers will invoke every conceiveable law and the process will stall, badly.
    Then his lawyers will spread doubt about any other evidence previously collected. They will make a party out of it and, in the end, the guy may be considered innocent.

    So, even if you're willing to torture the guy, it's not practical.

  • Re:Wrong Agency (Score:2, Insightful)

    by snowraver1 (1052510) on Saturday June 26, 2010 @04:28PM (#32704432)
    You have no idea what you are talking about, do you?
  • In other news (Score:2, Insightful)

    by mysidia (191772) on Saturday June 26, 2010 @04:51PM (#32704584)

    The FBI has not solved the P=NP problem, either

    Or implemented practical cold fusion

    Or developed a practical AIDS vaccine

    Or found the cure to cancer

    Or solved world hunger

    Or stopped the oil spill

    They failed to do all these things.

  • by Anonymous Coward on Saturday June 26, 2010 @06:01PM (#32705038)

    > But the constitution as it stands, does not allow the authorities to compel a suspect to produce the files.

    The Constitution may not allow it. But these days, they simply violate it and blame the terrorists for making them do it.

  • by Anonymous Coward on Saturday June 26, 2010 @06:29PM (#32705256)

    The laws were made as they always were. To protect the rich, powerful, and well-connected. Preferably whiter and male. And to damn the poor and duskier. And more female.

    And to fatten, empower, and privilege all members of the judicial system.

    The poor, better-melanized and female are - for all intents - railroaded. Those who have money including drug gangsters - keep afloat as long as they have anough money to feed the judicial system and bribe everyone else, and don't run afoul of "greater interests".

    Brazil has about 5000 families that "own" about 40% of the gdp. Only ~2% of the population makes more than about U$1200 a month. Another 40% of the gdp is taken up by taxes of all sorts. The remainding 98% of the population is just as unequally distributed. And scrabbles for for the remaining 20% of the gdp. That's about 180 million people disputing the gdp of, I think, Latvia. Or so.

    And banks and big corporations - ultimately owned by foreign capital - are ultimate and sacred. Like BP is, in the US.

    Each one of them is - in practice - a different "country". With it's own laws, powers, treaties, systems, authority, sovreignity, and autonomy.

    The common folk get milked, and railroaded. As the system - and the laws - were designed to do it.

  • Re:weird (Score:3, Insightful)

    by swilver (617741) on Saturday June 26, 2010 @06:42PM (#32705336)

    That would mean that a truecrypt volume is distinguishable from random data?

  • by Anonymous Coward on Saturday June 26, 2010 @08:01PM (#32705746)

    hat's all nice and stuff, but many people (myself included) believe that they went too far and, basically, criminals are being treated like defenceless babies.

    Fuck you. No, really...fuck you.

    It is not possible to go too far in that direction. You take away just enough rights to prevent an anarchist nightmare, but no more. It's still evil that we must take away those rights, but the few assholes who want to hurt others for personal gain make it necessary to do so. Still, it is always very, very important that you're always aware that every law, regardless of how well-intentioned, causes you to slide a bit more into the slippery slope towards tyranny. So, when absolutely necessary in order to protect your society's way of life, you do it. Never do it just because some people are getting away with things you don't think they should...the price you're paying isn't worth it.

  • by Jane Q. Public (1010737) on Saturday June 26, 2010 @09:08PM (#32706058)
    I have posted this a number of times, so pardon the repetition. But it is surprising how often this comes up:

    "That it is better 100 guilty Persons should escape than that one innocent Person should suffer, is a Maxim that has been long and generally approved." -- Benjamin Franklin
  • by bill_mcgonigle (4333) * on Saturday June 26, 2010 @10:47PM (#32706494) Homepage Journal

    If waterboarding is not torture, then you are willing, I presume, to undergo it for two or three days? If not, fuck you.

    Anything specific for three days is torture. Bad test.

  • by bill_mcgonigle (4333) * on Saturday June 26, 2010 @10:53PM (#32706512) Homepage Journal

    and then under threat of water boarding, hand out the duress password.

    But what about the third password they want? What do you do then?

    Turtles.

  • by Anonymous Coward on Sunday June 27, 2010 @12:27AM (#32706890)

    Forcefully clogging a prisioner's airways with liquid is torture.

    BTW, US Army physicians that participated in might find themselves under aim of medical oversight boards, both in America and internationally. Apparently, some kind of investigation is under way, as physicians are forbidden by international treaties to participate or help in any way or form in the abuse of prisioners (which includes checking if they're alright, in order to withstand further abuse).

    Isn't awful that the USA tortures and that the UK demands passwords (i.e.demands that someone under custody of the State produce proof against oneself)?

    Apparently, however, Brazilian constitutional law hasnt forgotten the lessons learned from courts elsewhere.

  • by MartinSchou (1360093) on Sunday June 27, 2010 @04:34AM (#32707752)

    Anything specific for three days is torture. Bad test.

    Really? So you'd be unwilling to suffer through "The Comfy Chair [youtube.com]" for three days? I sincerely doubt that'd qualify as torture by any stretch of the imagination.

  • by Jane Q. Public (1010737) on Sunday June 27, 2010 @04:53AM (#32707794)
    First, there is nothing "Left-Wing" about what he wrote. At least not by American definitions. The principle of which he writes is one of the principles behind our own Constitution, which (by our standards) is neither Left or Right. Please see the quote from Benjamin Franklin that I posted above. And given that it precedes the Brazilian equivalent, I think there is argument for precedent of definition.

    Nevertheless, what you describe appears to be a situation of what we might call "too much freedom", with the resulting (relative) anarchy that it entails. (And that is very far from any kind of "left-wing" ideal.) And as with any system with relatively weak criminal laws that does not also offer legal protections to the innocent, the physically powerful (i.e., those who accumulate, and are willing to use, force) will tend to dominate.

    Even so, you should be aware that many Americans, having suffered for almost 10 times the number or years the Brazilian constitution has existed the constant expansion and increasing oppression of their Federal government, would probably give a lot to trade relative positions with you. As long as they could bring their own guns.

    No, we have not experienced your particular problems. At least not in this decade. But then, neither have you experienced ours. And make no mistake: ours are real, too. I have stood up in government meetings and vocally opposed politically popular but unwise laws. I have personally opposed police who were breaking the law for their own benefit. I have placed myself between criminals and innocent people they were trying to victimize.

    The poster who insulted you may have misunderstood your situation, and judged it based on his own. But misunderstanding OUR situation, and judging it based on your own, is equally out of line.

Take your work seriously but never take yourself seriously; and do not take what happens either to yourself or your work seriously. -- Booth Tarkington

Working...