Use of Encryption Foiled the Cops a Record 9 Times In 2013 115
realized (2472730) writes "In nine cases in 2013, state police were unable to break the encryption used by criminal suspects they were investigating, according to an annual report on law enforcement eavesdropping released by the U.S. court system on Wednesday. That's more than twice as many cases as in 2012, when police said that they'd been stymied by crypto in four cases—and that was the first year they'd ever reported encryption preventing them from successfully surveilling a criminal suspect. Before then, the number stood at zero."
First post! (Score:5, Funny)
Rapelcgvba SGJ!
Re: (Score:1)
Rot14 (Score:2)
really confuses NSA.
I smell a rat. (Score:5, Insightful)
There are obviously thousands of people using encryption because they have a legitimate reason to hide something, and criminals also have something to hide, so it stands to reason that they'd also use encryption.
So why aren't there more cases of encryption impeding an investigation? Possibilities:
1) Only stupid people (who don't use encryption) are caught - yeah, not with numbers /that/ low;
2) The numbers are being deliberately under-reported;
3) A lot of encryption is breakable or has backdoors;
4) Most people under investigation have software planted on computers or hardware keyloggers.
Re:I smell a rat. (Score:5, Insightful)
5) Most crimes leave evidence that is not on the criminal's computer.
Re: (Score:2)
You forgot:
5) Most crimes leave evidence that is not on the criminal's computer.
or
6) The encrypted cellphone is thrown into the evidence bag and never looked at again because the arresting officer couldn't get it open.
I'd think it would be pretty rare that the police knew there was something encrypted that could help their case and just couldn't get to it. In most cases the encryption not only protects the data, it also hides its existence all together.
Re:I smell a rat. (Score:5, Insightful)
> 6) The encrypted cellphone is thrown into the evidence bag and never looked at again because the arresting officer couldn't get it open.
Beat me to it. I'd put it more generally as "the police were stymied by encryption 2,316 times last year, but only recognized the fact nine times".
Re: (Score:2)
Re:I smell a rat. (Score:5, Insightful)
that oblig xkcd comic about a heavy wrench defeating encryption is more likely.
"we'll drop the sentence to 1 year in prison if you give us the keys, or you can fight us, and we'll go for 25 to life."
(protip: the wrench can be a metaphor)
Re: (Score:1)
"Eat shit, motherfuckers. If you had me on charges with that kind of sentence potential, ya wouldn't NEED my keys. Wuddya, think I'm stupid?"
Re: (Score:2)
Which, if this chain of thought is correct, leads to the conclusion that in those 9 cases, either police were NOT corrupt (and so could be foiled) or were corrupt, and wanted to be foiled.
I'm not sure that the chain of thought is correct. In some areas --Illinois for example, I would expect it to be.
Re:I smell a rat. (Score:5, Informative)
9 times out of 10, someone trying to crack your encryption is not going to be someone who is able to use that amount of leverage. Most likely they are going to subversively copy your data, or
As far as I am concerned, I don't need my encryption to completely uncrackable. If all encryption does is provide tamper evidence, and doesn't allow undetectable snooping I am OK.
Also, ability to crack encryption in an investigation/forced to decrypt for trial, is not the same as undetectable mass survailence. If all encryption does is force cops to go back to needing warrants and subopeanas, and due proccess, I think its done its job quite well.
Re:I smell a rat. (Score:4, Informative)
> 9 times out of 10, someone trying to crack your encryption is not going to be someone who is able to use that amount of leverage.
It's not about having that kind of leverage. In an interrogation, a cop is not required to tell you the truth. Never forget that.
Re:I smell a rat. (Score:4, Insightful)
"It's not about having that kind of leverage. In an interrogation, a cop is not required to tell you the truth. Never forget that."
It doesn't matter what the cop says, YOU have to shut your mouth.
Don't talk to the police, ever!
It can only hurt you.
