The Law: Your computer *cannot* be used against you...

...if you encrypt your files. I read this article and immediately thought of the ATS community and our issues with privacy, or the abuse thereof.

The 5th Amendment says, in part, that no person “. . . shall be compelled in any criminal case to be a witness against himself. . . .” Thanks to this decision our computers are not necessarily witnesses against us as well.

The story
The defendant, a John Doe, was accused of possessing child pornography. He was ordered to produce the unencrypted contents of his notebook hard drive and an additional 5 external drives. Mr. Doe, representing himself, refused, citing the 5th.

The U.S. Attorney then requested limited immunity from the district court for Mr. Doe, which did NOT include using the drive’s contents against him in a criminal prosecution. Mr. Doe again refused to decrypt the drives he was found in contempt of court and jailed. He appealed.

Mr. Doe spent almost 8 months in jail before his appeal succeeded.

Source (it's a good read, I recommend it): www.zdnet.com...

In a world where it seems like more and more of freedoms are taken away, here's sliver of good news about our privacy. And while the case itself involves child porn, it's the spirit of the law that allows anything we do on our computers to remain private, as long as it's encrypted and the government can't break it.

Here's how the court came to its decision:

In Mr. Doe’s case, the court held that the decryption would require the use of the contents of his mind and is not simply a physical act, like handing over a key to a safe. Furthermore, the fact that the government did not know - could not know - whether any files were on the hard drives, meant that they failed the “reasonable particularity” test too.

The court then noted that if Mr. Doe had been given full immunity they could have compelled him to produce all the contents of the drives. But since they didn’t, the 5th Amendment offered him more protection and thus his use of it was justified.

So here's my question: What about the password to get onto your machine, your log-in password? Without that, everything is (or should be) inaccessible to interested parties, so can't you simply say "no" if law enforcement asks for that password - tell them it's your protection under the 5th amendment not to share it.

For those that want the direct source of the opinion piece submitted to the Court of Appeals, 11th Circuit: www.ca11.uscourts.gov...

Note also that Mr. Doe - a lawyer I’m guessing - won, but only after 8 months in jail and the related loss of income. Defending our rights is rarely easy, which is why they erode.

reply to post by Jason88

In brief answer to your question, if your drive is NOT encrypted and I connect it to another machine as a secondary drive, all data on your drive is accessible to me, everything. Hope it helps.
ETA I need no password of yours to access the data. I'm accessing it from an already installed and running machine, not using your OS/user account at all.

No, it is way too easy to get past the initial login screen on any computer, that is not encryption or anything, you can bypass that pretty quick.

One would have to actually encrypt the drives and password them in order to use the 5th amendment in that respect. Just interesting information, windows 7 ultimate comes with built in HD encryption at your disposal.

I have nothing to hide,
But i still do it anyways. Even my phones SD card is encrypted ;D

Interesting...trying to figure out the overall scope of this.
So, password protect your harddrive and its off limits...but what if they break the encryption on their own?

What about information that may threaten national security? Would it still be covered? I think things that are determined to be a thread to nat-sec have their rights basically waved.

This may cover petty crimes such as that, piracy, etc...but like, terrorists sharing classified information...I think those are a higher echelon of crimes, therefore may not be safe. So, ya...all is good, unless your planning on overthrowing your government..in which case, this may not be applicable.

Mr. Doe spent almost 8 months in jail before his appeal succeeded.

I think this was done on purpose and rightly so. Constitutional rights win, and the guy ended up serving almost a year. Not bad when many don't even get jail time.

You can also get programs that will wipe your harddrive at the click of a button. as in DOD kind of wipes. Blanket the drive in 1s, then 0's, then 1's again.

Or you can microwave it.

But thats only if you have things to hide, like terrorist suspects do, and other high echelon crimes. I guess national security would be a different story, but if you catch some evil person, chances are they will die before revealing their password.

