Brit broke anti-terror law by refusing to cough up passwords to cops

Anonymous Coward

The authorities apparently still retain his laptop and phone.

25
0
Silver badge

As an interesting aside ..

Arrive at Heathrow in 2015

Border Agency Goon: 'Excuse me Sir, could you step this way please? It's nothing you have done Sir, you have simply been selected for a random search. Can you please switch on your laptop? Oh, I see you have a security password on your laptop. Would you mind entering it please?'

Me: 'Yes, I would'

Border Agency Goon; rants on about breach of law, up to 5 years in jail plus £10,000 fine. Brings in 2 mates who pick up laptop and shake it, as if that will sort out the password.

Me: 'I would love to give you the password but this laptop belongs to Cabinet Office. Can I call the office please and I am sure they will help you?'

Border Agency zero-hours knuckle-draggers go into a huddle and decide that this is above their pay-grade.

Motto: If you want to deal with people like that, smile, agree, be helpful and slide the knife in gently.

43
1
Silver badge

Re: As an interesting aside ..

Me: 'I would love to give you the password but this laptop belongs to Cabinet Office. Can I call the office please and I am sure they will help you?'

And you had written permission to take a laptop with HMG encryption out of the country?

3
13
Silver badge

Re: As an interesting aside ..

Sorry missed the bit where he didn't say it was encrypted.

And no, you don't need written permission either.

Apart from those points, your comments stand.

15
0
Anonymous Coward

Re: As an interesting aside ..

Well, I have - frequently.

0
0
Silver badge

Re: As an interesting aside ..

Yes, because .. well... it was encrypted. That would be like asking every FCO staffer if they have permission to have a laptop in a foreign country.

1
0
Anonymous Coward

"won the moral argument."

Nobody wins a moral argument because morals are determined by whoever has power.

19
16
Silver badge

Morals are determined by whoever has power? They’re pretty much the only thing that “aren’t” determined by power.

15
0
Anonymous Coward

You're right about the big picture. No comfort for a chap facing a noose because, at precisely this century he was born in, the big picture gave way to "present circumstances".

1
0
Anonymous Coward

There are two types of morals. Those imposed by a social authority and those you choose for yourself.

The former can have several sources which apply in different circumstances. They may overlap and conflict with each other, e.g. government; religion; social societies' mores.

Being seen to go against those powers will lead to external punishment of one sort or another. For conformity you may embrace those morals without apparent question - or even be a fervent supporter. Your only choice is which apparent power you fear most.

Potentially going against your own personal thought-through morals leads to an ethical dilemma that goes to the core of your being. You have to re-evaluate your stance and decide if there is a previously unsuspected nuance that must be accommodated.

8
0
Silver badge

@ Lord Elpuss

"Morals are determined by whoever has power? They’re pretty much the only thing that ”aren’t“ determined by power."

I must disagree. Morals don't actually exist, not in any absolutist form. That is why the greatest deeds and most evil actions can occur with no moral problem. Morality is subjective, which is why it is perfectly ok to tread on people's freedom to maintain freedom and to kill so as not to be killed.

6
5
Silver badge

Re: @ Lord Elpuss

@codejunky

Morals do exist, and the simplest morals are unequivocal; no subjectivity necessary. Kant defined the moral imperative as those societal rules which enable society to prosper if adopted by everybody; e.g. respect for human life. If nobody respected human life we would perish as a race; hence respect for human life is a moral imperative regardless of where you are or what status you have.

And your last statement - no it’s not ok. The fact that it happens, doesn’t make it ok.

3
2
Silver badge

Re: @ Lord Elpuss

I disagree. EVERYTHING is relative; there are no absolutes. And the situation can change the moral compass. Consider "cold equation" situations where there MUST be a choice of who lives and who dies (think like 12 people stranded in the desert but only 2 bottles of water): abdication is not an option, either, as the default is everyone dies. It's not a case of everyone respects human life; it's more a case where the respect for human life is selective. And now you're put in an intractable moral quandary.

4
2
Silver badge

Re: @ Lord Elpuss

@Charles 9

A moral code doesn’t preclude the existence of no-win scenarios. It does, however, determine how you feel about those scenarios. In your scenario, a moral man may have to make a choice about who lives or dies, and that choice may superficially be the same as the choice made by an immoral man, but the morality will determine the “feeling” (Attitudes, values and beliefs, cf Maslow) experienced by the decider. The moral man, believing in the sanctity of human life, will consider any and all alternatives before deciding (and will agonise endlessly afterward); whereas the immoral man will experience far less difficulty and may well ultimately decide on a purely arbitrary or brutally pragmatic basis; and likely suffer far less in the aftermath. Ironically, the hesitation that morality introduces here may well end up being riskier to the group than the ‘immoral but fast’ approach; but that’s a topic for another thesis ;)

3
1
Silver badge

Re: @ Lord Elpuss

@ Lord Elpuss

"Morals do exist, and the simplest morals are unequivocal"

I will need such an example. I have never heard yet of one but I am interested if there is one.

"Kant defined the moral imperative as those societal rules which enable society to prosper if adopted by everybody"

What unequivocal moral rules exist in this category? Everyone seems to have their own morals and that's after cultural, regional, country or religion. Some people believe religion gives you your morals! Different cultures, even if they don't believe in a religion, still believe in certain modesty rules including when a woman is ok to speak/interfere! Many perfect societies have been dreamed up if everyone could be forced to be the same but that is of 1 person's morality when everyone has their own.

"respect for human life. If nobody respected human life we would perish as a race"

Are you sure? When human life is cheap and abundant? How much human life has been killed off and even with a moral standing not including war? You think the communists didn't think they were moral as people starved? People trying to save others' souls because it is morally right regardless of the religion? Or the morality of protecting your own by removing the lives of those who have no regard for others?

"And your last statement - no it’s not ok. The fact that it happens, doesn’t make it ok."

To somebody. But to others it is moral. Every time someone knocks on my door to save my soul and bring me to Christ or on the street to bring me to Allah or anywhere even online to tell me my political leaning is immoral to them because I do not agree with their position which may be demonstrated to kill people. Oddly all kinds of things can be morally justified even if it will be bad.

To save the many we need to take away X freedom. Oh no they adapted we must remove Y freedom. It's for our own good of course. There is a reason this is known as the thin end of the wedge. Or the road to hell is paved with good intentions. And some of the scariest ideas have been morally brought about. Some of the worst atrocities. And because it feels moral or can be justified morally people get sucked into it, good people get sucked into it. And they may feel they are right all along, or they may pass a point and realise it is too far. But it was moral and some will still believe it is even if it involves killing people.

1
1
Silver badge

Re: @ Lord Elpuss

@ codejunky

Happy to talk more on this tomorrow (it’s late now) but in the meantime I suggest a read up on Kant’s Categorical Imperative - four examples of universal morality. From memory these are Suicide, Lying, stealing and one other - I forget. Google for ‘Four examples Categorical Imperative’.

Cheers LE

0
0
Silver badge

Re: @ Lord Elpuss

@ Lord Elpuss

That is an interesting idea, I may read more of Kant later if I get the chance. However, assuming I am reading it correctly, he proposed a different moral system which comes back to his version or view of morality which is not necessarily compatible with another's morality.

Btw I am not in any way agreeing with the gov's actions, I just don't believe in the words moral or fair as they can be used to argue almost anything.

1
0
Silver badge

Re: @ Lord Elpuss

Fair enough, it’s not my place to convince you one way or the other ;) Kant’s definitely worth a read, I tend to agree with the general gist of universal morality but can certainly see why others may not. He can get very esoteric and some of the examples are a little... weird.

Anyway - have a read and see what you think.

Cheers LE

1
0
Silver badge
Big Brother

Defeating Draconian laws

There's due process, which is the route CAGE is taking, but I'm not hopeful. A rational and humanitarian regime would not have introduced such Draconian legislation to begin with. Reversing it will require nothing short of replacing the very foundations of our extremist political system. Good luck with that.

Meanwhile, Rabbani and others can save themselves a lot of hassle by using more clandestine methods to protect their privacy.

It turns out that the old cliché about "security through obscurity" is sadly wrong, given the "rubber hose decryption" era we now live in. Certainly if obscurity is the only layer of "security" then it patently isn't secure, but it is now an essential layer nonetheless.

Encryption is no longer sufficient. Now you also need to hide the encryption. In this scenario I'd recommend whole disk encryption with a hidden volume, with the outer volume containing a "dummy" OS suitably seeded with innocuous data, and the "real" (hidden) inner volume containing the real OS and data.

The upshot is that when Plod (or more likely these days some private contractor with a badge and a gun) demands your password, you happily give it to him, and he decrypts and views a whole bag of nothing (substantial), but it's a sufficiently believable bag of nothing that he doesn't even go looking for the real contents, has no way to prove that a hidden container even exists, and would have no way of decrypting it even if he suspects he might be looking at one.

No it doesn't address the underlying political issue, but in these dark times it's probably the best you can hope for.

49
7

Re: Defeating Draconian laws

Truecrypt or similar?

7
0
Silver badge

Re: Defeating Draconian laws

I wouldn't count on it.

Before coming to the UK, I do a secure erase of my laptop SSD before restoring an Acronis image, and that's for a good reason: So authorities can see that there's really nothing there - just a predictable, repeating sequence (ABCDE...) of characters in each disk sector. On no account will I ever fill a disk with random data before visiting the US or UK.

The danger of using so-called "rubber hose" file systems is that the authorities will expect you to be hiding something roughly equivalent to the amount of "random" data, and even if you aren't, it is impossible to disprove it. After all, "normal" people don't fill their hard disks with random data, do they? Is it worth risking a life spent in prison?

Real terrorists use IPoAC (homing pigeons carrying USB sticks), as they are capable of carrying a practical amount of data (albeit with ~55% packet loss), are not intercepted at borders, and aren't logged - although Nelson's Column may potentially betray some trace data.

24
0
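The contrast drawn in the comment above, between a predictable repeating fill and random data, shown as an added example that is not part of the original thread: a per-sector survey of a constructed disk image. The 512-byte sector size, the 7.0 bits/byte threshold, the 64-byte period limit and the sample image are all assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512          # assumed sector size in bytes
HIGH_ENTROPY = 7.0    # assumed threshold, bits per byte
MAX_PERIOD = 64       # assumed longest repeat length treated as a fill pattern


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def smallest_period(block: bytes, max_period: int = MAX_PERIOD):
    """Smallest p with block[i] == block[i + p] for every i, or None."""
    for p in range(1, max_period + 1):
        if block[p:] == block[:-p]:
            return p
    return None


def classify_sector(block: bytes) -> str:
    period = smallest_period(block)
    if period == 1:
        return "uniform"        # one byte value repeated, e.g. zero fill
    if period is not None:
        return "periodic"       # short repeating fill such as ABCDE...
    if shannon_entropy(block) >= HIGH_ENTROPY:
        return "high-entropy"   # random fill, ciphertext or compressed data
    return "structured"         # ordinary file content


def sectors(image: bytes):
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        yield image[off:off + SECTOR]


def survey(image: bytes) -> Counter:
    """Count how many sectors fall into each class."""
    return Counter(classify_sector(s) for s in sectors(image))


def longest_high_entropy_run(image: bytes):
    """(first_sector, length) of the longest contiguous high-entropy run."""
    best, start, length = (0, 0), 0, 0
    for i, s in enumerate(sectors(image)):
        if classify_sector(s) == "high-entropy":
            if length == 0:
                start = i
            length += 1
            if length > best[1]:
                best = (start, length)
        else:
            length = 0
    return best


def build_sample_image() -> bytes:
    """Constructed 60-sector image: text, zeros, ABC... fill, pseudo-random."""
    lines = (f"{i:04d} invoice line item, amount {i * 37 % 1000}\n" for i in range(200))
    text = "".join(lines).encode()[:8 * SECTOR]
    zeros = bytes(4 * SECTOR)
    alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    pattern = (alphabet * (16 * SECTOR // len(alphabet) + 1))[:16 * SECTOR]
    # Deterministic stand-in for random fill: SHA-256 over a counter.
    rand = b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(32 * SECTOR // 32))
    return text + zeros + pattern + rand


if __name__ == "__main__":
    image = build_sample_image()
    print(dict(survey(image)))
    print("longest high-entropy run (start, length):", longest_high_entropy_run(image))
```

A high-entropy run shows only that a region is not ordinary file data; compressed files, wiped free space and encrypted volumes all score alike, which is the ambiguity the commenters here argue over.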

Re: Defeating Draconian laws

Security 101, do not keep the password with the encrypted data.

Arrange for the password to be held by a third party in another country.

After you arrive safely, unencrypt. When you are stopped at the border, you explain you do not have password so you can not comply. Let them phone the person who does have the key. Ideally this should be a lawyer or a respectable association, or at least someone less likely to have a dawn raid.

Better still, carry the key in person, and send the data over the internet later. A well implemented One Time Pad is unbreakable because there is no pattern to find.

8
0
Silver badge

Re: Defeating Draconian laws

Except, one, consider tight data caps, and two, what if the cops confiscate your pad...BEFORE you can use it?

1
3
Silver badge

Re: Defeating Draconian laws

It's been proven that hidden volumes are detectable and "fairly" easy to find to those that know what they are looking for. Maybe not for your average grunt, but serious agencies can find them.

5
1
Anonymous Coward

Re: Defeating Draconian laws

Yup exactly what I do. I have a second Apple account populated with minimal (but plausible) data, and always restore to this before travelling to the 3rd world (US, UK etc). Then I just restore my real account when I’m at my destination.

Consider it a game and it can be quite fun.

8
0
Silver badge

Re: Defeating Draconian laws

I have a second Apple account

Are you saying that Apple are not subject to the Patriot Act?

2
0
Silver badge

Re: Defeating Draconian laws

Arrange for the password to be held by a third party ...

But how do you prove that you do not have/know the password yourself? That's the problem, the only defence is that you don't have it, and that's something that is not provable - the prosecution don't have to prove that you do have it.

So yes, the absurdity of the law goes as far as you being found guilty because you can't prove that you don't know something which you don't know.

Hence, when this absurdity of a law came out, there were suggestions about emailing (or otherwise getting it onto their computer) an encrypted file to someone (any politician who voted for it would be a good start) and then tipping off the police that they had something to hide.

15
0
Anonymous Coward

Re: Defeating Draconian laws

It's been proven that hidden volumes are detectable and "fairly" easy to find to those that know what they are looking for. Maybe not for your average grunt, but serious agencies can find them.

Link, reference, article? AFAIK, things like Veracrypt (Truecrypt v2) had quite a bit of review from people who know what they're doing. I don't need it, but out of professional interest I would still like to know if this is fact or a deliberately spread rumour to make criminals doubt it's useful.

5
0
Silver badge

Re: Defeating Draconian laws

This is an older one, but there are others:

https://hal.inria.fr/hal-01056376/document

also this has some brief summary:

http://www.forensicswiki.org/wiki/TrueCrypt#Hidden_volumes

The general idea is pattern matching and looking for anomalies in the storage. One way of reducing this apparently is to make sure you use the hidden partition as much as the normal partition as it creates more noise.

Unfortunately the guy who I worked with who could explain it much better left for a much better paid job!

1
1
Silver badge

Re: Defeating Draconian laws

"After all, "normal" people don't fill their hard disks with random data, do they?"

Speak for yourself. So what if I choose to not delete but _wipe_ stuff I no longer need, and that includes periodic "wipe free space" passes? So what if I happen to believe multiple passes of random data are preferable to a uniform same-byte overwrite because it may make reading residual traces of overwritten data harder to read (regardless of whether that's actually true or not)? Is that illegal? Can you say for sure that's not ALL I'm doing there?

0
0
Anonymous Coward

Re: Defeating Draconian laws

A well implemented One Time Pad is unbreakable because there is no pattern to find

A genuine One Time Pad is indistinguishable from encrypted data. They'll expect you to provide the "key" on demand. And if you don't, you'll be in the clink.

2
0

Re: Defeating Draconian laws

I'm dying to hear how they could "fairly" easily find out a random chunk of data on your harddrive is in fact an encrypted volume. Got a source?

1
0

Re: Defeating Draconian laws

You link to a wikipedia page as evidence? :|

0
0
Silver badge

Re: Defeating Draconian laws

"

It's been proven that hidden volumes are detectable and "fairly" easy to find to those that know what they are looking for.

"

Not true. You can show that a hidden volume is possible, and might even show that it is likely to exist, but there is no way to prove BRD that it *does* exist.

But that's beside the point - in the scenario where a goon at a border post demands your password, and you give him a password that unlocks the computer showing a perfectly ordinary & popular OS containing innocuous data, the goon is unlikely to start doing a raw sector analysis of the HDD in order to see whether a hidden volume might exist.

3
0
Silver badge
Headmaster

Re: "hidden volumes are detectable"

The two provided articles are non sequitur.

The first concerns forensic evidence of hidden containers within a running OS, such as VSS records, and has no bearing on booting into a secondary hidden volume, which the OS on the first outer volume knows nothing about (and thus contains zero forensic evidence).

The second is merely an assumption that, whilst booted into a hidden volume, the user might choose to write plaintext data somewhere outside of that volume, leaving a forensic trail that somehow proves the existence of the hidden volume. This is highly speculative, not particularly common (I've personally never heard of anyone doing that), and such an obvious blunder that it's very unlikely that anyone who would go to the effort of setting up an encrypted hidden OS would do it.

Nothing is ever perfectly secure, but I've seen nothing in those articles that would lead me to question the security of properly executed hidden volumes.

4
0
Silver badge

Re: Defeating Draconian laws

This is an older one, but there are others:

https://hal.inria.fr/hal-01056376/document

also this has some brief summary:

http://www.forensicswiki.org/wiki/TrueCrypt#Hidden_volumes

The first is interesting, but assumes that the decoy OS contains "restore points" that have copied parts of the encrypted data of the hidden volume. This is in fact pretty unlikely seeing that the decoy OS will quite possibly not have any restore points, and if it has there is no reason to believe that any restore point would copy data from a part of the HDD that the decoy OS sees as free space. It in any case assumes that the OS is Windows Vista or later, and the best choice for a dummy OS would definitely be Windows XP.

The second is complete nonsense, as it depends on the hidden OS writing data to the decoy OS while it is running, when in fact the hidden OS has no access to the decoy OS so applications running on the hidden OS could never write "e.g. filenames" to the decoy OS.

The thing I was thinking of is that a dummy OS would (a) have a FAT32 file system and (b) not have any recognisable file fragments beyond the limit of a fairly low sector of the HDD. While a HDD that has both these attributes would raise suspicions, they are far from being proof that a hidden OS exists. At best they show that a hidden OS *could* exist.

1
0

Re: Defeating Draconian laws

It is easy to show to an acceptable level you do not have the password, by having the person who has the password, saying what they did, and why, by phone and email. Preferably, with a newspaper on copy. You can pre-plan they wipe the key if you do not arrive problem free.

Note, if the data is on a micro SD, you are less likely to have an issue, as they are just so small.

If you are CAGE and planning to take US soldiers to court for war crimes, or are the partner of a journalist talking to Snowden, you will already be on the list for a home visit.

If you were not before, having good security practices at the airport is likely to put you on the home visit list and possibly on the no fly list. Piss off the man at your own risk.

0
0

This post has been deleted by its author

Silver badge

Re: Defeating Draconian laws

"It's been proven that hidden volumes are detectable..."

There are indeed bugs and operational errors that can reveal them. In the absence of these, it's very hard to prove the existence of such a volume unless you have an opportunity to repeatedly image the disk.

0
0
Silver badge

Re: Defeating Draconian laws

"Truecrypt or similar?"

Several of these packages put the hidden volume at the end of the disk, reading inwards, so a knowledgeable operator can detect the presence. Likewise when the filesystem reports a size substantially smaller than the physical drive's capacity.

The better solution for carrying sensitive information through hostile territory on a laptop or phone is "don't", when you can simply transmit it later.

Alternatively if you're not facing a strip search, 256GB of data fits on a microSD card and a few of those could be stuffed virtually anywhere (including Papillion's charger)

1
0
Silver badge

Re: Defeating Draconian laws

"Speak for yourself. So what if I choose to not delete but _wipe_ stuff I no longer need, and that includes periodic "wipe free space" passes? "

That's not normal: Key to understanding what is normal is looking at what the average computer user does in terms of security - which is not much, to say the least. If what immigration security finds on your system is different to the vast majority of other systems they examine, that automatically makes you suspect - regardless of your reasons.

Do not confuse the average Reg readership with the general public.

1
0
Silver badge

Re: Defeating Draconian laws

Before coming to the UK, I do a secure erase of my laptop SSD

Seem to recall reading an article that said not to do that as it'll shorten the life of the SSD due to all the wear levelling and such that happens. Better to have an encrypted disk whereby a quick format will do the same by removing the encryption key - depending on your choice of OS.

0
0
Silver badge

Re: Defecating on Draconian laws

Surveillance State, I fart in your general direction...

0
0
Silver badge

Obligatory xkcd

20
2
Thumb Up

He should have just emailed it to himself encrypted of course

Really, with the internet there are so many ways to move data, then just carry a clean travel phone. And for the laptop, send all the data over the internet, do a secure delete of data on laptop and restore to a factory reset before coming back to the country.

8
3
Silver badge

Re: He should have just emailed it to himself encrypted of course

What about tight data caps?

1
8

Re: He should have just emailed it to himself encrypted of course

Data caps in the western world are not an issue. Most of us have ADSL or fibre. Plus a monthly unlimited 4G phone with data contract phone is about 30 pounds in the UK and 16 euros in France. There are also data sims for one off needs. For the less well served there is Starbucks and MacDo. You are likely to find such a hotspot in the Airport at each end of your trip.

If you are going to a place without internet "all that you can eat", they are probably not going to give a hard time at the airport to open your PC, except perhaps North Korean.

1
3
Anonymous Coward

Re: He should have just emailed it to himself encrypted of course

Data caps in the western world are not an issue.

They may not be an issue for you personally. They are an issue for a lot of others - with many countries and operators, both fixed and mobile, your "unlimited" data plans get throttled once you reach a certain data volume [e.g. my cable data gets throttled past 2TB/month; my wireless data gets throttled past 50 Mb/month (I am too cheap to pay more than EUR 5 for a data plan)]. Furthermore, in many western countries, "unlimited" wireless plans cost a lot more than 30 quid a month, if they are available at all - take a look at the wireless data pricing in the US or (shudder) Canada.

In most of the world (western or otherwise - I travel a fair bit, and I do not see much of a difference between western countries and places like China, Thailand, or Russia in terms of the wireless internet infrastructure), it is usually not a problem transferring a few gigabytes from your base. If that's all you need - fantastic, and congratulations. If you need more data, carrying it with you is frequently the only practical alternative.

1
0
Silver badge

Re: Cloning my HDD to the Cloud in Starbucks

That'd have to be one helluva big cup o' coffee, at least round these parts, as it'd probably take about a week for a full backup.*

* Based on a typical 1TB laptop HDD, and the average UK internet speed of 16.5 Mb/s.

0
0
Anonymous Coward

So what would have been the case

If he'd dumped all his content, encrypted, in the cloud and committed the URL to memory?

6
0
