It looks like he refused to reveal the password because he knew it would have incriminated him for something unrelated to the original case. Once they got wind of his other activities, he realised the gig was up and disclosed the password.
From a legal perspective, this is a troubling side-effect of a poorly-crafted law. His lawyer should have had the power to negotiate immunity from prosecution for unrelated charges that might have spurred from disclosure during the original process.
That's the least troubling side of this law. The most troubling thing is that you can now be thrown in prison on no more evidence than the presence of a blob of random data on your computer that the police can just claim is encrypted data that you're refusing to give up.
How interesting that they report an irrelevant hyper-detail (the password itself) but not the specifics of what "sophisticated encryption technology" that "GCHQ ... were unable to crack."
Also interesting that a password based on word-and-number games, an approach that has been criticized lately as vulnerable to new attacks using common password fragments, seems to have flummoxed the pros in this case anyway.
Here's one point that I think should be referenced more prominently, maybe in the headline somehow:
Police accessed the memory stick [as part of a counter-terrorism operation] and found it contained ... nothing relating to terrorism or national security.
That is: We convicted this guy of a crime for obstructing a terror investigation, even though he wasn't actually doing that. We used our special emergency terrorism powers to push someone around and make demands that were potentially impossible, but it turned out to be just another false alarm. Of course, the guy we pushed around is a certified scumbag and he doesn't look like the sort of white-bread upstanding citizen that most readers of the article imagine themselves to be, so we can count on you to not get too worked up about the whole thing.
> Also interesting that a password based on word-and-number games, an approach that has been criticized lately as vulnerable to new attacks using common password fragments, seems to have flummoxed the pros in this case anyway.
If you're talking about the Ars Technica article that showed that crackers are using common passages from books and movies, it's worth noting that it's not some kind of issue with passphrases, just the construction of them.
It is not a bad thing to use a passphrase (the Ars article implied that by saying "your long password isn't safe either," or something to that effect.) It is a bad thing to use a passphrase that is not randomly constructed. It's just the same for passwords, and, indeed, cryptographic keys.
It's a numbers game. If it's not random, there's a pattern/bias. If there's a bias, an attacker can exploit that. If there's no bias--i.e. the words of a passphrase were truly randomly selected--then there is no method to crack it more effective than brute force.
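The numbers game described in the comment above, worked through as an added example that is not part of the original thread: it compares a uniformly random choice with a biased one over the same candidate space, from the point of view of someone trying candidates most-likely first. The word list, the 1024-candidate space and the bias (4 popular choices taking half the probability) are constructed assumptions.

```python
import math
import secrets

# Constructed stand-in word list (assumption); a Diceware-style list has 7776 words.
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "garnet", "harbor",
         "iris", "juniper", "kelp", "lantern", "meadow", "nickel", "onyx", "pebble"]


def random_passphrase(words, k):
    """Pick k words uniformly and independently using the OS CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(k))


def uniform_entropy_bits(list_size, k):
    """Entropy of k independent uniform picks from a list of list_size words."""
    return k * math.log2(list_size)


def biased_distribution(n, popular, mass):
    """n candidates; `popular` of them share `mass` of the probability, the rest share 1 - mass."""
    return [mass / popular] * popular + [(1 - mass) / (n - popular)] * (n - popular)


def min_entropy_bits(probs):
    """Bits of security against the single most likely guess."""
    return -math.log2(max(probs))


def expected_guesses(probs):
    """Mean number of guesses needed when candidates are tried most-likely first."""
    ordered = sorted(probs, reverse=True)
    return sum(rank * p for rank, p in enumerate(ordered, start=1))


def success_within(probs, guesses):
    """Chance that the secret is among the first `guesses` candidates tried."""
    return sum(sorted(probs, reverse=True)[:guesses])


if __name__ == "__main__":
    n = 1024
    uniform = [1 / n] * n
    biased = biased_distribution(n, popular=4, mass=0.5)
    for name, dist in (("uniform", uniform), ("biased", biased)):
        print(f"{name:8s} min-entropy={min_entropy_bits(dist):5.2f} bits  "
              f"expected guesses={expected_guesses(dist):7.2f}  "
              f"P(found in 4 guesses)={success_within(dist, 4):.4f}")
    print("6 random words from a 7776-word list:",
          f"{uniform_entropy_bits(7776, 6):.1f} bits")
    print("sample:", random_passphrase(WORDS, 6))
```

With the uniform choice every ordering of guesses is equally good, which is the "no method more effective than brute force" case; the bias halves the average work and gives a coin-flip chance of success within four guesses.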
This was not a special emergency power, this is simply a case of failing to comply with a court order the same as refusing to comply with a search warrant.
There is long-established precedent for compelling the provision of testimony and/or physical evidence within our legal system. Do people seriously think that USB sticks have some special privilege?
If he hadn't've already been convicted of being part of a terrorist cell planning on attacking the nation's infrastructure, I might've cared.
Given that he doesn't share my ideals, or indeed, much like anything I might be open to considering, he can go fuck himself, if you'll excuse my language.
If someone is accused of terrorism (however flimsy the accusation), that's now enough to damn them in your eyes and strip them of their civil rights, that's quite dangerous and open to abuse.
You can now be jailed for withholding a password, without evidence that any crime was committed.
I tried to find where in the article it says anything that might back up "already been convicted of being part of a terrorist cell". The closest I found is where it says: "already in jail for being part of a cell that considered attacking a Territorial Army base in the town.". This sounds a bit like a thought crime to a layman like me and the verbiage flags my weasel alarm. Also, could you clarify where you're getting the term "nation's infrastructure" because all I saw was: "discussing attacking the town's TA headquarters". If we accuse everyone who's pissed off at the town council / home association and starts talking about blowing them up of terrorism, then we'll need a much bigger prison system.
When people you don't like are prosecuted for a thought crime, or something else you won't like good guys being prosecuted for, you don't care. Bad guys may go to hell no matter what!
When people you do like are prosecuted for technically the same thing, you might start caring, but it might be a bit late then.
A bad law is a bad law, no matter if a bad guy or a bad guy becomes its victim. The law seemingly does not care about your notion of 'good / bad guys'. It's not unlike a contagious disease hitting a bad guy. Not caring about this disease is a poor policy, even if you sincerely wish that bad guy to die. The virus is not going to discriminate.
When you protest about a bad law doing a bad thing to a bad guy, you're not doing it for the benefit of the bad guy (unless you're a saint). You're doing it for the benefit of good guys that risk to be hit with the same bad law.
If you genuinely forget the password for any data you encrypt, you are now (by precedent) committing a jailable offence.
This may extend to holding random data. Since ideal encrypted data is indistinguishable from random: prove that you are not withholding the password. Good luck.
I suspect the point here is more what if you had such a device and really couldn't remember the password. Most people would give slightly more of a fuck going to jail for 4 months for forgetting a password.
That said, if those GCHQ bums can't hack it, put the filesystem raw online and offer 50p and a jar of pickled onions to break it, we like a challenge.
The UK has had some really troubling miscarriages of justice related to terrorism. These were so bad they resulted in reform of the law and additional safeguards for suspects being questioned by police.
Police routinely misuse anti-terrorist laws to harass photographers, and this still happens despite the Met police issuing guidance to their officers about not harassing photographers.
People, especially terrorists, need due process of law.
Apt username given this display of judgement and hyperbole.
Please try to remember that the law is blind and is meant to both protect people who do and don't share your ideals. What if some day this law were used against somebody who shares your ideals, what then? Or are you also part of the, "if you've nothing to hide you've got nothing to fear" brigade?
That line is there just to convince you. Anyway, the law either applies to everyone or no one, independently of other things; otherwise they will find a way to convict you just to get what they want.
He chose his passwords well it seemed: $ur4ht4ub4h8 It's not entirely impossible to forget that is it? How are you to prove you did in fact not forget it?
Given the password is relatively simple - remember this is supposed to be one of the premier encryption cracking organizations in the world, GCHQ, here - I think there is a distinct lack of skill (or absence) by GCHQ. He's perhaps being jailed for showing them up.
Alternatively (and more likely I suspect), there is some gamesmanship being played to get shiny new additional super-snooping laws passed because it's needed to cope with all this uncrackable terrorist encryption. See, here's the proof it exists! [edit: sorry, this did not make it clear I'm suggesting it was cracked but found to be irrelevant to the terrorism case. I've expanded in a reply below.]
The UK already has laws making it an offence to have 'have information' 'which may be of use to anyone planning a terrorist offence'. This is so broadly defined that railway enthusiast pictures of trains could fall into it (and have been questioned under it - http://www.telegraph.co.uk/news/uknews/road-and-rail-transpo...)
The UK's unwritten constitution is not worth the paper it's written on. Unfortunately the US written one seems to be about as useful in protecting people's rights these days as the UK one. (See previous HN stories of your choice)
> How are you to prove you did in fact not forget it?
Under the Regulation of Investigatory Powers Act 2000[1] it doesn't matter whether you forgot a password or not. Failure to provide it is against the law.
This Act has proved highly controversial for a number of reasons. The potential for fitting someone up by claiming that they aren't disclosing a password that in reality they can't disclose was one of the civil liberties concerns expressed even before the Act was passed.
It seems like there was a reasonable reason to suspect that the drive might contain actual information that was needed for a serious crime, and a proper procedure was followed to get a court order to get at it.
It's like searching your house. The police should not have the ability to simply decide they want to. But if you were already in prison for terrorist related crimes it hardly seems unreasonable to give them the right to do so.
In many ways this is actually good news: GCHQ couldn't crack the drive. As Snowden said, cryptography still works: trust the math. As long as you can bear the consequences (i.e. up to 2 years in jail if the Police thinks you're up to no good), you can safely save data that nobody else will ever read.
I doubt there are many UK lawyers specialising in this niche area of law stalking the HN forums right now. But you never know :)
I wonder if a big part of the reason for his jailing is that he actually did give them the password in the end - making it less likely that he had forgotten it, and that he was deliberately trying to pervert the course of justice.
Of course, it doesn't help that he did seem to have plenty to hide, and he wasn't in a great position anyway.
This guy had been arrested as part of internal terrorism investigations, i.e. the stick was handled by GCHQ. I bet that they can spot a TrueCrypt or similar scheme in a heartbeat (if anything because it's been a refrain in most pseudo-security fora ever since this law was passed). So no, I don't think it would have helped. That sort of deniability is only good for lighter situations.
So now am I supposed to give my passwords for my encrypted bitcoin wallets, and all my banking access codes? And be happy and relaxed when the police tells me that they will not steal anything?
They already have access to your banking data, they won't need your codes. They would probably be entitled to asking for your wallet password, yes.
Of course they can steal your stuff; it happens with physical evidence (fairly routinely, in many areas - do you really think all that sequestered ganja gets destroyed?), so it can happen with digital stuff too. There are laws and rules about this, but no physical impediment afaik.
Not when you are associated with Terrorism. But in a way, yes. As long as you are not associated with terrorism, then you can not be compelled to testify against yourself. I am not a lawyer, but I do remember reading about a case where a judge said the defendant had to give up his password. So in this case, a deniable encryption scheme would probably suffice. Again, not a lawyer.
Except he eventually gave them the password, which means he didn't just 'innocently' forget his password. However, it looks like he was trying to cover up for fraud rather than terrorism, so maybe he decided that guilty fraudster was better than suspected terrorist.
So he was already sentenced for plotting an attack to kill innocent people: http://www.bbc.co.uk/news/uk-22200133 He was responsible for another home made bomb and he is now a convicted thief and fraudster. There was a suspicion another attack is planned, what's horrible about police taking precautions? That's why we have laws - to protect us, and sure in some situations people may be wrongly accused and detained if society's interest is above and suspicion or crime exists but blame criminals who commit the crimes not the law.
[+] [-] toyg|12 years ago|reply
[+] [-] avar|12 years ago|reply
[+] [-] Lagged2Death|12 years ago|reply
[+] [-] thirsteh|12 years ago|reply
[+] [-] jmackinn|12 years ago|reply
[+] [-] aheilbut|12 years ago|reply
[+] [-] andyjohnson0|12 years ago|reply
[+] [-] exo762|12 years ago|reply
[+] [-] toyg|12 years ago|reply
[+] [-] slashdotaccount|12 years ago|reply
[+] [-] detritus|12 years ago|reply
[+] [-] grey-area|12 years ago|reply
[+] [-] hingisundhorsa|12 years ago|reply
[+] [-] nine_k|12 years ago|reply
[+] [-] ronaldx|12 years ago|reply
[+] [-] Joeboy|12 years ago|reply
I am still bothered that I can be sent to jail for being unable to supply a password, even though I don't know or care much about Syed Hussain.
[+] [-] davidjgraph|12 years ago|reply
[+] [-] Zikes|12 years ago|reply
[+] [-] goatforce5|12 years ago|reply
[+] [-] PaulRobinson|12 years ago|reply
[+] [-] DanBC|12 years ago|reply
[+] [-] igravious|12 years ago|reply
[+] [-] duiker101|12 years ago|reply
[+] [-] digitalengineer|12 years ago|reply
[+] [-] mortov|12 years ago|reply
[+] [-] girvo|12 years ago|reply
[+] [-] Silhouette|12 years ago|reply
[1] https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Po...
[+] [-] callesgg|12 years ago|reply
[+] [-] jbb555|12 years ago|reply
This wasn't some random abuse.
[+] [-] toyg|12 years ago|reply
[+] [-] ceeK|12 years ago|reply
[+] [-] adrianoconnor|12 years ago|reply
[+] [-] toyg|12 years ago|reply
[+] [-] Zikes|12 years ago|reply
[+] [-] gonvaled|12 years ago|reply
[+] [-] toyg|12 years ago|reply
[+] [-] nottrobin|12 years ago|reply
[+] [-] warmwaffles|12 years ago|reply
[+] [-] gannimo|12 years ago|reply
[+] [-] JensRantil|12 years ago|reply
[+] [-] unknown|12 years ago|reply
[deleted]
[+] [-] staticelf|12 years ago|reply
[+] [-] adrianoconnor|12 years ago|reply
[+] [-] _abcd123|12 years ago|reply
[+] [-] hakunamatata|12 years ago|reply
[deleted]
[+] [-] dutchbrit|12 years ago|reply