Baffling the FBI
Anyone who watches the American cop shows knows the FBI has wizards who can hack any computer and crack the toughest encryption in seconds. And if it's on TV then it must be true. Or is it?
Two years ago in Brazil, police raided the apartment of banker Daniel Dantas who was suspected of financial crimes, and seized five hard drives from his computers. The drives were encrypted using TrueCrypt, a free encryption package that anyone can download. Police set about trying to decrypt the drives using a "dictionary attack" to find the password. After five months they admitted defeat and asked for a favour from the FBI. The FBI put its best minds on the job but after more than a year of trying, they too decided the encryption was uncrackable.
This case illustrates where real security is found. TrueCrypt is Open Source software. Anyone can look at the code and see which algorithms it uses, but without the right password it is impossible to decipher the files, even with all the resources of the FBI. The key here was that Dantas did not use an easy-to-guess password, or even a hard-to-guess password. He didn't use his birthday or girlfriend's telephone number. He didn't use his name spelt backwards and think no-one would ever guess it. He didn't use the same password as he uses for his email, his Facebook account and his logon to his favourite online forum. He probably used an impossible-to-guess random mixture of numbers and letters and, most importantly, he committed it to memory and didn't make the mistake of writing it down somewhere in case he forgot. It is people, not software, that are the weak link in security.
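The password habits the article lists (dictionary words, names spelt backwards, birthdays and phone numbers, reuse across accounts, anything short) can be turned into a simple check that runs before a password is ever used. This is an added example, not code from the article or from TrueCrypt; the wordlist and the guess rate are constructed assumptions, and the entropy figure is only an upper bound that holds when the characters really are chosen at random.

```python
import math
import re
import string

# Constructed stand-in for a cracking wordlist; a real one holds millions of
# entries, which is exactly what makes dictionary words a poor choice.
SAMPLE_DICTIONARY = {"password", "secret", "letmein", "daniel", "dantas", "brazil"}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_keyspace_bits(pw: str) -> float:
    """Upper bound on the search space if every character were chosen uniformly
    at random from the character classes the password actually uses."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)  # the 32 ASCII symbols
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def assess(pw: str, dictionary=SAMPLE_DICTIONARY, other_passwords=()) -> dict:
    """Flag the habits the article warns about; return findings and an entropy bound."""
    lowered = pw.lower()
    weaknesses = []
    if lowered in dictionary:
        weaknesses.append("dictionary word")              # falls to a plain wordlist
    if lowered[::-1] in dictionary:
        weaknesses.append("reversed dictionary word")     # wordlists are tried reversed too
    if re.fullmatch(r"[\d\s/.\-+()]{6,16}", pw) and sum(c.isdigit() for c in pw) >= 6:
        weaknesses.append("looks like a date or phone number")
    if pw in other_passwords:
        weaknesses.append("reused from another account")  # one breach opens them all
    if len(pw) < 12:
        weaknesses.append("shorter than 12 characters")
    return {"weaknesses": weaknesses, "bits": random_keyspace_bits(pw)}


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate (assumption:
    the attacker's rate is supplied by the caller; the article gives no figure)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR
```

A twelve-character random mixture of all four classes scores about 79 bits, and even at a billion guesses per second that is far beyond the year and a half the article describes.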
It should be pointed out that under UK law you would be compelled to disclose passwords of encrypted files to the police and failure to do so is a criminal offence. Claiming you have forgotten the password is not an allowable defence. Unusually for the UK, where encryption is concerned you are presumed guilty unless you can prove yourself innocent.
23rd July 2010
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are original content.