Re: (Score:3)
Here's the legal argument for not talking to the police: https://www.youtube.com/watch?... [youtube.com]
Re: (Score:3)
Still, you're definitely supposed to talk to a legal representative prior to talking to Police in any jurisdiction.
Re: (Score:3)
Well, How about (for real) a body was dumped in front of my house. They asked "Hey, we know that at 10:30ish this body was dumped in front of your house, did you happen to see the car?" (there were whiteness to the kidnapping a few miles away). Of course I told them what I knew "Nope officer, didn't hear/see a thing till I looked out the window and saw a bazillion flashing lights, sorry" "OK, Thanks"
Re: (Score:1)
EEEEK! Another authoritative IANAL pronouncement about the law.
Here's the correction: A cop is required to tell you the truth IF the falsehood materially prejudices the suspect. There's a famous case in which cops drove a suspected serial killer around in a car and tricked him into revealing the location at which a victim's body was buried by lying about catastrophic effects upon the victim's family. The resulting conviction, based largely upon discovery of the body, was overturned on exactly this ground
Re: (Score:2)
most of the time its going to be stuff they either steal or copy, without letting you know who's taken it, and they are most likely not going to do anything to you to get the passwords/keys.
uncrackable encryption protects against this.
You can use rubber hose cryptography on one person. You can use rubber hose cryptography on a handful of people.
You cannot routinely beat people for information, with anything other than a fairly obvious hard police state that would make it impossible
Re: (Score:3)
What is the punishment for refusing to hand over keys? In the UK it is only 2 years, so if you are accused of anything with a longer sentence or some other punishment like being on the sex offenders register you might as well take the two years. Also, "I forgot" is supposed to be a valid defence, unless they have evidence beyond reasonable doubt that you didn't forget, but I wouldn't rely on that.
Re: (Score:3)
I think relying on "I forgot" is probably a good strategy if you have nothing to lose.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That's why the "bug" I submitted should be fixed: https://bugs.launchpad.net/ubu... [launchpad.net] ;)
Re: (Score:2)
Re: I smell a rat. (Score:1)
Re: (Score:2)
But that's why this "vulnerability" should be fixed:
https://bugs.launchpad.net/ubu... [launchpad.net]
Imagine if by default if you don't uncheck a checkbox a popular distro has full disk encryption enabled and/or creates an encrypted container.
Then they can't use the "wrench" on everyone that happens to have that distro, because it really is very plausible that the person doesn't have the keys to the container.
As for the arguments against it - if you're in a country where they are still willing to use the "wrench" on someon
Re:I smell a rat. (Score:4, Informative)
There are obviously thousands of people using encryption because they have a legitimate reason to hide something
My hard drives are encrypted simply because my entire life is on them and I'd rather not have everything you need to steal my identity fall into the hands of whomever broke into my house and stole my PC. I take similar precautions with physical documents that could be used to the same end. My SSA card and Passport are kept in the Safe Deposit Box except when needed, other forms of ID are always kept on or near my person, so they're not apt to be stolen in a burglary.
I don't know or care if LUKS and Truecrypt are secure enough to resist access by a well resourced and competent government agency. They provide ample security for the threat vectors that I care about.
Most people under investigation have software planted on computers or hardware keyloggers.
This, along with other side channel attacks (social engineering, or even simply guessing the password, remembering that most people use easily guessable passwords) is the most likely explanation. If the United States Federal Government has ways of breaking modern ciphers they're not going to throw it away to secure mundane criminal convictions.
Re: (Score:3)
I read somewhere of a type of safe called a "burn safe". If opened improperly, it destroys the contents. Apparently used for very sensitive physical documents.
Of course, you should probably have backups somewhere, probably in a different burn safe geographically distant.
Re: (Score:2)
Backups in a stainless steel cylinder welded shut dropped in 50 feet of water and the GPS coordinates memorized.
