Schneier on Security
A blog covering security and security technology.
« Perverse Security Incentives |
| Shower Mirror with Hidden Camera »
March 2, 2009
Judge Orders Defendant to Decrypt Laptop
This is an interesting case:
At issue in this case is whether forcing Boucher to type in that PGP passphrase--which would be shielded from and remain unknown to the government--is "testimonial," meaning that it triggers Fifth Amendment protections. The counterargument is that since defendants can be compelled to turn over a key to a safe filled with incriminating documents, or provide fingerprints, blood samples, or voice recordings, unlocking a partially-encrypted hard drive is no different.
Posted on March 2, 2009 at 12:30 PM
• 94 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This is an excellent summary of the case from a respected legal scholar. It is interesting, but not that interesting. The government knows with absolute certainty there is child pornography on the computer. This is not a jack booted thug/tinfoil hat situation, it's a situation where law enforcement saw the child pr0n but powered down the laptop, restoring it to encrypted:
This guy clearly doesn't read your blog. If he had, he would have put his child pr0n on an encrypted thumb drive and told the border police he was delivering it at the request of a friend, and claim to have no knowledge of the encryption key.
Of course, he'd want to make sure to scrub the LAPTOP hard drive before even getting close to the border.
> The government knows with absolute certainty...
Anthropomorphism aside, it would be a valid defense to argue that media discovered by the agents was mistaken to be illegal. In this case, the Jury would be judging the senses and integrity of the Border Patrol agents, and not the evidence upon which this man was arrested.
There is a fair bit of uncertainty in this case, all sourced from a bungled confession. It may be better to acquit this man so as to motivate law enforcement to better codify their interrogation and archival procedures.
That's where the defendant wishes he had installed truecrypt and hidden partitions ...
PGP sucks since you cannot supply a false decryption key/passphrase and claim the decrypted files contain only random data generated from static noise!
"I cannot recall that password"
Might work, it's been more than two years.
What happens if he just says, "no."
It's not like he can be held indefinitely.
Whatever charges they can come up with for not typing in the password cannot possibly be worse than having a child porn pedo / sex offender charge hanging over him for the rest of his life.
"What happens if he just says, "no." "
If the order to input it was found to be constitutional, he would be in contempt of a court order, and tried for such. In this particular case, it might be better to be tried for contempt than for possession of child pornography.
If I remember right, refusing to comply with a court order carries a penalty of up to 2 years imprisonment... anyone correct me if I'm wrong.
@Devin: "If I remember right, refusing to comply with a court order carries a penalty of up to 2 years imprisonment... anyone correct me if I'm wrong."
Sounds accurate, but what he is being charged with probably would end him up jailed longer. Even if it was the same or slightly less, his name will be on the sex offender registry far longer.
I'm not sure a good answer. Even if you make them legally mandated to tell you, you can't prove they didn't really forget.
Probably need a good study and dialogue about how to address warrants for encrypted data. It isn't like a cabinet where you can get a locksmith or break the lock. Last thing I want is for laws to be passed that require a backdoor for law enforcement.
>> "I cannot recall that password"
>> Might work, it's been more than two years.
I suspect Boucher's under a bit of stress right now; another [reason|excuse] for forgetting things.
I didn't RTFM, but the comment referencing the govt's "absolute certainty" regarding the contents is questionable: sure, some agent SAYS he saw something before shutting the PC down, but does he have a picture of the PC? (and if he did, would HE be arrested? - but let's not go there)... without any physical proof, all we have is a he-said/she-said situation, and the fact that one side is a gov't agency and the other a suspected pornagrapher doesn't change the legal situation.
This continues to be an interesting case ...
Saying no is a gamble too. Can the governement get any kind of a conviction without decrypting the drive? Then he'd be looking at contempt plus time plus name on the registry.
The other interesting bit is the government saying they can link the contents of the drive to him by other methods and won't use his decryption as evidence. But they still need him to decrypt it. Why?
What an unusual confluence of circumstances. Border guards have more power than domestic police and can demand to search personal laptops/phones immediately and without a warrant, so there's that much greater incentive to just give it to them and not risk being detained(or beaten), rejected from the border, blacklisted from crossing the border again(absolute worst case scenario for a dual-US-Canadian, which I am), or tragically renditioned to a secret prison in a country that outsources our torture(a real worry if you're profiled as Middle Eastern). I don't see a way out of this dilemma, other than to never take any personal electronics across any border and instead store everything encrypted online. But as physical security will always be best, that's tough medicine to swallow.
IANAL, but from the perspective of our justice system "doing the right thing", this is extremely troubling, to apply boosted border search power and leverage it into trashing the 5th.
(And I'll completely skip the child-porn angle, as the common saying goes: "child porn is the root password to the Constitution").
Often in criminal cases they use a 'plea deal' with certain stipulations. For instance in this case they might say "Decrypt the files and we'll give you 18 months in jail (not prison) and 5 years probation." They use it often to save the cost of criminal jury trials which can involve many witnesses, documents and days of wasted time when everyone knows the person is guilty. They offer lesser charges and or punishment versus the likely results of a criminal trial. It may be a way to get him to decrypt the files to avoid a worse outcome. (People in prison don't play like people in jail. People in jail know they are going home.)
Did anyone read the next to last paragraph?
>An officer opened the laptop, accessed
>the files without a password or
>passphrase, and allegedly
>discovered "thousands of images of
>adult pornography and animation
>depicting adult and child pornography."
Animation of child pornography is completely legal in the U.S., so if that's the best claim the U.S. Attorney can make, it won't get out of the Grand Jury. They would need testimony of viewing images of real persons under the age of 18.
Very strange case, indeed.
2) Deniable volumes (such as a truecrypt volume within a truecrypt volume).
3) Does any encryption software offer a feature where if it isn't used within a certain amount of time, the passphrase expires and the volume becomes unrecoverable?
