Re: [Hampshire] [OT]Hand over your crypto key or else

Author: Philip Stubbs
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] [OT]Hand over your crypto key or else
* john (jee@???) wrote:
> On Wednesday 21 November 2007 18:09:09 Vic wrote:
> > > There are crypto programs which use 100 random character passwords (each
> > > character using 250 characters of the ASCII character set). The
> > > passwords are in a file which is encrypted. If the file gets damaged you
> > > lose your passwords.
> > >
> > > There is no way you can remember the password. The programs have been
> > > designed this way.
> > >
> > > Can give a demo of such a crypto program.
> >
> > You miss the point.
> >
> > It's not the difficulty of remembering the key that matters.
> >
> > It's not whether you store the key in your head or in a key-safe programme.
> >
> > The salient point is that if you do not surrender the key to the
> > authorities on demand, or else provide a cleartext version[1] of the
> > encrypted lump, they can send you to prison.
> >
> > The way you generate your keys has little importance in comparison to the
> > loss of your liberty *just because some plod thinks something might be an
> > encrypted file, even if it's not*. Failure to decrypt something that
> > cannot be decrypted (because it is just rubbish - not an encrypted file at
> > all) is a criminal offence under RIPA. Don't think they won't use those
> > powers...
> >
> > Vic.
> >
> >
> > [1] Quite how the Police Farce are going to prove that some random text is
> > unrelated to the encrypted lump is beyond me; I expect it's down to the
> > defendant to prove his innocence again, though.
>
> No I have not missed the point. If the key is unavailable because it has been
> deleted and the key is 100 random characters long then the authorities cannot
> expect you to produce something that is impossible to give them.
>
> It is up to you to show the judge and a jury how a password was produced. It
> is up to you to show a judge and jury that the passwords that your program
> uses are impossible to remember. If the password produced demonstrates to a
> jury that it is something impossible to remember then you are halfway there.
>
> The law deals with intent. The law is required to show that you deliberately
> deleted your password file. If your password file was screwed by a program
> hiccup accidentally (this is easily done by pressing wrong keys and answering
> the phone at the same time), then the law must prove that you deliberately
> deleted the file. The law's forensic expert must show that the file was
> deleted in a time frame when the computer was in the process of being
> seized.
>
> The law is designed to deal with passwords or pass phrases that can be
> remembered. So a forty character pass phrase can be remembered and the law
> can claim you are being untruthful for not remembering it. The law has a
> good point.
>
> Passwords that are impossible to remember have to be subject to a different
> law. This law is not on the statute books yet. English law deals with the
> letter of the law.
>
> The law must prove a criminal offence. Human Rights law comes in here. False
> imprisonment is a subject of human rights violations. You are entitled to
> have your own computer forensic expert to show that what is present is random
> data and not an encrypted file.
>
> Similarly the law has its expert who has to prove that what you have is an
> encrypted file and not a random data file. Intent is again the key.
>
> Needless to say you will need an expensive solicitor to argue the case for you
> in court.
>
> Human Rights law would be on your side in this matter. Again another
> expensive solicitor.
>
> If you have the computer programs which can demonstrate what you say and your
> expert can show this in a manner that a jury can understand then the jury
> will find you not guilty of breaking the law. For it is a jury who decide in
> these matters.
>
> The law says that it must be beyond reasonable doubt.
>
> The law does not require you to keep all the files you have ever produced.
>
> I cannot afford to ask for a barrister's opinion on this. Is there anyone in
> the LUG who is a barrister and can elaborate further on this topic?
>
> Many people's knowledge of crypto programs is quite rudimentary and they tend to
> think along the lines of the programs they know. Bruce Schneier can probably
> think of a few programs which the RIPA law will have problems handling.
> http://www.schneier.com/crypto-gram.html has an archive of back issues of
> CRYPTO-GRAM. Bruce Schneier has also discussed this law's failings in one of
> the issues.
>
> John Eayrs


On the one occasion when I was in a court (as an observer), it was
quite frightening to listen to the two barristers and judge discuss
major evidence in the form of a report from the police computer
expert. Not one of them had a clue what the report said, and they
simply pulled random figures and quotes.

As they were discussing a point of law, they did this without the
jury present. In the end, they proceeded with the trial without
using the report from the police computer expert. After, I was able
to read the report myself, and was amazed at how much information it
contained that both barristers and judge had obviously not
comprehended.

So although the jury do decide, as you say, they can only decide
based on the information that is presented to them. When both
barristers and judge don't understand that information, and
therefore allow it to be omitted, then the jury can't really be
expected to do a proper job.

--
Philip Stubbs
http://www.stuphi.co.uk