disco-tech | Discovery Institute's Technology Blog: Privacy Archives

February 22, 2008
Stealing encrypted data

Researchers at Princeton have figured out how to crack encrypted files stored on a computer's hard drive, according to the New York Times.

“Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power,” Edward W. Felten, a Princeton computer scientist, wrote in a Web posting. “Just put the chips back into a machine and you can read out their contents.”

This technique -- which enabled the researchers to retrieve encryption keys from DRAM chips -- can't be carried out remotely via the Internet or a WiFi connection, only if your computer is stolen or seized.

One way to look at this is to lament that one can't be sure anything one stores on their computer is safe. But that's pessimistic -- a bit like lamenting it's too bad someone can't build a ship which can't sink or a vehicle which can't be stolen. Just as it is true that any secret code can be broken, it's equally true there's no limit on the complexity or redundancy one can add to secret codes to make them harder to compromise. Microsoft and Apple suggest how to protect one's personal files in case their computer is stolen or seized:

Austin Wilson, director of Windows product management security at Microsoft, said the company recommended that BitLocker be used in some cases with additional hardware security. That might include either a special U.S.B. hardware key, or a secure identification card that generates an additional key string.

The Princeton researchers acknowledged that in these advanced modes, BitLocker encrypted data could not be accessed using the vulnerability they discovered.

An Apple spokeswoman said that the security of the FileVault system could also be enhanced by using a secure card to add to the strength of the key.


November 9, 2007
Give them immunity

With all due respect for the views of my colleagues (here and here) and commenters at Technology Liberation Front, former Sen. Bob Kerrey had this, and other, mature insights in an op-ed which appeared yesterday in The Hill regarding whether to include immunity for telecom carriers in the Foreign Intelligence Surveillance Act (FISA) reauthorization:

Consider the atmosphere: the president had gone before Congress and said “one vial, one canister, one crate, slipped into this country, could bring a day of horror like none we have ever known.” So if these companies refused to cooperate, by implication, that dark day could be on their conscience. And now they cannot even defend themselves in court, because the details of the investigations remain classified.

Opposition to immunity isn’t aimed so much at punishing the telecom providers, but at obtaining information about what really happened and about reaffirming the significant legal duties that telecom providers have for safeguarding the privacy of their law-abiding customers.

Presumably any judge would have some sympathy for the telecom providers, considering the extraordinary circumstances; still, investors have an irrational fear of legal bills and uncertainty.

Whether the warrantless surveillance was really unconstitutional or not isn’t absolutely clear. The Supreme Court hasn’t said, and some believe the Court might defer to the president who was acting as commander-in-chief to protect the nation’s security. The Fourth Amendment concerns "unreasonable" searches and seizures, and electronic surveillance is routinely conducted on all sides during wartime.

Under FISA, the Foreign Intelligence Surveillance Court can authorize electronic surveillance when there’s probable cause to believe that the target of surveillance is an agent of a foreign power or a terrorist. The argument is that the Bush administration should have invoked this procedure, which would have protected the telecom providers from liability.

But Richard A. Posner observed in February, 2006 that FISA was “dangerously obsolete” because while it allowed electronic surveillance against known terrorists, it couldn’t authorize surveillance for the purpose of identifying potential terrorists and their supporters.

[FISA] retains value as a framework for monitoring the communications of known terrorists, but it is hopeless as a framework for detecting terrorists. It requires that surveillance be conducted pursuant to warrants based on probable cause to believe that the target of surveillance is a terrorist, when the desperate need is to find out who is a terrorist.

Writing in 2005, William Kristol and Gary Schmitt posited the following hypothetical:

A U.S. president has just received word that American counterterrorist operatives have captured a senior al Qaeda operative in Pakistan. Among his possessions are a couple of cell phones -- phones that contain several American phone numbers. In the wake of Sept. 11, 2001, what's a president to do?

Kristol and Schmitt rightly asked where is the evidence, in this hypothetical, to support a finding of probable cause to believe the targets of electronic surveillance, in the U.S., are terrorists?

Who knows why the person seized in Pakistan was calling these people? Even terrorists make innocent calls and have relationships with folks who are not themselves terrorists.

I have no idea if this was the actual justification or not, but it sounds plausible and legitimate to me.

Kerrey makes the logical point that the fight against terrorism will require access by the government to all kinds of personal data:

It is now clearer than ever that to connect the dots in future terror investigations, the government simply cannot do it alone — it must have the full, unwavering support of private industry. The global proliferation and increasing sophistication of terrorist operations means that every private enterprise — from the telecom and tech companies to the car renters and airlines, data-mining and credit card firms, chemical manufacturers and fertilizer retailers — virtually every private concern in the U.S. economy must be willing to help out when a terrorism investigator comes to call.