I'm not sure what the mechanism would be -- Maybe a web domain that stores half a private key and deletes it after a certain amount of time? Be an interesting thing to architect out, including very high reliability but no backup scheme that's recoverable outside of the expiration period.
what would be really clever is if by typing in a certain reserved password, the laptop would wipe it's drive, then unlock to reveal it had nothing but innocuous content.
@Matt from CT: "3) Does any encryption software offer a feature where if it isn't used within a certain amount of time, the passphrase expires and the volume becomes unrecoverable?"
I would think not, and I hope not, since that would be a security hole of collosal proportions. It's not difficult to fool a computer into thinking it is a different date than it actually is.
You could do close to that, with a jump drive key (truecrypt or Keepass style). Have half of the key on a jump drive keyed to cook itself at a button press.
Given the current data-hogging tendencies of today's online world, I think storing it online would be even worse
Given all the things you can hide a USB device in, all you need is a few moments. There's possible destruction of evidence clauses, but only if its marked as evidence.
Has plausible deniability in the context of encrypted drive world ever been tested in courts? ie. if he had used TrueCrypt or OTFE, and typed in one password, could the gov't come back and compel him to type in the *other* password, until they get the result they're looking for?
Just to follow-up to my "absolute certainty" remark: whether this guy is guilty or not guilty is going to be a function of a jury of his peers. I just want to note that if a police officer sees you do something, and testifies to that fact, it carries with it a certain weight. Like, running a red light or flushing drugs down the toilet. Testimony would include what training agents get about child pr0n, etc. I assume, but don't know for certain, that border agents who search computers get training in child porn.
I do also agree these agents of the government could have been mistaken about what they saw, but that's up to the jury to weigh. The same jury will have to weigh this guy's refusal to give out his password. I am sure his lawyers are concerned about how that looks to the jury. And, of course, no one is mentioning that this would all be quickly cleared up if he just gave out the password.
The funny thing is that child pr0n is not the root password. The only reason this is even an issue is the fact that he actually showed them his laptop in the first place.
Actually, truecrypt and hidden partitions suck big time because they are not what they seem to be.
Randy -- ordidijustfeedatroll
The first problem with truecrypt is that so many people already know about this feature - the supposedly deniable volume. I would hate to get caught in court trying to play the dumb role these guys at truecrypt propose - "uh, Judge...I only put the stuff on that volume...I don't know what that other stuff is...I only have one password, so, uh...you can't prove I have another." And who thinks this would work at the freakin' border? The ugly fact is the mere use of encryption puts you at ground zero. And now do you suppose you can prove you weren't using truecrypt? Worse, it doesn't do a thing to thwart rootkits, so you are still locking up your files behind a single expression or password or passphrase that can be discovered without your knowledge and by the time they put the handcuffs on, you will understand why they don't even bother to ask you for the password. And worse yet, it depends on YOU to think about every file - should it go in this volume, or that volume, and can I decrypt it for a minute to access it and still be safe, will there be time to shut it down without a trace, on and on. I left out a dozen other issues with this and most other programs like it.
"I just want to note that if a police officer sees you do something, and testifies to that fact, it carries with it a certain weight."
I'm glad to see you've backed off from your "absolute certainty" silliness, but this isn't much better. When you've been around a bit longer you'll come across many cases where a police officer lies in court in order to secure a conviction. If I am ever on a jury, I will certainly give much less weight to police evidence than to evidence from a genuinely impartial citizen.
I guarantee you law enforcement is receiving new training. They know all about this situation and the mistakes that were made and they won't make them again. From this point on, I would always assume that by the time any authority seizes your laptop or drive they already have what they want. There won't be anymore tug-of-war in the courts after this.
And that sort of attitude is precisely why any job-respecting prosecutor will attempt to make sure you never get on a jury. You're not easily swayed enough.
odup: Sounds like you don't really understand how TrueCrypt works.
You say "I would hate to get caught in court trying to play the dumb role these guys at truecrypt propose." A TrueCrypt volume looks like a drive on the system -- it has files on it, and it has free space. If you look at the actual bytes on the disk, there's no way to tell whether the free space is actually free space, or contains another TrueCrypt volume. If it does contain another volume, the same applies -- you can't tell whether the free space in there is free or another volume. Lather, rinse, repeat. (Now, if you're not careful about how you use your system, you may leave betraying data in your "last used" list, etc., but there's no way to tell *from the volume itself*.) Since many people (like me) use TrueCrypt just to have a simple encrypted volume without any nesting, law enforcement cannot simply assume that you have a hidden volume.
You say "do you suppose you can prove you weren't using truecrypt?" Why on earth would you need to? I use it to encrypt my personal financial data and confidential documents for my job. Perfectly valid reasons for using a tool like TrueCrypt. And given the fact that a zealous prosecutor could probably find *something* illegal by looking any just about anybody's financial data, a perfectly valid reason to assert fifth amendment rights.
You say "it depends on YOU to think about every file..." Not really. I just point "My Documents" at my encrypted volume. So all my data gets encrypted unless I choose to leave it out on my desktop, where it's obvious.
You say "will there be time to shut it down without a trace..." By default, TrueCrypt will unmount encrypted volumes any time you hibernate or suspend. This means that on most systems, all you have to do is hit the power button or close the lid, and presto - nobody can get at your encrypted data.
Side note on this decision: It's really important to note that this particular decision was made on very narrow grounds. This judge here did *not* rule that giving up a password does not violate your fifth amendment rights. The judge here ruled that requiring this particular defendant to provide access to data on his hard drive does not violate his fifth amendment rights because he had already previously given customs agents access to that data.
If customs agents had never had access to the data and the ruling was simply over whether or not he had to give them access (i.e., give up his password), the ruling would probably have been different (i.e., the lower court's ruling would likely have stood).
