How you choose a password and the difficulty of cracking encryption are two separate and unrelated issues. If you use a login password (no matter how “strong”) to control access to your computer or other device, you may be in for an eye-opener. One example:
However, some people (not many) use a true total-hard-disk encryption solution such as PointSec (most often an enterprise solution). However, even PointSec can be cracked.
Make sure the friend actually smashes it into tiny fragments. There are companies that specialise in recovering data from hard drives that have been smashed up / melted / dunked in water.
(Obviously not all data can be recovered from such drives, but a surprising amount can be)
I am not a PC person, so this information might be out of date, but a few years ago, windows password cracking evolved to be a useful database speed test. Windows used(I hope they have improved) a relatively simple static encryption algorithm. As a result a given cleartext password always looked the same when encrypted. It was probably crackable as is, but I doubt anyone tried. The number of combinations of allowed characters is in the low billions. People have created data sets of every possible Windows password. These datasets are used in speed tests of database programs. Last I read, any windows password could be discovered in less than 3 seconds. Which is a fast database for sure. So 14 seconds might be fast, but it isn’t the fastest.
If this information is out of date, hopefully someone will be along to gently correct me. 
Contempt of court can last years. When a court jails someone for refusing to comply with its orders, it is said that the contemnor holds the key to his own jail cell – that is, he may purge himself of the contempt at any time simply by complying.
We learn this lesson from the saga of Elizabeth Morgan. A successful plastic surgeon, Dr. Morgan’s divorce from her husband was spiked by her accusation that he sexually abused their young daughter. When the husband was awarded visitation rights despite this claim, Morgan took her daughter out of the jurisdiction and refused to comply with the court’s order. A judge jailed her until she decided to change her mind… and she did not. She remained jailed two years, until Congress passed a law limiting civil contempt incarcerations in custody cases – a law that was later overturned by the courts.
Yep, it’s at least woefully out of date :). It may have been true of Windows 95 or Windows 3 or something.
It’s true that it is easy to *replace *a Windows password, but that is no use if you’re trying to break in to a Windows-encrypted volume where the key is based on the old password. The encryption used is just as good as anybody else’s.
As for methods for cracking full-disk encryption schemes such as PointSec, they all rely on somehow reading RAM directly, which is pretty difficulty unless you have intimate access to the PC while it is running. The FireWire thing doesn’t work if you use the pre-boot verification option, besides.
“May.”
Or you may not. The article you quote is quite correct that simply relying on a strong Windows password is useless if the device itself is under someone else’s control.
But that’s why the earlier discussion here centered around disk encryption.
This story points out the weakness in storing the PointSec private key and allowing the system to boot up automatically. A pre-boot PointSec authentication step, with a strong password, is not vulnerable to a FireWire or other DMA-type exploit.
This is potnetially a bit out of date. Windows has a couple of possibilities for storing hashed passwords. One of them is NTLM, which suffers from the flaws you mention. There is a newer protocol, NTLMv2, which is not as weak but is still vulnerable to the weakness of lacking a salt to the hash and is therefore vulnerable to the rainbow table you mention. However, it’s not “every possible Windows password.” I’ve seen a 64 GB rainbow table set for every possible Windows password under 16 characters long.
But the way to defeat that is to use a much longer password. I use passphrases that change every month. One recent Windows password on my home network was:
It ain’t the hunting what hurts the horses’ hooves, but the highway!
That’s easy to remember and type, but it’s more than fifty characters long. It can’t be brute forced in years. And it’s only valid for a month before I change it.
Actually, it’s still true of Windows XP, as long as XP is using NTLM hashes, which it does by default for passwords of 8 characters or less. In fact, I think it does for passwords of 16 characters or less, by breaking the password into two eight-character NTLM hashes. XP will automatically hash longer passwords as NTLMv2.
I stand corrected. Not quite so out of date then.
It seems they've exhausted all of their resources (Scotland Yard and maybe FBI included) and still can't break his encryption code.
The UK’s anti-encryption laws are interesting though considering…
Wow! Talk about scare tactics! Those two terms can sure push things along.
Is the case against him so weak that the only evidence against him is in some encrypted files on his own computer? If he is guilty prove it, but don’t expect him to give you the rope the noose.
I have two passwords on my computer
“password” unlocks it and “secret” slags all of the data. Forgetting about forensic data recovery for a minute, if a cop asks me what my password is, would it be illegal to say “secret”?
Under what circumstances are you being asked?
I’m really curious and since Saint Cad hasn’t replied, I’ll bite.
Let’s say you’re under arrest and they’re looking for evidence against you - they think you’re a terrorist.
Off the top of my head, I’d say that might expose you to a tampering with evidence type charge…
Yes, they can force you if it is important enough for them.
(Note: 16 month old thread.)
There have been a pair of Appeals Court rulings in the last few days. In one case, the 10th U.S. Circuit Court of Appeals ruled that a defendant must decrypt her laptop, and in another, the 11th U.S. Circuit Court of Appeals ruled that a suspect did not have to decrypt his laptop. There are some differences between the two cases, so they might not be the complete contradiction they seem to be just from the headlines.
The first case may have some interesting developments soon. She is supposed to decrypt the laptop by the end of the month, but they say she may have forgotten the key. If it’s not decrypted in a few days, the judge may have to determine whether she really did forget the key or if she’s only saying so to avoid complying with the order. How he’s supposed to determine that is beyond me.
In the Vermont case, the suspect had unlocked his laptop and the border agents saw the incriminating photos. Once it was shut down, they could not access it.
In the Colorado case, they have a recorded conversation where she tells someone (her husband, IIRC?) that the files are on the encrypted disk.
In the last case, there is no evidence in the article that the authorities are sure there is anything illegal on there, they just suspect there is.
The analogy is “unlocking a safe” or a safe deposit box. However, in both cases, the analogy breaks down in that the authorities are ale to eventually drill out any locked container without cooperation. The question is, are they requiring you to testify, or to just produce any physical material (I.e. not in your head) they already know exists.
the other question is, they cannot comple you to tell the password, but you must unlock the files (according to one legal analysis I read). How this would work and then they would guarantee that the results are correct, I don’t know.
I think that this will eventually get to the SCOTUS and the question will be, is requiring a password more like a demand for documents or more like requiring self-incriminating testimony.
I remember a discussion here a year or 2 ago where the consensus seemed to be that the police had the absolute right to tag your vehicle with a locator beacon. Unfortunately, our resident pundits got that one wrong as the recent SCOTUS decision demonstrated.
I suspect that with this court, they will be more likely to regard this as a 5th amendment violation and prohibit anyone from being compelled to reveal a password. I think part of the argument in favor of such a result will be the fact that to a greater and greater extent, digital storage is an extension of our memories in a fluid and dynamic way that physical storage is not.
If anyone would like to take the other side of this argument, consider the following hypo. With fMRI’s, we are getting close to being able to read your thoughts and even closer to being able to tell if you’re lying or telling the truth. Would requiring a defendant to submit to such an fMRI be a 5th amenment violation?
I’m not an attorney but cf.
Refering to the Hiibel case of 2004, the above case is not cited, but Berkmer v. McCarty is. That case stated that a traffic stop is NOT custodial for purposes of Miranda.
Another case I have in my head but not the name right now, is that routine booking questions at the station after arrest, name, age, etc., do not trigger the 5th AM, as a comparison to a traffic stop case, but still concerning the 5th.
Since the 4th AM protects people and not places, that point is without legal merit.
Assest forfieture requires Due Process of law, they simply can’t SEIZE property as you suggest without triggering the 4th AM.