Re:I smell a rat. (Score:4, Insightful)
Personal content (Score:2)
I've got an encrypted volume on my main box that's got stuff I'd rather not my family members/wife/friends get into. It's nothing illegal, and it's not something that would end in a divorce if she did see it, just a collection of stuff I'd rather not share with the world. Since I have people over for LAN parties and share out drives on occasion, making sure such files are in an encrypted container ensure that even if I accidentally gave them access to the wrong place, they won't be snooping around my stuff.
Re: (Score:1)
Nine times. [youtube.com]
Re:I smell a rat. (Score:5, Insightful)
>
> have a legitimate reason to hide something
>
A person does not ever require a "legitimate reason" to use encryption. A person can transmit information in any way he may see fit or in any way he may simply desire without needing a reason or explanation.
If I want to strongly encrypt a cooking recipe that I email to my grandmother, then it is my business and my business alone.
The point is that criminal intent or any other intent cannot/should not be inferred solely from the act of encryption.
Re: (Score:2)
Re: (Score:2)
If I want to strongly encrypt a cooking recipe that I email to my grandmother, then it is my business and my business alone.
And your grandmother's business too, assuming you want actually communicate that cooking recipe to her.
Re: (Score:2)
5) People use encryption in an insecure manner.
Re: (Score:1)
6) The cases were prosecuting other police, people of power or government entities the police didn't 'really' want to prosecute.
In that case, perhaps a simple ROT13 is enough 'encryption' the police cant break the hard drive and get the evidence.
Re: (Score:2)
10, 100, 1000, 10000, 100000ooooo..........
99.99% video camera. 0.01% go around it (Score:2)
I'd think at least 99.99% of cases don't involve the suspect using their computer at all. One of the most common crimes is using a stolen checkbook or credit card, in a brick-and-mortar store. Thefts might be solved by looking at the store's security video, etc.
In the rare case where you're interested in an encrypted file, you can normally go around it. For example, if you wanted to prove child porn, the cached thumbnails that most image viewers create work just fine. Someone sending instant messages enc
Re: (Score:2)
The headline should really read: (Score:3)
"UK Government / celebrated top-notch British mathematicians create encryption that's still fit for purpose decades after their death."
An encryption scheme that can be cracked by teenagers, camels, mathematicians, governments, police, military or the guy down the road? Not an encryption scheme. Certainly not one for large-scale deployment in public security projects.
Works as intended. The fact that it may, unfortunately, be a tool used by miscreants as well as law-abiding citizens is an unfortunate side-effect, like hammers being useful for smashing windows AND doing carpentry.
Scare tactics (Score:5, Insightful)
Public opinion needs to be turned against anything (such as the bill of rights) that could hinder the authorities.
Re: (Score:2)
That isn't necessary. The sheeple are already conned into believing that the bill of rights enumerates all rights of the people and the government has the power to regulate anything not on the list as well as some particulars of things that are listed.
Re: I must be getting old (Score:1)
Yay exponential growth! (Score:3)
At this rate we should have full encryption in no time!
Re: (Score:2)
OVER 200%! (Score:1)
Just wait until someone tries to spin this as an increase of over 200%, and therefore is a great and looming threat that we need to crack down on.
Criminal hippies (Score:1)
So, in 2013 there was a record 9 cases where criminals used FOSS?
Correction...That you know of... (Score:3)
Bollocks. The only difference between today and the past is that you can easily see an encrypted file, you can know it's encrypted, surmise it's probably got something juicy, and just be unable to break in.
It has the exact same effect as a lot of low tech stuff. For instance, memorizing a secret note than burning it would also leave no trail for law enforcement to follow. As would a secret conversation a thousand years ago you can't overhear because there was no listening devices around back then.
Therefore, I would suggest that actually finding encrypted files law enforcement cannot break into is actually an improvement.
Re: (Score:1)
The only difference between today and the past is that you can easily see an encrypted file, you can know it's encrypted
Huh? Modern ciphertext is indistinguishable from random noise. Some implementations leave behind clues (i.e., Truecrypt containers are always divisible by 512 bytes), and of course the user can give it away ("KIDDIE PORN COLLECTION.TC" <--- Probably not the best naming scheme) but I'm not aware of any foolproof method to concretely identify an encrypted file as such with modern implementations.