Of course, not giving customs agents access to data on your laptop likely means that they'll simply take it away, but that's a different issue altogether. :)
"The first problem with truecrypt is that so many people already know about this feature - the supposedly deniable volume. I would hate to get caught in court trying to play the dumb role these guys at truecrypt propose - "uh, Judge...I only put the stuff on that volume...I don't know what that other stuff is...I only have one password, so, uh...you can't prove I have another.""
No offense, but this makes no sense. If someone is employing the hidden volume feature of Truecrypt, they cross the border, a guard asks him/her to enter the password, they simply enter the password for the 'outer' (i.e. non-hidden) volume and decrypt dummy data - perhaps fake financial records or white papers written on technical topics that are considered proprietary for work or patent reasons. The guard would never know the hidden volume exists and should let you pass through. Now, if you use the encrypted volume properly, you can leave the file without a file extension (or give it a fake one, such as .sys, depending on the size) and hide it deep in your file system. The only thing the guard can tell is that you have Truecrypt installed on your system, and that is not illegal. Who cares if it draws suspicion; it's legal.
So I'm not seeing the strength of your argument that 'plausible deniability' is a problem. Your example of being in court does not make sense, because if employed properly, the court would not know about the hidden volume. Not that I advocate lying in court, but we're sticking to the facts of Truecrypt and their plausible deniability feature. My reasoning assumes 1) no rootkits or other methods of stealing the password and 2) no brute-force cracking of the password.
@ Matt from CT,
"3) Does any encryption software offer a feature where if it isn't used within a certain amount of time, the passphrase expires and the volume becomes unrecoverable?"
The short answer is there is no "software" that can do this you need hardware.
The simplist way to do it is with a single chip battery powered microcontroler embeded in a tamper proof (if such things realy exist) case.
But in all honesty I would not trust it as actually making sure the "key" could not be recovered is very very difficult.
A simple way is not to have the key stored in any one place.
There are M of N shared secret protocols, and various ways to prove knowledge without directly transfering it. The protocol mechanics are as they say "left as an excersise for the student".
But put simply if you have three or more "active" sites on the internet in seperate juresdictions that each have a part of the key and they will "forget" after a certain time then yes you can say to the judge "sorry I realy cannot provide you with the key and this is why..."
However you could not prove that you had not hidden the key away so you are taking a gamble on the judge beliving you over the prosecution saying otherwise.
The simple fact is that if you are moderatly clever you will always be able to work out a way to destroy/hide the key.
But if enough people do it then the law will simply be changed such that not revealing the key upon a judges lawful request carries a significant penalty (say a mandatory two year sentance without exception).
Which is effectivly what RIPA has done in the UK.
I've been around plenty and I certainly don't trust the police any more than I have to. You'd never have found me opening my laptop and logging in -- I'd be calling my lawyer, and I know the rules. I mean, I read this blog, and this isn't exactly a new issue. Don't carry illegal stuff -- or important stuff -- on an international trip on your laptop. Use Bruce's thumb drive notion, they will not be looking there. Don't keep child pr0n in your camera on your way back from a Thai underage sex trip.
That said, the circumstances of this case are about as suspicious as it gets, and I don't think I'd use this particular case as something to rally around. I don't see how effectively this is different than someone growing marijuana in their front window. A police officer sees the marijuana and gets a judge to issue a search warrant. You don't get to refuse entry to the officer because it was oregano and you subsequently put up a window shade -- maybe it was marijuana, maybe it wasn't, but this case is not very much different. Yes, it is fourth versus fifth amendment, but practically speaking, we're dealing with an esoteric technicality that we'd all just be fine with if we didn't lug around child pr0n.
And the commenter who talked about animated child porn, I'm sure this guy's lawyers know what it is on his drive. If it was legal, he'd have avoided the staggering costs of this lawsuit and either settled or gone to trial. Innocence is a pretty strong defense. I'm all for doing what is right, and establishing your rights. This was on shaky constitutional ground from the start.
Thanks for the link. I found the details interesting.
Agreed. This bit was curious:
"Boucher was crossing the border from Canada to Vermont when border agents began to suspect he had child pornography in the car. They saw a laptop in the back of the car and opened it up. It was not password-protected, an an agent began to look through it. (By way of background, the Fourth Amendment has an exception at the border that makes this search legal.) The agent came across several files with truly revolting titles that strongly suggested the files themselves were child pornography."
So, aside from whatever made them stop the car and seize the laptop the file "titles" were the big clue, and the fact they couldn't open the files led them to ask the suspect to mount the encrypted space for them.
You can't count on file names to provide anything useful... I keep a file on my system called "Cute chick with nice pussy.jpg". It's there specifically to set off alarms if the pr0n police scan my system at work, and then make them feel sheepish: It's a picture of a baby chicken next to a fluffy kitten. :)
not being able to remember seemed to do OK for Alberto Gonzales
Is this justice theater?
Suppose that's you with your encrypted computer, and there's nothing on the computer but the OS and the preferences you set up, since you bought it earlier that day and haven't had time to do anything with it after setting preferences and password.
In the courtroom, they make you use your secret password to unlock the encryption while the jury watches.
What's next? They are not going to show the jury any pictures, not right away. They will take the machine away, breaking the chain of evidence, and will come back later with incriminating evidence that they claim they got from your machine, which they could easily have copied from their own vast library of kiddie porn. They might not show any pictures, just lists of filenames that would sound incriminating. Thanks to their keylogger, they also have your password. They can put anything they want onto your computer, or they can just fake it and make a theatrical production about the terrible things they say they found.
More diabolically, say they already installed a keylogger during a blackbag job, so they already have your password. After they separate you from your computer, they log in and change the password. Then, in court, in front of the jury, the judge orders you to enter your password. Since you cannot, it will be obvious that you are faking it, desperately hoping your refusal to comply with the judge's order will help you in some way.
If you're worried about that kind of scenario, aren't you equally worried that the government will simply arrest you, shoot you dead, and bury you in concrete? Why bother with all that tinfoil hat crap? Or, if all they want is to jail you, why not copy the plot of "Trading Places?" Plant some PCP in your jacket at the club, parade you in front of the corrupt judge, and call it a day? Mandatory minimums mean serious jail time.
