Constitutional showdown voided: Feds decrypt laptop without defendant's help

[Mirrorshades]

Constitutional showdown voided: Feds decrypt laptop without defendant's help
By David Kravets February 29, 2012

http://arstechnica.com/tech-policy/...t-defendants-help.ars?comments=1#comments-bar

Colorado federal authorities have decrypted a laptop seized from a bank-fraud defendant, mooting a judge?s order that the defendant unlock the hard drive so the government could use its contents as evidence against her.

The development ends a contentious legal showdown over whether forcing a defendant to decrypt a laptop is a breach of the Fifth Amendment right against compelled self incrimination.

The authorities seized the encrypted Toshiba laptop from defendant Ramona Fricosu in 2010 with valid court warrants while investigating alleged mortgage fraud, and demanded she decrypt it. Colorado U.S. District Judge Robert Blackburn ordered the woman in January to decrypt the laptop by the end of February. The judge refused to stay his decision to allow Fricosu time to appeal.

?They must have used or found successful one of the passwords the co-defendant provided them,? Fricosu?s attorney, Philip Dubois, said in a telephone interview Wednesday.

He said the authorities delivered to him Wednesday a copy of the information they discovered on the drive. Dubois said he has not examined it.

The development comes a week after a federal appeals court ruled in a separate case that forcing a criminal suspect to decrypt hard drives so their contents can be used by prosecutors is a breach of the Fifth Amendment right against compelled self-incrimination.

It was the nation?s first appellate court to issue such a finding. The Supreme Court has never dealt directly with the issue.

The decision by the 11th U.S. Circuit Court of Appeals said that an encrypted hard drive is akin to a combination on a safe, and is off limits, because compelling the unlocking of either of them is the equivalent of forcing testimony.

Judge Blackburn, however, was not legally bound to follow that precedent, because he sits in the circuit covered by the 10th U.S. Circuit Court of Appeals, which had refused to review his decision.

The woman and her ex-husband co-defendant, Scott Whatcott, are accused of filing fraudulent documents to obtain home titles and selling the houses without paying the mortgage. Dubois believes Whatcott supplied the password to the police.

Dubois had suggested in an earlier interview that Fricosu may have forgotten the password, and faced potential contempt charges had she not decrypted the hard drive by Wednesday.

Lessons Learned:

1) Never share your passwords with ANYONE, even your wife, husband (or partner).

2) Never re-use passwords, ever.

3) Use an encrypted password manager program to help generate and store your passwords.

4) Protect your stored password database with a strong passphrase -- I recommend using Diceware. 8-10 words should be sufficient. See http://www.diceware.com/

5) Memorize your passphrase -- don't write it down anywhere -- keep it where it belongs, only in your head.

6) If at all possible, use full-disk encryption.

The reason for this is, if your computer is ever seized and examined, the forensic examiners will use software to scour your drive looking for keywords to construct a custom database of terms that they will use in an attempt to crack open any encrypted drives/files they come across. If the entire disk is encrypted, they can't:

1) Boot your computer without the passphrase;

2) They also cannot transfer your drive to another machine, to examine it there; they also can't run another operating system (e.g. a Live Linux distro) to use that to mount the drives. This is a technique that if frequently used to by-pass WIndows file permissions. Windows may not let an investigator into certain files, but Linux doesn't pay attention to Windows file/folder permissions.

The heart of the problem is, people are lazy, and all too often, they fail to use appropriate password/passphrase discipline. People will do things like use the names of pets, former spouses, hometowns, nicknames, things related to hobbies etc. as passwords. Investigators know this, and they will learn all they can about you and your background to build-up a list of such things that they can use to help break your security. In one case where a man's computer was seized, the man was a motorcycle fanatic -- they used a dictionary of motorcycle-related terms to crack open his encrypted files. Similarly, a man in England was an equine enthusiast. His password was discovered to be an obscure term related to a part of a horse's tack (the stirrup).

What appears to have happened in the Fricosu case, is that she must have given her password/passprhase to her husband, who was also indicted. The Feds pressured him to give it up. Don't share your passphrase with ANYONE -- that includes, your spouse, your kids, your best friend. If Fricosu hadn't given her hubby her password, he would never have had it to give up.

That is why using something like Diceware to generate a passphrase for your password database, and your PGP keyrings is SO important. If you follow the instructions, even if the authorities KNOW that you were using Diceware, they still can't determine your passphrase.

With respect to item 5) I would add one caveat -- it is ok to write down your passphrase, but only keep it written down for as long as it takes to commit it to memory.

Mirrorshades