Sophos Cloud Optix
A British man already in jail for terrorist activity was given another four months for refusing to give police the password to a memory stick that they couldn’t crack.
According to The Register, Judge Richard Marks QC sentenced Syed Hussain, 22, from Luton, for refusing to give up his password, contrary to section 53 of the Regulation of Investigatory Powers Act 2000 (RIPA), the UK’s wiretapping law.
The encrypted memory stick had been seized from Hussain’s home during an April 2012 counter-terrorism operation.
Hussain and three other men were jailed in 2012 after they admitted to discussing an attack on a local Territorial Army base headquarters.
They had planned to send a homemade bomb to their targeted site via a remote controlled toy car, but the men were arrested before the attack could be carried out.
Hussain’s lawyers insisted that he couldn’t remember the password to the memory stick, citing stress as the cause of his memory lapse.
He kept up the “I forgot because I’m so stressed” argument for 11 months.
During that time, police called in experts from GCHQ, the government’s intelligence agency, but even they couldn’t get at the stick’s contents.
So police and prosecutors set a deadline: they gave Hussain until last January to cough up the password.
Then, 11 months after the deadline came and went, police told the convicted man’s lawyers that they’d launched a fresh investigation: this one into alleged credit card fraud by Hussain.
That seemed to jolt Hussain’s memory. Within days, he handed over the password.
It was “$ur4ht4ub4h8”, which the Register reports is a play on words relating to a chapter of the Koran.
When police used the password to unlock the contents of the memory stick, they found it held information relevant to the investigation into alleged fraud, but nothing relating to terrorism or national security.
Image of USB stick courtesy of Shutterstock.
I hope it is as I thought, and a way for him to avoid larger jailtime.
Seriously? So you can now be sentenced for not supplying the authorities with the evidence they need to convict you..?!
If there is nothing on there to incriminate him (even on unrelated charges) then why is he refusing to give the password? If you have nothing to hide, prove it!
“If you have nothing to hide, prove it!”! No, Karl, No! The law in this country is that your innocent till proven guilty. The accused does not have to prove his innocence.
It is more like not telling them where the money is hidden after robbing a bank.
That’s been the case in law of many countries for a very long time.
Yes you can. As I said in a previous post, he should have put the wrong password in 9 times before he got to the airport. If confronted, give the authorities the bogus password for the 10th attempt. Then the thumbdrive would wipe itself automatically and he could claim there never was any data on it.
I very much doubt anyone cracking the USB stick password would use the exact device, they would use an image of the device instead. Not only would this preserve the evidence, it would also enable numerous crack attempts to be performed.
Thank you for an informative blog. This has highlighted the importance of securing our information. For the ordinary Jo blog, securing ones data can prove difficult if it falls in the hands of the wrong person.
No mention of which encryption it was that GCHQ couldn’t even crack? After this last 12 months’ revelations I’m sure more than a few readers would be interested to hear what it was, especially with such a moderate password.
Absolutely! What encryption was used?
I believe it was more the selection of password than the actual encryption.
The printable ASCII table values are from 0x20 to 0x7E. That means there are 0x5F or 95 possible choices for each character in the password. Hussain’s password contained 12 characters.
To the run the full gamut of possibilities would require 540,360,087,662,636,962,890,625 (95 to the power of 12) attempts. If they could try a billion combinations per second it would take them more that 17 million years to break it.
Add to problem by knowing which encryption program was used plus the length of the password.
I would appreciate it if someone would verify my math and logic.
Thus dealing a harmful blow to the urban myth that the government/police/whoever can just virtually snap their fingers and automagically decrypt anything.
This was in the UK, not the USA 😉
Did he say anything about USA? o.O
I suppose it is good to know that USB encryption is good enough to be beyond the capabilities of GCHQ. It makes a good case for making sure your USB memory sticks are encrypted.
It would be handy to know what form of encryption was used. But I guess the police and GCHQ are not going to tell us, because it makes their job harder, and yet at the same time, the Government is trying to persuade small businesses to do better on security.
This somewhat highlights the dilemma – in order to keep cybercrime down, we need good encryption, but at the same time, not good enough that the authorities can’t break it.
That’s why you end up having gov’t organizations introduce backdoor channels into popular encryption methods. I am looking at you RSA…
Or, alternatively, that this particular individual was a low value target not worthy of confirming a (thus far) unconfirmed capability.
If he had been found innocent of the terrorist crime could/would he still have been sentenced for the password crime?
While we have been admonished through these discussions to strongly protect ourselves against on-line hackers we are now seeing that another level of security is necessary…that of being able to camouflage the protected data against even being detected.
The government has become the ultimate hacker by using laws to succeed where technology has failed them.
I am not surprised by this as the safety of thousands depend on the security services having access to any and all information required. seriously though 4 months is a joke he should have got a minimum of 2 years on top of his sentence. Harsh I know but necessary for the safety of the population
I don’t get this. He gets extra ‘time’ for refusing to the give the PW, yet he gives the PW?
BTW There’s a ‘Paul Anderson’ automatic spammer in the comments. Update your spam filter 😉
For some reason, I find it somewhat implausible that GCHQ couldn’t crack a flash drive password. Letters, numbers and only one ‘special’ character? It might take a while though.
About 2000 years on a normal desktop PC so give and take 2 years with enormous computing power, then again…it could take eons if you have no idea of the length of the password, even if its done with dedicated ASICS.
This makes no sense whatsoever. Look at what we’re told….
–When under suspicion of terrorism, he refused to give up his password to info that has nothing to do with terrorism.
–When under suspicion of fraud, he now gives up the password that offers info that will convict himself of fraud.
Really?!
Not bloody likely! If you believe this, you need to check your leg length….
.
Errr, perhaps the logic is like this.
He knows he’s getting busted for terrorism anyway. If he gives up the password, they’ll bust him for fraud too. But if he doesn’t, perhaps they’ll just go, “OK, it’s related to the terrorism stuff,” hit him with the no-password charges, and when he gets out the fraud will still be his little secret.
So he figures an extra four months for the password intransigence…maybe that’s less than the fraud tariff would be, so he keeps his silence.
But then they come at him with the fraud stuff anyway, presumably on account of other evidence he didn’t know they had. Maybe it’s the same stuff he had on the key, acquired from another source. So he doesn’t need to keep the key secret any more, therefore it’s no longer worth it to withold the password. Giving it up melts those extra four months for not revealing it, but doesn’t add anything much to his fraud problems.
hillarious… police found “nothing relating to terrorism or national security”…hello? the password itself!
can someone tell me what happens if you genuinely forget your password to a locked file? I have many that I have simply lost or forgotten – some for valuable things too (well they were about 10 years ago) but I cannot be bothered to really worry about them. If I were the subject of an investigation what would happen?
There’s some discussion of that in a similar sort of case we wrote about here:
http://nakedsecurity.sophos.com/2014/07/07/student-jailed-for-refusing-to-hand-over-password-to-police/