They have a saying in the emergency room: if you show up at 3 am with a stab wound, you probably did something to deserve it. Not always, but usually. This sounds a lot like the guy deserved this predicament.
Roy, I doubt they will give you access to the real harddrive anyway. The first step in any serious forensic analysis is always making a perfect copy of the hard drive in question, and all further work is then performed on the copied data. You don't work on the original HD, it's just too likely that the evidence gets destroyed or altered in any way.
Also, I wanted to post a follow-up as to why this is such an important detail (which I gleaned from one of the excellent Volokh/Kerr discussions):
The reason they need this password is most likely not to convict this joker of possession of child pornography. It's to establish the sentence, which is based on number and type of images. Based on the transcript this guy most likely had some "rape of children" movies.
I urge anyone interested to read the actual opinion:
My advise is pretty simple: if you are travelling internationally, don't have files called "2yo getting raped during diaper change" on your hard drive.
Like I said above, if I wanted to pick someone to rally around, this would not be the guy.
This or that .pgp file is not and cannot be porn. It's just a string of bits. It may or may not be turned into porn if the suspect transforms. IANAL, but since the government can't prove that a .pgp file is porn (because until it's transformed, it isn't), then why should a suspect transform it for them and thereby commit a crime?
During Prohibition, a warning was placed on "wine bricks" that described all the steps you should *not* take to avoid fermenting an alcoholic beverage.
The big issue here is that the laptop was turned off after it was inspected. One thing security guards should be trained to do is to never let a computer be turned off after it has been inspected and found to contain illegal contents. If the guard legally looked at the computer then he legally found slam-dunk incriminating evidence, so he should have left the computer in an unaltered state as possible until a forensics expert could show up.
@killick: "This or that .pgp file is not and cannot be porn. It's just a string of bits."
I suggest you read this essay: http://ansuz.sooke.bc.ca/lawpoli/colour/...
It is about the difference between how computer scientists think about bits, and how the law thinks about them.
The course of action is obvious. Contempt of court carries a much lesser sentence than possession of child pornography.
"This or that .pgp file is not and cannot be porn. It's just a string of bits."
"It is about the difference between how computer scientists think about bits, and how the law thinks about them."
And that is the rub.
Any file can be converted into any other file of the same length by the use of one or more difference files.
And if you realy had a go at it you could take any two quite legitimate files and by applying a succession of one or more difference files produce any desired result.
At what point is there an iligitamate or illegal file and which one is it?
To give you food for thought,
Is a metal pin a gun?
Is a gun without a metal pin still a gun?
What about the trigger?
Depending on which way you go (making/breaking) when can an object be said to be not an object but a part?
Now think of explosives at what point does a collection of atoms become or cease to be an explosive.
Scientists deal with "actuality", the LEO's / LEA's deal with "intent and actions", the courts (tribunal of justice) with ensuring lawfal procedings for the jury (tribunal of truth) to make an unbiased choice on guilt or not. Only the first of these (actuality) is not subject to interpretation in one way or another.
It would apear from what has been said that what was found on Boucher's machine is data about data (meta data) in file names that indicates that more than one file might or might not contain illegal images.
The argument is currently about the intent and actions of Boucher not about the actuality of the file contents as that is (presumably) unknown to everybody but Boucher.
However I suspect that the prosecution have a good idea of what some of the files might contain due to other meta data such as file length.
The chances are "if" Boucher is into illegal images atleast one or two are not "unknown" and the filename meta data and length meta data jibe with those held by one or more LEA's in their databases.
So the case has turned into a game of high stakes poker between Boucher and an LEO their LEA and the courts.
Remember that Kevin Mitnick had a number of encrypted files for which he did not provide the keys, and the judge basicaly let it go (I'm guessing because there was enough other evidence).
I'm not sure how this would play, but taking the idea of a (long) passphrase to heart back in about '94 and playing around with PGP, I made my first passphrase suitably long, and a bit convoluted to boot...
... and a good thing I hadn't encrypted anything critical or unrecoverable from other sources, since I never could remember the passphrase exactly right!
Learned a lesson there, I'll tell you.
MKot- "Was that 'sea', 'see' or 'cee'?" -S
"Animation of child pornography is completely legal in the U.S." - Dwight Whorley's conviction for possession of it was recently upheld. Some possibility for appeal remains, but "completely legal" isn't something anyone can safely depend on.
eric schmidt "what would be really clever is if by typing in a certain reserved password, the laptop would wipe it's drive, then unlock to reveal it had nothing but innocuous content."
I've thought about the same thing: basically a duress passphrase that tells the software "I'm being forced to decrypt the hard drive, trash everything."
I think there has previously been a post on this blog describing an incident where someone accidentally set off his own home alarm system. When the alarm company called, he accidentally gave them the duress passphrase rather than the normal one to authenticate himself. It's definitely an easy mistake to make....
TrueCrypt now includes support for keyfiles. So if you have a password and a USB drive with a keyfile, giving your password will not decrypt the drive. You can destroy the USB drive and your backup USB drive and the encrypted drive is effectively wiped.
There is of course other aspects to this case which have been aluded to in the above comments.
One is quite important,
Ask yourself the question, Is a hand drawn image of a naked teenager art or ponography or both?
Further how do you decide if it is covered by the laws on child pornography or not (remember legislation varies from place to place).
It is a question usually decided on the age of the subject at the time?
So how do you tell if the drawing is of a teenager who is a child or a teenager who is an adult?
In most cases you would form a view based on your experiance.
Then consider if it is a photograph not a drawing?
A photograph rarely contains a reliable way to say at what point in time it was taken.
So how do you decide if the teenager is a day before being an adult or the day after?
In most cases it all boils down to your experiance to form a view or opinion. And as very few of us have experiance of "aging" humans of any form we might as well be pulling balls out of a jar to form our opinion.