So setting the log-in password is not good enough because if law enforcement seize your machines they can pretty much crack it, right? It's easy(ish) to do. But, if you take the time to encrypt your files then the law cannot ask you to reveal it, but they can attempt to crack the information on their own.

Interesting from a privacy standpoint. But as others have mentioned it depends on the echelon of the crime, but while child porn is not a terror threat, it still ranks up there as dangerous and despicable.

Originally posted by Jason88
So setting the log-in password is not good enough because if law enforcement seize your machines they can pretty much crack it, right? It's easy(ish) to do. But, if you take the time to encrypt your files then the law cannot ask you to reveal it, but they can attempt to crack the information on their own.

Interesting from a privacy standpoint. But as others have mentioned it depends on the echelon of the crime, but while child porn is not a terror threat, it still ranks up there as dangerous and despicable.

Yep, thats how it goes. Its easy to circumvent the log in screen, you can go into safe mode, you can take the HD out and put it in another computer, you can use programs to autocrack the login screen because the password for that login screen is saved in the registry of the computer. They do it like that because of the functionality that has when it comes to using lots of machines on a network and such, and nothing annoys me more than someone who wants me to fix their computer and they don't tell me the password to get in to it. So i crack it. Has to be done. =P

So yeah, it would have to be drive encryption because it will then encrypt the whole drive into something that cannot be read from an external source. Imagine a regular drive full of crap, images, music. Its a mess. But if you look at an encrypted drive. You only see one giant chunk of space, you cant see whats in it, its clean and not messy like a regular drive. And you can't see inside of it without the proper credentials, which can be anything you want really. You can do passwords. You can do thumb scans. (my laptop does that, its awesome!) and if you wanted to and had the money you could use retinal and facial scanning to access the drives =P

Saying NO just makes their lives a living hell, because then they have to attempt to decrypt the drive.. Most encryptions are crackable, it just takes time, sometimes too much time.

reply to post by AzureSky


I learn something on ATS everyday. Thanks for clarifying that.

I don't have anything to hide, but areas of the 5th Amendment fascinate me. So now that because "your mind" holds the password that would lead to incrimination, it can be construed as testimony against yourself so therefor the 5th Amendment applies.

You mention other types of encryption - thumb scan, iris scans, face scans (I have that one on an old machine); since those are not in "the mind", I wonder if the court can compel a defendant to unlock that material?

Originally posted by Jason88
reply to post by AzureSky

 

I learn something on ATS everyday. Thanks for clarifying that.

I don't have anything to hide, but areas of the 5th Amendment fascinate me. So now that because "your mind" holds the password that would lead to incrimination, it can be construed as testimony against yourself so therefor the 5th Amendment applies.

You mention other types of encryption - thumb scan, iris scans, face scans (I have that one on an old machine); since those are not in "the mind", I wonder if the court can compel a defendant to unlock that material?

If they offered a deal or a reduced sentence i think a smart person would relinquish whatever is on their drives. But the 5th amendment would still apply in those instances too methinks.

You dont have to testify against yourself. That would include thumbscans, iris scans, and etc. One would -think- anyways, i haven't heard of any news about them making someone do it lately.

reply to post by Jason88


Does anyone know a comparison to the fifth amendment for Australia? I would love to quote the 5th - but as far as I know we don't have anything similar in Australia.

Yep, I have a cd in my bag right now that I can boot off and change your admin password or any password for any user. I need it doing IT work because you would be amazed at the businesses out there that can't come up with and admin password to their server that needs work. It’s the only way to get things done really if you’re relying on someone to find the password. Encrypted hard drive is another matter, but it depends on what encryption you use. Most commercial encryption used in the US has a LEAK, or Law Enforcement Access Key. That is why I use another privately programmed encryption. If it is sold on the market the law is it has to have a LEAK. I suspect many agencies do not even know this. To use the LEAK however, you have to get the 2 keys from two different intelligence agencies. Maybe they are more resistant to let law enforcement have the keys. I always wondered what kind of media the keys were written on; because I would think once they went out they could be copied somehow. The keys are must be returned to the agencies within 30 days or something along those lines.