Re: (Score:2)
Er, if you find a file whose contents seem REALLY random, you can be pretty goddam certain that it's encrypted. Even binary files practically always contain valid strings in the header - database files, exes, mpegs, jpgs, etc, etc.
Re: (Score:1)
"Pretty goddamn certain" != "beyond a reasonable doubt"
Can you tell the difference between 1,024 MB of /dev/random and 1,024 MB of Truecrypt container? I didn't think so....
Re: (Score:3)
No but I'm also going to be somewhat surprised if someone has a bunch of 1,024 MB blocks of /dev/random on their hard drive. Well I guess a few statisticians might.
In practice odds are I simply don't care. Most criminals leave far more evidence than the police actually need to get a conviction. If I can't open a file with one click I'm going to go back to looking at your bank statements for interesting payments.
Re:Correction...That you know of... (Score:4, Funny)
I prime all my drives with GNU shred since its PRNG is faster than /dev/random and good enough for creating background noise. I've considered writing a program that exhibits statistical anomalies such as Benford's law [wikipedia.org] or randomized MPEG blocks for kicks. Or maybe even valid MPEG encoded noisy frames of Goatse zooming in repeatedly.
"shock sites" (Score:1)
Now *that* would be amusing. Dual-container encrypted volume. The easily cracked volume containing a few years worth of stuff collected from various shock sites.
Heck, no need even for dual encryption. Just make it something with an attention-getting name with an easy password stored in a place that curious inlookers could be easily trolled...
Next time one of those "This is Microsoft, your PC is sending a virus" calls come through, I should share out a VM with one of these and a container marked "banking inf
Re: (Score:2)
If that was really true then why does this article exist?
It's clear something is encrypted because you have to have it clear the file system should not overwrite and the markers make it quite clear that it's not just random noise. Even more clear is if you open up a computer you know should be working but it asks for a password to decrypt the hard drive.
Re: (Score:2)
It's clear something is encrypted because you have to have it clear the file system should not overwrite and the markers make it quite clear that it's not just random noise.
Sometimes encrypted data is stored inside a container that makes it clear that it's encrypted. However, that isn't always the case. If I run "dd if=/dev/urandom of=file count=2K" then I have one megabyte of data that won't be overwritten by the filesystem, but there is no way to tell from the contents whether it's encrypted or random noise. If it were encrypted, the only way to prove it would be to find a key that decrypts it into something intelligible. The problem in this case is that it's obvious that th
Re: Correction...That you know of... (Score:2)
This is a big reason why I think SETI-type programs are doomed to fail. If it would be hard to tell the difference between encrypted data and random data, how much harder would it be to tell the difference between an alien encryption scheme and random noise?
Re: (Score:3)
"This is a big reason why I think SETI-type programs are doomed to fail. If it would be hard to tell the difference between encrypted data and random data, how much harder would it be to tell the difference between an alien encryption scheme and random noise?"
If aliens want to communicate with us, they won't use encryption. They'll make it as easy as possible. (The'y'll probaly send a .DBF :-)
Or we just watch their 'I love Lucy'.
SETI isn't trying to break encrypted files from Space Nazis.
Re: (Score:2)
SETI is trying to pick up alien signals. These might not be "Hi there humans, we are here" messages. Instead, they might be more mundane messages that alien civilizations "leak" out right after they learn how to use radio signals to communicate. Of course, if they encrypt those radio signals (using a purely alien encryption sequence, of course), we might not be able to tell that encrypted data from random noise.
They'd be stumped more often (Score:5, Interesting)
Re: (Score:2)
Or, aleernatively... letting a few crimes go unsolved is part and parcel of an authoritarian police state.