And there are two types of opinion in a court that equivalent to "hearsay" and "expert testimony" of which hearsay is usually not alowed as evidence in criminal procedings (although that has changed in UK courts due to "bad charecter").
The difference between hearsay and expert testimony is somewhat difficult to tell even for "experts" and is again based on "opinion" (circular argument here we come).
And it differs from place to place,
And in what sort of cases it is admissable (civil-v-criminal).
However when it comes down to it, expert testimony appears to come down to "opinion held in common" by those in the "field of endevor", with the expert being suiably qualified (either by experiance or accademic status).
This tends to cause problems when the opinion is based on research or findings that are not well established or subject to interpretation of one form or another.
There is a general rule of guidence that the jury should not be "confused" or "bambozeled" and therefor indepth cross questioning of experts is usually discouraged.
In the UK it has been found that a number of so called "experts" have "come up wanting" when it comes to their testimony when it comes to cases involving children. So much so that there are grave doubts about the safety of quite a few convictions.
Further opinion has been made on what realy is hearsay in cases involving so called Internet download of child-pornography in the UK (google "operation ore" and have a look at, http://ore-exposed.obu-investigators.com/... ).
For a process that is supposed to have a measure of "beyond reasonable doubt" opinion, expert or otherwise appears to be somewhat at odds with the process and injustice often the result.
jacky "I've thought about the same thing: basically a duress passphrase that tells the software "I'm being forced to decrypt the hard drive, trash everything.""
Every times you want to recover altered data on a messed up partition, you first backup the data blocks before proceeding, don't you ?
I guess they could do the same with the defendant encrypted partition before asking him to type his pass phrase (encrypted data is some kind of altered data)
A simple workaround is: "the 'password' is indeed a keyfile, a daemon / a scheduled task deleted it 5 minutes after you have booted up the system whithout stopping the task, that's what I do each time I boot. Now the key is gone forever."
BTW, since it is quite risky to do what I suggested if you have not a good memory :) you can fake that solution seting up a daemon to (secure)delete a fake keyfile, no-one apart you know that it's just a bluff.
As it happens, I actually do use TrueCrypt in the "implausible" way you suggest. I have at least one encrypted file container which does not have a secondary container within it. Why? Because for that particular container, I don't feel that I need the additional concealment. If I am coerced to give up the password, then the attacker will see the contents of the container. They will not see any files which aren't in the container (e.g. because I keep them on a different device).
Thing is, I'm indistinguishable from someone who uses TrueCrypt with a secondary container. If an attacker coerces them into giving up their (outer) password, then the attacker will see the contents of the outer container. They will not see any files which aren't in the outer container (e.g. because they're kept in the inner container).
That's why this hypothetical TrueCrypt user has "plausible deniability". They can claim to be using TrueCrypt the same way I am. It is extremely difficult for anyone to prove otherwise, although it's not impossible if the attacker has access to information beyond just a single snapshot of the encrypted container.
@Nabeshin: "deleting a keyfile"
If the cops are serious and competent about the matter, the first thing they will do with the confiscated laptop is to create a 1:1 copy of its hard disc.
There is *no way* to implement a secure self-destruct mechanism purely in software. If you think you designed one, you didn't think hard enough.
It *might* be possible to do this with dedicated hardware (e.g. smartcard, TPM).
"I cannot recall that password"
"What if he just says 'no'"
In the former case the judge holds him in contempt until he "remembers". In the latter, the judge just holds him in contempt. And yes, they can hold him forever if the judge so desires.
Civil contempt in the United States is limited to 18 months. There is no limit except the constitution's "cruel and unusual punishment" clause for criminal contempt, which is what this would be.
This discussion is a lot like the xkcd cartoon on encryption. Next time maybe Bruce can post the court case first, so everyone can read the uncontested facts (i.e. this guy's defense lawyer did not dispute what the border agent saw, but are trying to avoid a longer sentence).
just make your password "i plead the fifth"
then they can't hold you in contempt, you complied!
>- Dwight Whorley's conviction for
>possession of it was recently upheld.
Thanks for that update, which I wasn't aware of. Although a casual glance at the case the crux seems to be he accessed it on a *public* terminal (at the unemployment office). But it does set a precedent animation can be regulated at least in some situations.
"\"I cannot recall that password\"
\"What if he just says 'no'\"
In the former case the judge holds him in contempt until he "remembers". In the latter, the judge just holds him in contempt. And yes, they can hold him forever if the judge so desires."
"Civil contempt in the United States is limited to 18 months. There is no limit except the constitution's \"cruel and unusual punishment\" clause for criminal contempt, which is what this would be."
Ugh. Thanks for that information. I am ignorant of my own laws.
A duress password that wipes the drive would be pointless in a case like this. What you would need is a password that boots into a clean(ish) filesystem. Or an M of N type password setup with collaborators who are out of court jurisdiction. There's no point nuking a drive when forensics 101 is to create a 1 to 1 backup.
makes one wish that one could create a "WIPE" password in PGP. so you can choose a password to nuke the drive contents quickly. just tell them the wrong password and then remember oh wait that was the "other" password...
> makes one wish that one could create a "WIPE" password
DUDE! It doesn't matter how much you wish something like that existed. It still wouldn't work, as we've tried to explain to you several times now. Just read the post before yours. The cops have at least two backups and the real HD, wiping a copy would halp you jack shit.
Did anyone read the Judge's offical response?
He ruled that the password IS PROTECTED by the 5th Amendment. To quote the response: "For the foregoing reasons, the motion to quash the subpoena is GRANTED."
These discussions need a graphic feature to link and diagram the points and threads.
@matt "Animation of child pornography is completely legal" since when? I don't have a clear idea of what they are calling animation. Is it images in motion like a movie file or is it cartoons? Any movie would be an image...cartoons like "virtual" child porn is still an area of dispute. There's case law on both sides. And it can still be prosecuted under obscenity ordinances at the state level under the Miller test.