Now, it has been awhile since I was into security, so things could have changed, but don't use micro junk or any commercial encryption technology if you want to be truly secure. Find a privately written algorithm.

Originally posted by Jason88
So setting the log-in password is not good enough because if law enforcement seize your machines they can pretty much crack it, right? It's easy(ish) to do. But, if you take the time to encrypt your files then the law cannot ask you to reveal it, but they can attempt to crack the information on their own.

A log-in password is only useful when there is no physical access to the machine in question (ie; the base unit of a desktop computer would be locked in a cabinet).

No law enforcement can crack a well secured hard-drive, not at least for another several thousand years at the current rates of computing power, if a strong enough cipher is used it could take them longer than the future life of the universe... seriously (thats if computers never advance any more)

Although, using hard drive encryption can be useless as it depends on how it is setup, and which operating system is being ran. For example, running a vulnerable system with hard-drive encryption is pointless as you can attack / recover the encryption keys via cold-storage attacks (for example pulling the power, ram isn't emptied properly, if done successfully you can access the encryption keys from ram). Aswell as having backdoor software on an encrypted system becomes useless aswell. Many things to consider.


There is also the question of full disk encryption, you would need to also enable encryption of temporary storage such as swap space (in windows this is the pagefile.sys on the C:\ drive), because in the event you run out of ram while the computer is in use, the machine will start swapping ram memory to the disk, and thus you will have unencrypted data easily accessible from the disk.

I wouldn't trust windows for disk encryption, i'm not even sure if it allows "full" disk encryption to be totally honest. All i know in regards to windows based disk encryption is that there are not many options available.

On Linux a common method is to setup a combination of an unecrypted boot partition along with a LUKS/LVM2 container that holds every other partition (home/root/var/swap) and use a key cipher along the lines of aes-cbc-essiv:512 which is currently classed as military grade encryption .

Good walkthrough for any linux users: slackware.osuosl.org...
(should work with small changes on any other 2.6.x+ based distro)

TLDR;
It's almost impossible for authorities to crack hard-drive encryption if it's done properly.
xkcd.com...

reply to post by AzureSky


Ha, you beat me to it. That is just the way it is.

It always amazes me that people think that the nasty people hide stuff on their computer.
If I was doing something bad I'd keep everthing on a usb stick, encrypted and buried in the woods.

While ANY pasword can be cracked, if the password is long enough it will take a supercomputer hundreds of years to crack it, thats why they ask YOU for it.

Make your password very long eg: P,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,word.
Really easy to remember but a real bitch to crack because its so long.

To crack a pword you have to start at A then B then C....
Then AA then AB then AC......etc

Because they dont know how long the pword is they have to start at the low end and work their way through all the possible combinations, thats why P,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,word would take hundreds of years to crack.

Doing something bad? dont keep it on your pc.

reply to post by VoidHawk


I have a cd that will wipe your password and replace it with the one I tell it to. For windows anyway. I don't mess with linux or unix much. No need to use brute force or dictionary attacks.

ETA: Your password is not required to replace it. It is a linux boot disk at that.

Originally posted by spirit_horse
reply to post by VoidHawk

 

I have a cd that will wipe your password and replace it with the one I tell it to. For windows anyway. I don't mess with linux or unix much. No need to use brute force or dictionary attacks.

ETA: Your password is not required to replace it.

edit on 8/3/12 by spirit_horse because: (no reason given)

Yeah, its just one of those tools we PC techs use.
When we can't get in contact with the customer, its faster to just crack the pass and be on your way

reply to post by AzureSky


lol, at least they know who to call for the password next time!

Originally posted by spirit_horse
reply to post by VoidHawk

 

I have a cd that will wipe your password and replace it with the one I tell it to.

I was talking about encryption, I should have made that clear Your cd would do nothing for that and you'd have no choice but use BF.