Security Basics mailing list archives

RE: Judge orders defendant to decrypt PGP-protected laptop - CNET News


From: "Craig S. Wright" <craig.wright () Information-Defense com>
Date: Sat, 21 Mar 2009 07:55:35 +1100

Kurt,
You have a problem with the argument, "My right to my data, including who I share it with, is absolute." You will find 
that this does not hold true anywhere in the world. Absolutes are unworkable in the real world. Even free speech fails 
as an absolute. For example, people have no right to make up stories about somebody else. Absolute free speech would 
include defamation; this is not the case.

Let us take a recent issue with data secrecy, banking. Last week, the Swiss government was forced to bow to pressure 
from the Organisation for Economic Co-operation and Development (OECD) representatives. The Swiss are imposing 
standards for handing over bank data on a case-by-case basis. This will only continue to become more stringent. 

Following the introduction of the US Patriot Act, the laws against money laundering have been strengthened. There are 
increased penalties and access to data has been mandated in many cases. One of the issues that has led to these changes 
was the same that resulted in a US government fine of $100 million imposed against UBS. When US soldiers in Iraq 
uncovered many hundreds of millions of dollars in illegitimate cash concealed in the walls of Saddam Hussein's palaces, they 
were able to trace this back to funds managed by UBS. Tax crimes and fraud are only one aspect of this.

All of this is related to access to data. Hiding data does not privacy make. 

Freedom as is being touted blooms best without corruption. Corruption grows in the dark. (my newsbyte :)

"But those are just bits on a platter."
Now I see an argument from reductionism. Again flawed.

We are just atoms and energy arranged into a recognisable structure (as is a hard drive). The reduction argument fails 
as all things reduce to the same matter.

"The means to freedom is resistance to tyranny, whenever feasible."
Great newsbyte, flawed argument. What has been called the "sunshine principle" is in fact a constituent of freedom. You 
of course have the "tyranny of the masses" with democracy. Where does the argument end?

And to the original issue.

The police do not need to find abused children to prosecute child porn. In fact, many jurisdictions treat simulated CP 
as criminal.

"What was presented, and what I was defending, was a specific technique
for keeping data secure."
What you touted was destruction of evidence. First, it is not a method that works 100% of the time; next, it is a crime 
in most jurisdictions. As such, the response is a promotion of criminal actions.

Cutting an SD card DOES NOT make data unrecoverable.
Heating it may or may not destroy data (this is down to luck).

In either case, you compound the issue, not fix it.

On top of this, "cat /dev/urandom > /dev/sda1" is a wipe. This is a way of destroying data. That is from all eyes.

I would not place so much faith in not being able to determine the difference of a pseudo write and a good encryption 
algorithm. You may just happen to find that repeated runs of /dev/urandom from the same system have heteroscedastic 
properties that can be correlated. You may just find that entropy calculations can help determine the distinction of 
pseudo-random and encrypted data.

...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd
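
Added example (not part of the original post or thread): the per-block entropy calculation mentioned above, paired with a chi-square uniformity statistic, run over a constructed three-block image. The block size, thresholds and sample data are assumptions; wiped and well-encrypted blocks both score near the maximum on these two measurements.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # bytes per analysed block (assumed size)

def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 (constant) up to 8.0 (uniform)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def chi_square(block: bytes) -> float:
    """Pearson chi-square against a uniform byte distribution (255 d.o.f.)."""
    expected = len(block) / 256
    counts = Counter(block)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def classify(block: bytes) -> str:
    h, chi = shannon_entropy(block), chi_square(block)
    if h == 0.0:
        return "constant-fill"
    if h > 7.9 and chi < 400:  # illustrative thresholds for 4 KiB blocks
        return "random-looking"
    return "structured"

def survey(image: bytes) -> list[str]:
    """Classify every full block of a raw image."""
    return [classify(image[i:i + BLOCK])
            for i in range(0, len(image) - BLOCK + 1, BLOCK)]

def constructed_random(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for wiped or encrypted data (SHA-256, counter mode)."""
    chunks = (hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(chunks)[:n]

# Constructed sample image: zero-filled block, log-text block, random-looking block.
SAMPLE = (
    bytes(BLOCK)
    + (b"Mar 21 07:55:35 host sshd[411]: session opened for user alice\n" * 80)[:BLOCK]
    + constructed_random(BLOCK, b"sample")
)

if __name__ == "__main__":
    for idx, label in enumerate(survey(SAMPLE)):
        blk = SAMPLE[idx * BLOCK:(idx + 1) * BLOCK]
        print(idx, label, round(shannon_entropy(blk), 3), round(chi_square(blk), 1))
```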



-----Original Message-----
From: Kurt Buff [mailto:kurt.buff () gmail com] 
Sent: Saturday, 21 March 2009 5:52 AM
To: craig.wright () information-defense com
Cc: security-basics () securityfocus com
Subject: Re: Judge orders defendant to decrypt PGP-protected laptop - CNET News

Ah.

You want a serious argument.

While I'm grateful for the historical review, I've read Conquest and
many others, including the several books by a Soviet defector whose
name escapes me at the moment - Viktor something, who described the
GRU and other Soviet agencies. I have some vague inkling of what true
repression is about.

But mine is not a slippery slope argument. As a free individual, my data
is *my* data. If they can bludgeon it out of me, that's damned
unfortunate, but it's a consequence of living in the real world. My
right to my data, including who I share it with, is absolute.

What was presented, and what I was defending, was a specific technique
for keeping data secure. Risk of consequences must be judged by the
actor.

Getting back to the specifics of the case that started this thread,
the supposition is that he's hiding child porn. Bummer. Despicable,
even. But those are just bits on a platter.

If the police want to prosecute something, let them do their work, and
find the abused children, and make their case for real.

And really, the debate, as we've shown, isn't about child porn, it's
about hiding data beyond the reach of authorities.

The means to freedom is resistance to tyranny, whenever feasible.

Kurt

On Fri, Mar 20, 2009 at 03:21, Craig S. Wright
<craig.wright () information-defense com> wrote:
Slippery slope arguments as to how bad it can get such as this are inherently flawed.

True, you are playing a different game with some groups (and the KGB stopped existing well over a decade ago and I 
would think you mean "SMERt SHpionam" for what you are implying as the group in the former Soviet bloc countries). 
KGB, Komitet Gosudarstvennoy Bezopasnosti (Committee for State Security) was a state police force (in the 
real-non-bond world) and as a suspected individual not of a civil bent (i.e. not Russian) you would likely face the 
Glavnoye Razvedyvatelnoye Upravleniye (GRU) - sorry Bond has it wrong (that is, the KGB and Jimmy Bond are a bad mix).

The GRU (which roughly means the Chief Intelligence Directorate of the General Staff) would have you directed to the 
Fifth Department for electronic intelligence collection under the: Radio Intelligence Regiment communications 
intercept (SIGINT) regiment. This is under a presumption that a key exists. This is if you can show an out. That is 
you have NOT destroyed it.

Had you gone about destroying data, this would have you moved from the Fifth Department to the Third Department 
(Spetsnaz). Spetsnaz was responsible for psychological interrogation. Trust me, the third was not a choice you would 
have made with foreknowledge. The fifth was a better option. Both may be a descent into Dante's lower circle, but the 
5th is the outer ring whereas the 3rd would see a visit with Judas. (Both in the Fifth Directorate for 
clarification).

The issue is that encryption itself is illegal. Your destroying the key will make it worse, but you are fooling 
yourself if you think this an aid in such a regime.

So as for your "different game" - you are correct in asserting it as a different game. However, what you have missed 
is that by destroying evidence in this scenario, you have NOT found a means to freedom.

...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd


-----Original Message-----
From: Kurt Buff [mailto:kurt.buff () gmail com]
Sent: Friday, 20 March 2009 12:08 PM
To: Craig S Wright
Cc: security-basics () securityfocus com
Subject: Re: Judge orders defendant to decrypt PGP-protected laptop - CNET News

Under normal circumstances, you are correct.

However, when dealing with the rough (!) equivalent of the KGB, Stasi,
whatever, you're playing a different game.

Just saying.

Kurt

On Thu, Mar 19, 2009 at 17:04, Craig S Wright
<craig.wright () information-defense com> wrote:
10 years plus The original charge or even more

Basically the jury can be instructed to treat the destroyed evidence as
containing the most highly incriminating evidence possible.

It is never better to destroy evidence

Sent from my iPhone

On 20/03/2009, at 10:23, Kurt Buff <kurt.buff () gmail com> wrote:

While true, the penalty for doing this may be much less than the
penalty that would be imposed if the data is sufficiently
embarrassing.

Kurt

On Thu, Mar 19, 2009 at 14:01, Craig S Wright
<craig.wright () information-defense com> wrote:

The intentional destruction of evidence is a crime.

US law varies by state, but as an example, Australian federal law and
Victorian state law would make this a criminal act that would itself be
punished and also result in an instruction for the jury to treat the now
inaccessible evidence as holding definitive proof of what you are being
checked for in the first place.

Your strategy makes you a criminal. It does not gain any benefit.

Regards,
Dr. Craig S Wright LLM. GSE-Malware...

On 18/03/2009, at 20:04, Aarón Mizrachi <unmanarc () gmail com> wrote:

On Sábado 07 Marzo 2009 18:14:51 Shailesh Rangari escribió:

Steve,

I agree that there is a real possibility that a said user may forget
the password owing to numerous reasons,
But I am not aware of any technique that can prove beyond a reasonable
doubt that the user has really forgotten his password or is pretending
it to avoid a sentence.
Seems like the case is bound to set a precedent in the interpretation
of this law. Any which ways it would be worthwhile to observe whether
the US courts follow a similar course of action as their UK
counterparts.


two factor authentication with micro-sd memory card that you preserve
all the time with you, and can be eaten when you feel angry, or can be
incinerated if you smoke it on a cigar, or simply drop it. this sd memory
card will contain bootstrap and encrypted key for two-factor cypher.



http://upload.wikimedia.org/wikipedia/commons/8/8a/Cigar_tube_and_cutter.jpg
(Over 200 celsius degrees!!!)

Then, the hard drive will only contain: RANDOM DATA.

This is plausible?, this could be insulting for the judge, but, you must
allege that before the raid, you do a "cat /dev/urandom > /dev/sda1"
for a maintenance purpose from a live cd... (i really did it before selling my
hard drive to prevent credit card and other private info leakage).

Look at:

http://www.guardian.co.uk/technology/2009/jan/08/hard-drive-security-which

This is plausible. You didn't consider your hard-drive as evidence
before the judge starts, because you never did anything barely legal.