@Jenkins Even with new training LEO's bungle ordinary searches and seizures all the time. It's one of those 'techincalities' that some rail at.
All I can say is, I would have "forgotten" that passphrase from the very beginning.
Given that my encryption passphrases (on-the-fly full-disk, not normal PGP) are full, long sentences, "forgetting" them would be a very understandable thing.
Simple version of Judge Session's decision:
It's a foregone conclusion that the guy's guilty. Therefore, he can be forced to produce evidence of his guilt.
If he doesn't produce the evidence, then he can be locked up without trial.
That's all there is to it.
BF Skinner: I was quoting a previous poster, hence my use of quotation marks. I strongly dispute the claim that animated child pornography is "completely legal"; the other guy said it was legal, and I pointed out that someone was recently convicted for it so it can't be quite so legal as all that.
Just think if he was employing a hidden OS from Truecrypt. He could have entered the password for the decoy OS and it would have booted up just fine with no incriminating files to be found. He could have even put some decoy porn on the decoy OS so he would at least have the argument that the border guard saw that porn but was mistaken in what he interpreted to be child pornography.
If the guy does have child porn, he should be prosecuted. That aside, the larger issue here is protecting one's right to not being forced into self-incrimination. The decoy OS would have been sweet for his case.
I don't knwo exactly the specific case, but...
We are going towards an always on world, and if the machine is booted when all begins the time needed to merely get from the door to the machine, or say "give me the notebook/netbook/smartphone" and do any little thing may be enough for the daemon.
"Wops, the counter reached 0 in the moment you got the machine, and I consequently had no men to stop it from deleting my key!"
At least, it may be enough for a reasonable doubt for the Court, expecially if it is just a fake to plausibly deny giving the password.
But if the machine is powered off, I agree with you, a good hardware security is the only thing that can wipe the hd.
TrueCrypt's, or anyone elses, deniable system would not have helped the defendant - this is because the enforcement officer had already seen incriminating evidence.
All other steps discussed boil down to the advise "use security". If you are going to leave the laptop switch on then people are going to see what is on the screen. It doesn't matter what security you have, if you don't use it, it won't work.
Having a denyable container does not help in the case that the officer has seen the files - that's a pretty big clue that there must be one. This is also not the scenario that this system is supposed to be secure against.
Officer seen the incriminating stuff.
Later, it is not found - where did it go? Mistake? But wait - the suspect has truecrypt installed. Perhaps...
Though I can imagine including an erase command in the shutdown script ... and keeping my laptop in hibernate.
The case relates to whether you can be forced by law to reveal a password or phrase. It seems that no... but wait - perhaps yes?
Perhaps an analogy...
If your safe had voice recognition - could a warrent force you to say the password? What of other biometrics?
> If the guy does have child porn, he should
> be prosecuted.
Because of what? Because some bunch of charlatans and thieves (aka "Congress") said so?
A lot of people here are making the same mistake.
In law you do not need a body to convict for murder...
If you are going to use an encryption application, deadmans switch, hidden container, hidden OS's or other methods of hiding data then there is one question you are going to have to answer in court and convince the jury,
Tell me Mr Smith if you are not hiding something illegal then why do you have XXXX on your machine?
You had better have a very plausable and belivable story or you have just been found guilty in the juries mind...
Therefor as I have said on other blog pages (HD encryption etc) think about what your threat model is.
If you are a profesional with a duty of client confidentiality under law then you have a small chance of convincing the jury.
However if the prosecution push the judge will give ground to a trial within a trial to decide if your claim has merit. If they decide not then you are back to being held in contempt of court and nobody and I realy mean nobody comes out of contempt of court as anything other than looking suspicious.
Oh and always remember "metadata" there is a lot of it about and that can be the "titanic" moment of your plan.
> The cops have at least two backups and the real HD, wiping a copy would halp you jack shit.
I wonder what is the EULA of the software used to copy the initial HD into those backups, what is the EULA of the operating system needed to run the copy software - including the EULA of the video card and other hardware installed on the computer.
Then I wonder what are those people doing inside a court, after agreeing such End User License Agreement.
"You had better have a very plausable and belivable story" - which neatly reverses the burden of proof.
Surely, there are many innocent reasons why you might have encryption software on your machine. A virus might install it for example. How would you get out of that? You cannot supply the password as you never configured the system - that was done by the virus
It seems that some people here are underestimating the court system.
First, a dead man switch of any sort is destruction of evidence so that will get tacked on to your eventual conviction. (Even if you get off on the original charge, you're now guilty of evidence tampering).
Second, if you do smoke the drive then your defense is one of he said/she said in which case the law officer's statements about what he saw are going to be given much more weight because you can't refute them.
Third, regarding the forensic copying of the drives, this will most likely be done by a block-level copying device, not a computer. There will be no opportunity for the data to get accidently deleted.
Fourth, the question, "Tell me Mr Smith if you are not hiding something illegal then why do you have XXXX on your machine?" would no more be allowed than "Have you stopped beating your wife?" It is misleading and prejudicial.
@Matt. Sorry for my use of your downstream liability. These discussions need graphic links so we can piece the threads out. But I aggree with you point that the area of "virtual" child porn is still an area of unsettled law.
I don't know what you might of been told about the "burden of proof" but the simple fact is in technicaly complex cases neither the judge nor the jury have (or want for that matter) a clue.
Each side brings in their own "expert witnesses" or worse as in one case the judge decides arbitarlily the defendent is an "expert".
The defense are usually not alowed to attack the prosecution expert witness in the same way as the prosecution can attack the defendent. This is because judges tend to see them as being "of the court" thus an attack on the expert is akin to attacking the judge. Further judges do not like the jury (or themselves for that matter) being confused by technical nit picking and cross acusations and theories.