The possibilities for abuse, given the occasional corrupt politician, careless bureaucrat or scheming corporation, stagger the imagination. Corporations like to curry favor from politicians; bureaucrats are assigned laptops, for some reason; politicians like to leak damaging details about their opponents’ private lives; the list goes on. But the question ought to be whether it’s possible to prevent abuse in most cases while allowing the government every tool to detect and prevent terrorist attacks.

Posner suggested a combination of criminal penalties and evidentiary prohibitions which sound like a promising starting point:

Forbid any use of intercepted information for any purpose other than "national security" as defined in the statute ... Thus the information could not be used as evidence or leads in a prosecution for ordinary crime. There would be heavy criminal penalties for violating this provision, to allay concern that “wild talk” picked up by electronic surveillance would lead to criminal investigations unrelated to national security.

The suggestion is evocative, at least for me, of the Miranda ruling, which addressed the problem of unscrupulous police investigators who conducted coercive interrogations to obtain confessions from innocent suspects. The Supreme Court solved the problem by making improperly-obtained evidence inadmissible and not by prohibiting interrogations or confessions – which the Court recognized were indispensable techniques for fighting crime. I don’t know many who would argue that the Miranda Warning hasn’t worked pretty well.


February 22, 2007
Data retention would be costly

I surmised here that it would be costly for ISPs to retain customer data pursuant to a new proposal in the House of Representatives, and subsequently came upon a news report from a couple years ago in which industry sources predicted the cost of a similar proposal under consideration in the European Union would be quite large:

For AOL, retaining communications data for one year would add an enormous cost, said de Stempel. "There are huge amounts of data involved. AOL has 329m user sessions a day, and its customers send 597m emails, and we're just one ISP." De Stempel said that to save all communications data on its UK customers for just one day would require 100 CDs. "If you multiply that (for a year) it will have an enormous impact on our business."

Further costs would be incurred because an ISP could not simply hand a whole year's worth of CDs (36,000 in the case of AOL) over to police or other law enforcement agency when a request was made because, they say, this would be an offence under Regulation of Investigatory Powers Act (RIPA). RIPA says that any requests for communications data has to be proportional. "We'd have to search for a particular piece of data," said de Stempel.

Clive Feather, an Internet expert at ISP Thus who also gave evidence, said AOL's figure of 36,000 CDs was if anything an underestimate of the scale of the problem. "This is raw data. If ISPs are retaining data so it can be searched later then it has to be organised and indexed," said Feather. "And this would all have to be paid for."

Feather said he had no idea where the government's estimate of £20m for the whole industry came from. "The cost would be £5m to £6m for us alone," he added.

The full article can be found here.

The transcript of the testimony is here.


November 18, 2005
Spyware legislation advances in Senate

The Senate Commerce Committee approved a modified version of S. 687, a bill sponsored by Senator Conrad Burns (R-MT) and Senator Barbara Boxer (D-CA) which would target a variety of malicious practices that include: computer hijacking, spam zombies, endless loop pop-up advertisements and fraudulent software installation. A similar measure (H.R. 29) introduced by Rep. Mary Bono (R-CA) and Rep. Ed Towns (D-NY) has passed the House. The House has also approved H.R. 744, by Rep. Bob Goodlatte (R-VA) and Rep. Zoe Lofgren (D-CA), which addresses criminal penalties and prosecutorial tools related to spyware.

Spyware legislation is beneficial because it will promote consumer awareness and assist law enforcement. But technological solutions to the problem may ultimately prove more important. The industry is working on a number of solutions and requires flexibility to respond to evolving challenges. Lawmakers in both the Senate and House appear to be fully conscious of the danger of unintended consequences from legislating in this area. If the legislation's aims and means are too expansive or are not described with optimal clarity, for example, not only could it kill promising technological solutions but it could also ensnare legitimate applications and services that will make the use of computers more simple and secure for ordinary Americans.

Ratify the Cybercrime Convention

It is already against the law in the U.S. to interfere with someone else's computer or commit traditional crimes with the aid of a computer; however, many countries have gaps in their criminal laws governing computer-related crimes and have become havens for cyber-criminals. Another problem is that electronic evidence of crime is difficult for law enforcers to locate and secure when it crosses borders. A treaty is awaiting final Senate approval that would fully criminalize computer-related offenses in other countries and require each country to have the power to quickly preserve and disclose stored computer data, compel the production of electronic evidence by ISPs, to search and seize computers and data, and to collect traffic data and content in real time. These evidence-gathering and surveillance powers are already provided for under U.S. law.

The Convention on Cybercrime has been criticized on the ground that it could allow a foreign country to collect evidence or eavesdrop in the U.S. -- on who knows what? -- via "mutual assistance." But the evidence-gathering and surveillance powers are subject to conditions and safeguards under domestic law that protect civil liberties, such as the First Amendment.

The Senate should ratify the treaty, which will promote an international minimum baseline in computer-related criminal offenses and law enforcement tools.
