AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Data Encryption Software Leads To Jail Time For UK Schizophrenic

A UK man has been sentenced to nine months in jail for not revealing the password to his encrypted data.  This was authorized under Part III of the Regulation of Investigatory Powers Act (RIPA), which makes it an offense not to reveal passphrases to information protected with encryption software like AlertBoot.

While such a move would normally stir arguments in and of itself--in the US, as far as I know, you can't be jailed for not revealing your passwords...something about the right not to incriminate yourself--further controversy has been added because the man suffers from schizophrenia.  Or at least, that's the claim of The Register.  It's known that the man had a mental condition, but they are the first to report the actual condition this man suffers from.

Regulation of Investigatory Powers Act

RIPA went into effect in October 2007.  Under Part III of RIPA,

"...a suspect [is given] a time limit to supply encryption keys or make target data intelligible. Failure to comply is an offence under section 53 of the same Part of the Act and carries a sentence of up to two years imprisonment, and up to five years imprisonment in an investigation concerning national security."

The law was passed in order to combat terrorism and other serious crimes.  There was an outcry then, and there is an outcry now over this law.  As some have pointed out, this latest incident won't lead to more supporters.

The clichéd reasoning behind justifying such a law is, if you've got nothing to hide, decrypting any protected information for the authorities to inspect is not a problem.  (The technical reason for such a law?  With modern technology, it's become nearly impossible to crack an encryption program.)

On the other side are the ones arguing, well, forget about unreasonable searches and the right not to incriminate oneself (perfectly valid concerns in any democratic state), what if you honestly don't remember the password?  If you're in the habit of encrypting a design for the world's best toaster-oven because you're afraid of industrial espionage, and happen to forget the password to unlock it...should you go to jail for it?  Just because some guy at the airport thinks you're suspicious-looking?  After all, this airport security-guy may think, quite correctly, it's encrypted data, so it could be anything.

Who's in the right?  Probably both sides.  On this particular case, though, I'd probably side with the "unreasonable search" crowd.  If you read The Register's account, it's quite clear that the police had nothing on this guy.  Ultimately, he was charged with not cooperating with the police and other related matters.

Encryption Cracked?

There was one thing of note to me, personally.  From The Register's article: "One file encrypted using software from the German firm Steganos was cracked, but investigators found only another PGP container."

Per Steganos's website, they seem to have only one file encryption product: Steganos Safe.  The encryption algorithm behind it is AES-256.  Either the investigators above got extremely lucky, or what they managed to do is correctly guess the password that gives access to the encrypted information (which also requires a certain degree of luck).

This is not Steganos's fault.  All encryption programs, even AlertBoot, will fall to brute-force attacks (where passwords are guessed at, again and again) if a short or easy-to-guess password is used to secure access to encrypted data.

(And, the case illustrates the fact that encryption, in fact, does work: notice how the product from PGP could not be accessed.  It probably also used AES-256; my guess, though, is that our jailed guy didn't use the same password, so the authorities came to a dead end.  Hence the arrest and incarceration.)
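To put numbers on the brute-force point above, here is an added example (not from the original post or from any vendor) that compares the work needed to guess a password with the work needed to guess an AES-256 key. It goes slightly beyond the post by also modelling key stretching; the guess rate, the sample password policies and the iteration count are assumptions chosen for illustration.

```python
import math

AES_KEY_BITS = 256             # key size the post attributes to Steganos Safe
ASSUMED_GUESSES_PER_SEC = 1e9  # assumption for illustration, not a measured rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def password_bits(length, alphabet_size):
    """Entropy in bits of a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def effective_bits(length, alphabet_size, kdf_iterations=1):
    """Work to open the container: the cheaper of guessing the AES key or
    guessing the password. Key stretching multiplies the cost of each
    guess, which adds log2(iterations) bits."""
    stretched = password_bits(length, alphabet_size) + math.log2(kdf_iterations)
    return min(AES_KEY_BITS, stretched)

def years_to_exhaust(bits, guesses_per_sec=ASSUMED_GUESSES_PER_SEC):
    """Worst-case time to try every candidate at the assumed rate."""
    return 2 ** bits / guesses_per_sec / SECONDS_PER_YEAR

def min_length_for(target_bits, alphabet_size):
    """Shortest random password whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

# Constructed sample policies: (label, length, alphabet size)
SAMPLES = [
    ("8 lowercase letters", 8, 26),
    ("8 printable ASCII", 8, 94),
    ("16 printable ASCII", 16, 94),
    ("40 printable ASCII", 40, 94),
]

if __name__ == "__main__":
    for label, length, alphabet in SAMPLES:
        bits = effective_bits(length, alphabet)
        print(f"{label:22} {bits:6.1f} bits  {years_to_exhaust(bits):.3g} years")
    print("length needed to match the key:", min_length_for(AES_KEY_BITS, 94))
```

These figures assume randomly generated passwords; a password a person picks from words or dates has far less entropy than its length suggests, so treat the results as upper bounds.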


Related Articles and Sites:
http://www.theregister.co.uk/2009/11/24/ripa_jfl/print.html
http://www.geek.com/articles/news/uk-man-jailed-for-failing-to-surrender-passwords-20091125/
http://www.steganos.com/us/products/data-security/safe/overview/

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.