So at the end of the day the whole thing turns into a "talking head" shop where the jury will be swayed not by the soundness or otherwise of evidence but by the charm / personability / credability of the people going through the witness box, and the councils summing up. Usually the judge is incapable of instructing the jury over technical issues which means an asstute and knowledgable council can slip stuff by that would ordinarily be stamped on very hard by the judge.
This is a very very significant problem with the court system and realy we should consider having expert tribunals guided by a judge prior to the actual trial.
Back to your point about a "virus" the evidence for or against this will be in the metadata in the file system and programs as well as the "geology" of the data on the drive. this is especialy true of flash drives and other storage systems with wear leveling or snapshot capability. To a lesser extent journoling file systems can show similar layering and interleaving of data within a storage medium which can be rolled back against time stamp meta data to show discrepancies etc.
The question is are the investigators sufficiently expert to tell.
"Fourth, the question, "Tell me Mr Smith if you are not hiding something illegal then why do you have XXXX on your machine?" would no more be allowed than "Have you stopped beating your wife?" It is misleading and prejudicial."
Yes that specific question would not be alowed but it's almost direct equivalent stated in a slightly different way over a short series of questions is allowed.
I was simply using the terse form for the sake of brevity in making the point that courts are not about technical evidence but human failings, intent and actions.
Firstly clever technical ideas will not be understood by the average member of a jury and airing them infront of a jury is tantermount to calling them stupid and you will therfore not be doing yourself any favours.
Secondly the judge likewise is not going to be interested either, he has an indepth knowledge of the legal process and it's ways and is therfore not going to venture out onto a technical limb over unknown teritory without very good cause. If you insist on draging him out of his comfort zone you realy must be prepared for a fight that in all probability you will lose.
Thirdly as is aparently so in this case people get wrapped up in the details of one aspect of what they are doing and leave very obvious trails via metaevidence. It is pointless telling the judge that the encrypted files are "oh so confidential" when you leave stupid filenames in applivations and the file lengths are such that they match the expected file sizes of "known porn". He is simply going to put you to the test as in this case.
Anyone who says that a jury trial is not about witness credability and style has either not been in a jury or has been exceptionaly lucky.
My experiances in doing jury service is such that I would rather have my few remaining teeth dug out with fishing hooks than go through it for a third time. Thankfully I have found a way to avoid ever doing it again by taking a qualification ;)
"I just want to note that if a police officer sees you do something, and testifies to that fact, it carries with it a certain weight."
You have obviously never sat on a jury in a criminal trial calling officers of the law to give testimony. I *have done this, and I can tell you that one of the first things the judge instructs the jury on is that the officer's testimony carries no more or less weight than a/the civilian's simply because he/she is an officer of the law. What I can also tell you is that one of these cases actually ended with a hung jury, a jury admitting to me (the foreman and one of 7 for guilty) that every single one of them (the non-guilty) believed the defendant was guilty of the crime, but refused to give a guilty verdict simply because they had a distaste for cops, and not even the particular officer who testified, just cops in general.
That is how our justice system works, or fails, like it or not, but your assumption of testimonial weight due to vocation is just as naive as the post you gave the ole' 'tinfoil hat' nod to.
"Anyone who says that a jury trial is not about witness credability [sic] and style has either not been in a jury or has been exceptionaly [sic] lucky."
My point exactly.
Sorry about the typos it is something that (unfortunatly) is a bit of a signiture with me (they give it the old fashioned name of dyslexia but they also say that dyslexia is to broad a term...).
In my above posts I mention "metadata" and "metaevidence" as being a "gotcher" with information hiding that most people get wrong.
Metadata is in many forms but part of it is very low level.
For those of you who use flash (Thumb/pen/etc) drives you realy need to be aware of the meta data and meta evidence.
Due to the nature of Flash memory the drives use something called "write leveling". This means that files do not get over written but a new file is created and the metadata in the drive is changed.
If you think "yah so what my files are encrypted so if does not matter if there are two or more copies of the file" think again...
Due to the "random access" nature of semi-permanant media (ie magnetic) the OS usually assumes this is a given and will allow applications to access your files on a byte by byte basis. At the hardware level this is block by block, but is still not the whole file...
This has significant issues to do with performance and Crypto security. The usual (and wrong) way to resolve this is to use stream encryption.
The result is that with Write leveling and journoling file systems you leave two copies on the drive encrypted under the same key and iv but with different data.
As it is a stream cipher this effectivly means that anybody examing your drive can find files which start the same but then differ part way through.
Simply XORING the two sets of differencees strips out the encryption and leaves you with the old file contents XORED with the changes.
This can often be trivialy split out into the component parts. Thus revealing confidential information for little effort.
Importantly with flash drives this is almost gaurented to happen...
For a more indepth discussion see the following paper that was from last year,
I asure you it will make you thing very very carefully about HD encryption, File system encryption, File container encryption, File encryption, Backup encryption and even application level encryption.
As Bruce once noted crypto code is the "least of your problems", it's how you use it, the systems you build into and the way the user uses them that are the real areas of concern.
And as I have pointed out on numerous occasions,
Efficiency is the foe of security. The more you have of one the less you have of the other.
In the case of data storage the efficiency of "random access" is the killer of security...
I know of ways of dealing with it but most application developers (even those who should know better) forget this and make significant mistakes, and the castel becomes less secure than a house of cards due to rotten foundations....
i wonder IF it looks nowadays suspicious when one finds lots of 'random' looking blocks on a disk - that might indicate to the investigator that you used some kind of encryption (and tried to hide it with e.g. truecrypt)
to my understanding a 'perfect' encryption would generate 'random looking' data w/o detectible structures
better might be to overwrite all unused areas and deleted files with some 'stupid' data (like a JPG with you at the beach etc) and duplicate that file (with some variations that explains the duplicity) till the space is filled up again
BTW always keeping your flash 'full' (= no empty space) would disable wear-leveling (and the security concerns around it)
you delete only as much space as needed for the new file, and that's the exact location where the new data will be written
... unless flash has 'spare' cells that get used to fill in for failed ones to keep the capacity at the rated amount (e.g. spare sectors on a HD)
All in all, still great PR for PGP.