Right now, we have on our 'unsolved docket' Lois Lerner, war crimes by US troops in Iraq, high treason by various top operatives violating their constitutional oaths and undermining the rule of law, thus aiding the enemies of the US, embezzlement by bankers who control the Fed, breach of fiduciary duty by BoA under the blackmail of Paulson that he would break the law... and now most recently high crimes
Re: (Score:2)
Err quite a while. The reality is that with enough effort the police can probably get you convicted of something. There are a lot of laws and you don't know them all. The last thing you want to do is make them look more closely at you.
Out of how many? (Score:2)
The headline is meaningless without also including the number of cases actually involving encryption. Looking at the article, that number appears to be 41.
From the police report... (Score:3)
Status: Unable to prosecute due to lack of evidence.
Reason: Suspect used full-disk encryption. Unable to persuade suspect due to lack of wrench availability.
ItsATrap (Score:4, Insightful)
With 90% confidence; I estimate this is a trap. Police can defeat encryption, no problem, usually by coercing the defendant. The reports by the police themselves are geared at getting tougher anti-privacy/anti-encryption legislation and giving bad guys a false sense of security. The feds could likely have broken the encryption, no problem, the issue at hand just wasn't important enough to reveal the capability. Pretending not to have the capability gives politicians better ammunition when improving state powers for legal surveillance, and for forcing the hands of software providers to secretly include specified backdoor tech.
when police said that they’d been stymied by crypto in four cases—and that was the first year they’d ever reported encryption preventing them from successfully surveilling a criminal suspect. Before then, the number stood at zero.
Re: (Score:2)
Re: (Score:2)
It's doubly a trap when those same companies, which have multiple backup systems on the emails, suddenly cannot recover anything following a series of six separate 'hard drive crashes' on RAID-7 systems, so that the IRS' evidence can no longer prove criminal intent by leaders of the government.
Leaving a 'rule of law' nation sucks.
Re: (Score:2)
suddenly cannot recover anything following a series of six separate 'hard drive crashes' on RAID-7 systems, so that the IRS' evidence can no longer prove criminal intent by leaders of the government.
I read the sections of The Internal Revenue Manual [irs.gov] pertaining to Emails as criminal records.
And I am personally convinced, that the IRS objective is malicious compliance; instead of creating a searchable permanent digital record of all employee e-mail, it seems they go out of their way to say "Preserve
Re: (Score:2)
Anything 'consumer' digital is a huge trap. From development, your input, encoding, transmission, decoding, display - so many layers and very tame access.
With sneak and peek lett
I was going to ask ... (Score:2)
what sort of encryption(s) were the cops unable to break - assuming that they were able to tell by looking at the files; failing that what were the ones that they succeeded in breaking? That might be useful as it would guide me in choosing which algorithms to use for encrypting my stuff.
Then is occurred to me that if the cops revealed it I must assume misinformation. They surely would not make their life difficult by telling me how to defeat them -- or would they answer the question honestly ? So: I could e
Encryption in the hands of a layperson (Score:2)
Is like a gun of an average NRA nut - totally useless for security, while advertising to the whole world that you want to get in trouble. These encrypted files on your hard drive have been transmitted over online services and shared with other people. It's far more convenient for police to get a warrant for online data and lean on those people than tinker with your computer. On the other hand, discovery of encrypted files that you are not willing to open is an excellent clue that getting these warrants and
Re: (Score:1)
Is like a gun of an average NRA nut - totally useless for security
You advertising your prejudices again?
Re: (Score:2)
Just cold, hard facts my friend. A gun will not make you or your family safer without police-grade training repeated on regular basis. As much as it appeals to your ego to think you are the next Rembo, all objective studies have found that adults are not able to effectively take out a gunman without endangering themselves and bystanders. And kids don't stay away from guns no matter what safety classes they attend.
What software? (Score:2)
Security Through Antiquity (Score:1)
rtfa, it's not as bad as it sounds (Score:1)
It's 9 uncrackable cases, out of 45 encryption-cases, out of 3500 surveillance cases. Sounds pretty good to me. Mostly they would probably get the info some other way, hence not needing to crack encryption.
Ermmm... what??? (Score:1)
Re: (Score:1)
It's not obligatory.