Jailed terrorist gets extra time for refusing to divulge USB stick password

Filed Under: Cryptography, Featured, Law & order

USB stick. Image courtesy of Shutterstock.A British man already in jail for terrorist activity was given another four months for refusing to give police the password to a memory stick that they couldn't crack.

According to The Register, Judge Richard Marks QC sentenced Syed Hussain, 22, from Luton, for refusing to give up his password, contrary to section 53 of the Regulation of Investigatory Powers Act 2000 (RIPA), the UK's wiretapping law.

The encrypted memory stick had been seized from Hussain's home during an April 2012 counter-terrorism operation.

Hussain and three other men were jailed in 2012 after they admitted to discussing an attack on a local Territorial Army base headquarters.

They had planned to send a homemade bomb to their targeted site via a remote controlled toy car, but the men were arrested before the attack could be carried out.

Hussain's lawyers insisted that he couldn't remember the password to the memory stick, citing stress as the cause of his memory lapse.

He kept up the "I forgot because I'm so stressed" argument for 11 months.

During that time, police called in experts from GCHQ, the government's intelligence agency, but even they couldn't get at the stick's contents.

So police and prosecutors set a deadline: they gave Hussain until last January to cough up the password.

Then, 11 months after the deadline came and went, police told the convicted man's lawyers that they'd launched a fresh investigation: this one into alleged credit card fraud by Hussain.

That seemed to jolt Hussain's memory. Within days, he handed over the password.

It was "$ur4ht4ub4h8", which the Register reports is a play on words relating to a chapter of the Koran.

When police used the password to unlock the contents of the memory stick, they found it held information relevant to the investigation into alleged fraud, but nothing relating to terrorism or national security.

Image of USB stick courtesy of Shutterstock.

, , ,

You might like

26 Responses to Jailed terrorist gets extra time for refusing to divulge USB stick password

  1. Anonymous · 88 days ago

    I hope it is as I thought, and a way for him to avoid larger jailtime.

  2. Mike A · 88 days ago

    Seriously? So you can now be sentenced for not supplying the authorities with the evidence they need to convict you..?!

    • Karl · 88 days ago

      If there is nothing on there to incriminate him (even on unrelated charges) then why is he refusing to give the password? If you have nothing to hide, prove it!

      • 4caster · 87 days ago

        "If you have nothing to hide, prove it!"! No, Karl, No! The law in this country is that your innocent till proven guilty. The accused does not have to prove his innocence.

    • Blake · 88 days ago

      It is more like not telling them where the money is hidden after robbing a bank.

    • Anonymous · 88 days ago

      That's been the case in law of many countries for a very long time.

    • Randy · 88 days ago

      Yes you can. As I said in a previous post, he should have put the wrong password in 9 times before he got to the airport. If confronted, give the authorities the bogus password for the 10th attempt. Then the thumbdrive would wipe itself automatically and he could claim there never was any data on it.

      • Anonymous · 88 days ago

        I very much doubt anyone cracking the USB stick password would use the exact device, they would use an image of the device instead. Not only would this preserve the evidence, it would also enable numerous crack attempts to be performed.

  3. Paul Anderson · 88 days ago

    Thank you for an informative blog. This has highlighted the importance of securing our information. For the ordinary Jo blog, securing ones data can prove difficult if it falls in the hands of the wrong person.

  4. Rainmaker · 88 days ago

    No mention of which encryption it was that GCHQ couldn't even crack? After this last 12 months' revelations I'm sure more than a few readers would be interested to hear what it was, especially with such a moderate password.

    • helper · 88 days ago

      Absolutely! What encryption was used?

      • Victor L-S · 88 days ago

        I believe it was more the selection of password than the actual encryption.

        The printable ASCII table values are from 0x20 to 0x7E. That means there are 0x5F or 95 possible choices for each character in the password. Hussain's password contained 12 characters.

        To the run the full gamut of possibilities would require 540,360,087,662,636,962,890,625 (95 to the power of 12) attempts. If they could try a billion combinations per second it would take them more that 17 million years to break it.

        Add to problem by knowing which encryption program was used plus the length of the password.

        I would appreciate it if someone would verify my math and logic.

  5. Matt · 88 days ago

    Thus dealing a harmful blow to the urban myth that the government/police/whoever can just virtually snap their fingers and automagically decrypt anything.

  6. TonyG · 88 days ago

    I suppose it is good to know that USB encryption is good enough to be beyond the capabilities of GCHQ. It makes a good case for making sure your USB memory sticks are encrypted.

    It would be handy to know what form of encryption was used. But I guess the police and GCHQ are not going to tell us, because it makes their job harder, and yet at the same time, the Government is trying to persuade small businesses to do better on security.

    This somewhat highlights the dilemma - in order to keep cybercrime down, we need good encryption, but at the same time, not good enough that the authorities can't break it.

    • Anonymous · 88 days ago

      That's why you end up having gov't organizations introduce backdoor channels into popular encryption methods. I am looking at you RSA...

    • Or, alternatively, that this particular individual was a low value target not worthy of confirming a (thus far) unconfirmed capability.

  7. Victor L-S · 88 days ago

    If he had been found innocent of the terrorist crime could/would he still have been sentenced for the password crime?

    While we have been admonished through these discussions to strongly protect ourselves against on-line hackers we are now seeing that another level of security is necessary...that of being able to camouflage the protected data against even being detected.

    The government has become the ultimate hacker by using laws to succeed where technology has failed them.

  8. Andrew · 88 days ago

    I am not surprised by this as the safety of thousands depend on the security services having access to any and all information required. seriously though 4 months is a joke he should have got a minimum of 2 years on top of his sentence. Harsh I know but necessary for the safety of the population

  9. Jan Doggen · 88 days ago

    I don't get this. He gets extra 'time' for refusing to the give the PW, yet he gives the PW?

    BTW There's a 'Paul Anderson' automatic spammer in the comments. Update your spam filter ;-)

  10. For some reason, I find it somewhat implausible that GCHQ couldn't crack a flash drive password. Letters, numbers and only one 'special' character? It might take a while though.

    • Dogbreath · 88 days ago

      About 2000 years on a normal desktop PC so give and take 2 years with enormous computing power, then again...it could take eons if you have no idea of the length of the password, even if its done with dedicated ASICS.

  11. Scribblerlarry · 88 days ago

    This makes no sense whatsoever. Look at what we're told....
    --When under suspicion of terrorism, he refused to give up his password to info that has nothing to do with terrorism.
    --When under suspicion of fraud, he now gives up the password that offers info that will convict himself of fraud.

    Really?!

    Not bloody likely! If you believe this, you need to check your leg length....
    .

    • Paul Ducklin · 88 days ago

      Errr, perhaps the logic is like this.

      He knows he's getting busted for terrorism anyway. If he gives up the password, they'll bust him for fraud too. But if he doesn't, perhaps they'll just go, "OK, it's related to the terrorism stuff," hit him with the no-password charges, and when he gets out the fraud will still be his little secret.

      So he figures an extra four months for the password intransigence...maybe that's less than the fraud tariff would be, so he keeps his silence.

      But then they come at him with the fraud stuff anyway, presumably on account of other evidence he didn't know they had. Maybe it's the same stuff he had on the key, acquired from another source. So he doesn't need to keep the key secret any more, therefore it's no longer worth it to withold the password. Giving it up melts those extra four months for not revealing it, but doesn't add anything much to his fraud problems.

  12. ER · 88 days ago

    hillarious... police found "nothing relating to terrorism or national security"...hello? the password itself!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.