@neill: "BTW always keeping your flash 'full' (= no empty space) would disable wear-leveling (and the security concerns around it)"
Yep, like with a TrueCrypt deniable FS. You make a TrueCrypt volume that fills your flash disk, then you put some files in it that legitimately need security (say, some financial documents). You use a good chunk of the apparent free space for a TrueCrypt hidden volume, and put your sensitive files there.
This defeats leveling and has the advantage of deniability for the hidden volume.
Of course, your OS almost certainly sucks (they all do), and a skilled investigator has a reasonable chance of discovering your hidden volume. What happens then -- even if they can't compel you to provide a passphrase -- is that you'll be asked in court why you lied to the police. This does not look good to juries.
If, though, you have good data discipline, you may successfully prevent them from having enough evidence to obtain a warrant for your passphrase; then the case will undergo summary judgment in your favor.
"BTW always keeping your flash 'full' (= no empty space) would disable wear-leveling (and the security concerns around it)"
Unfortunatly for most flash memory these days this may not be possible.
SmartMedia and earlier NAND flash cards the OS talked directly to the chips.
With MMC / SD / USB Flash cards/drives you talk to a Flash Translation Layer provided by a microprocessor not the Flash chips.
The micro provides the wear/write leveling and bad block translation. By having more flash memory internaly than the user sees externaly to store metadata.
Part of this extra flash is a high reliability (on write cycles) chip to store the Logical Block Translation as well as having extra bytes in the low reliability Flash for "out off band" (OOB) data. This is approx 64 metadata bytes for every 2048 user data byte block.
Because of the way the micro is usually programed you can't normaly get access to this extra metadata Flash.
Further unless you know the flash block size and how the FTL works you cannot,
"delete only as much space as needed for the new file, and that's the exact location where the new data will be written".
Unlike conventionaly addressed memory (RAM, NOR Flash) NAND flash works in blocks of 512 or 2048 bytes for which there are four primative operations (ROWE),
Read pulls out one or more compleat blocks.
Overwrite is not available in some NAND Flash chips but in others it means that you can clear bits but not set them in a block that has already been writen to.
Write is used to change a block from the erased state to a valid data state by clearing bits.
Erase sets every bit in either a block or the device.
Depending on the FTL micro you do not know how the "sectors" the OS sees relates to the NAND Flash blocks.
A knowledgable forensic examiner would take the external case off of the Flash device, hold the FTL micro in reset and probe out the Flash chips directly, gaining direct access to the metadata, and any "slack space" blocks that are held as reserve in the wear/write leveling circular (or tree) structure.
the owner then would hope that enough blocks are 'destroyed' (or remapped) that if CBC mode is used the decryption will fail
other idea would be a flash-stick that IF the right password is NOT supplied within a few min after power-up the mapping-memory is overwritten
of course with disassembly you could still get to the chips, but w/o the mapping it's almost all data-trash (no idea though what the internal block size might be)
"enough blocks are 'destroyed' (or remaped) that if CBC mode is used the decryption will fail"
Close to the correct solution but not quite 8)
The correct solution is to use a "block cipher" "chaining mode" on a per "storage block" basis with an IV computed from data inside the Flash device and outside of the Flash device Likewise with the keys.
However you need to consider if you are using the block cipher chaining mode on the data directly or indirectly and that depends on the type of memory you are using. If indirectly (ie stream encryption) you get good random access ability at the byte level (for NOR Flash / RAM etc). If directly for block level access (NAND Flash HD's). They can be as secure as each other but you need to take a lot lot more care with the indirect (stream) method to avoid re-use.
You realy need to think on the encryption of the data and metadata as a top down system. Where the new metadata gets encrypted at by the previous metadata each level on the way down. Whilst the data is encrypted at one or more levels below the relevent metadata.
Effectivly you chain the metadata up to make new tokens on the way down.
At each level you add data that is either unique, or truely random with a very high degree of entropy (to avoid collisions).
Perhaps surprisingly a lot of unique metadata is actually realy usefull such as file inode, update number, update time etc for such things as journaling, checking file system consistancy and file system snapshots.
You also need atleast three different "above OS" pass tokens. The machine master token, the volume/container token, the user token and an OS level unique token for each file creation and update.
The result is that without the pass tokens not even the metadata can be decoded from the memory device let alone the data. Importantly even the higher level file system structure gets encrypted as well.
Also with a little thought you will realise that each bit of meta data and data need only be encrypted once which makes access times considerably faster. Especially if you take the time to ensure no "key stream" reuse, you can pre compute the keys at the begining of a session etc.
All of this is not exactly difficult to envision, the devil however is as always in the details.
I'm no security expert.
But can't a hidden true-crypt partition be spotted just by adding files unitil all reported 'free space' is filled and then compare the actual size of the volume with the size the space used by the visible files in it?
Or will true-crypt *silently* start overwriting the hidden partition?
@Francesco Orsenigo: "Or will true-crypt *silently* start overwriting the hidden partition?"
Generally, this is what Truecrypt will do.
It simply doesn't know about the existence of a hidden container if you mount the normal container.
You have the option of specifying both the normal and the hidden passphrase to mount the volume with "hidden volume protection". Obviously, you would only do this when you are unobserved.
Use a live linux CD as your OS.
Don't use a computer with a hard drive in it.
Use a USB THUMBDRIVE a a storage device or use it as both sorage and an OS such as PUPPY OR SLAX.
Hear loud knocks on the door?
Microwave ovens are hell on thumbdrives.
Also with a little thought you will realise that each bit of meta data and data need only be encrypted once which makes access times considerably faster. Especially if you take the time to ensure no "key stream" reuse, you can pre compute the keys at the begining of a session etc.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.