undefined | Better HN

0 pointshurin10y ago0 comments

> but how much better could anybody here do?

Well, Kim Dotcom is still kicking it.

As for Ross, the evidence might have been circumstantial at best if his un-encrypted notebook wasn't grabbed.

0 comments

Kim Dotcom is "kicking it" about as well as Julian Assange is. It's not like he's hidden somewhere. The authorities know exactly who he is, where he is, how much he owns, and how to get it. They're just sorting out the court procedures to make sure they get all of it.

In any event, Ross was running something somewhat more illicit than Megaupload. His opsec probably should have been commensurately better.

jaryd10y ago

What always gets me is how (in this situation) he would ever operate a laptop that was usable without being plugged in... If he had simply removed the battery and kept the thing plugged then the laptop would have powered off immediately after it was grabbed.

mburns10y ago

That would have been an improvement, but even basic computer forensic gathering knowledge would get around this without trouble. What he needed to do is keep his sensitive files encrypted separately from his laptop login. Like on a USB drive encrypted with GPG and a nice long passphrase.

Even then, the FBI grabbed him with his laptop logged into the management interface for Silk Road... So he still would have been in some hot water.

SamReidHughes10y ago

Maybe. For stuff like the personal notes you're keeping on a criminal conspiracy, a flash drive might be fine. But I'd be very skeptical of storing, say, the PHP source code to the Silk Road on a flash drive or SSD, because the internal data structures of the SSD could leak information about the sizes of individual files. If the feds can recover the sizes of individual files, rounded up to the next multiple of 4K, and you've got the PHP source code for the Silk Road stored there, it's game over. The same goes for filesystem encryption, like the kind ZFS (I think) has.

(I'm not personally familiar with ZFS, but the ZFS docs, especially https://docs.oracle.com/cd/E26502_01/html/E29007/gkkih.html#... really creep me with regard to this. The last thing you'd want is blocks in your local encrypted copy of PHP source code to be compressed first. And so then you'd think you'd want encryption enabled on a pool, but from reading the docs it seems that feature merely makes the filesystems on that pool inherit that encryption option, instead of doing some sort of filesystem-blind block-level encryption, where there's any variance in the encryption of blocks, or any information that could be derived from locations of blocks. So I think the suggestion to encrypt on a directory-by-directory basis to limit your exposure is not a very good one. I'd recommend that you use a spinning hard drive, whole disk encryption of the sort we have today, take out the battery, and keep your foot by the power outlet.)

jaryd10y ago

If the laptop turned off and the drive was encrypted by what basic method could they extrapolate the same information as if the computer was decrypted and powered on? Are you referring to some kind of memory attack? Wouldn't they need to be prepared to do that kind of forensic work in the extremely near term (or have some equipment on-hand to preserve the memory at least)? I'm pretty uninformed in this area and would appreciate a lesson.

1 more reply

MichaelGG10y ago

Why would the LEOs unplug the device? They'd use one of those power transfer gadgets to cutover to battery and keep it running. Same as with desktops and servers. They can just grab him, not necessarily the device.

jaryd10y ago

The idea is that typically people expect a laptop to remain powered when the cord is unplugged (due to the battery), and so in a situation where the laptop is grabbed the power is cut immediately (and unexpectedly) and the hard-drive is no longer decrypted. As another commenter pointed out, a forensics team could then probably grab whatever they needed from the system memory (presuming they acted fast enough), but as I understand it the problem becomes significantly more complicated.

SamReidHughes10y ago

Well, if you want to be ready to quick-twitch turn off the device, pulling a power cord is usually a lot simpler than removing the battery.

j / k navigate · click thread line to collapse

0 comments

unavoidable10y ago

In any event, Ross was running something somewhat more illicit than Megaupload. His opsec probably should have been commensurately better.

jaryd10y ago

mburns10y ago

Even then, the FBI grabbed him with his laptop logged into the management interface for Silk Road... So he still would have been in some hot water.

SamReidHughes10y ago

jaryd10y ago

1 more reply

MichaelGG10y ago

jaryd10y ago

SamReidHughes10y ago

Well, if you want to be ready to quick-twitch turn off the device, pulling a power cord is usually a lot simpler than removing the battery.

j / k navigate · click thread line to collapse