
Accused British hacker, wanted for crimes in US, won’t give up crypto keys - jgrahamc
http://arstechnica.com/tech-policy/2015/02/accused-british-hacker-wanted-for-crimes-in-us-wont-give-up-crypto-keys/
======
pjc50
They could use the RIPA powers to compel decryption, but they haven't,
possibly because of the extradition context.

In which case I think this is just covered by PACE:
[https://www.gov.uk/police-and-criminal-evidence-act-1984-pace-codes-of-practice](https://www.gov.uk/police-and-criminal-evidence-act-1984-pace-codes-of-practice); but that allows items to be retained so
long as an investigation is ongoing. Which would be until the US give up
trying to extradite him. Given the Gary McKinnon fiasco, that's about a decade
and the intervention of several Home Secretaries.

~~~
topynate
> They could use the RIPA powers to compel decryption, but they haven't,
> possibly because of the extradition context.

We don't actually know that with certainty. The Act contains a provision
whereby someone can be forbidden from revealing that he's received an order to
disclose an encryption key.

------
tedunangst
I know in theory you can do so, but representing yourself is often code for "I
was unable to find a lawyer willing to agree with my crazy legal theory".
Dropping phrases like "convert chattel" makes me think that's even more
likely, because even lawyers don't talk to the press like that.

~~~
hurin
Modern law is effectively a cartel. There is no reason that an educated,
intelligent man shouldn't be able to represent himself in most cases with fair
preparation - so the bulk of modern law consists of creating obscure
procedures and technicalities to make the former especially difficult, thus
allowing the elite and privileged class to have an altogether different
experience and preferable outcomes within the law which is only theoretically
supposed to be applied in equal measure to all.

~~~
s_q_b
A fair justice system is by necessity complex, and a complex system
necessarily requires guidance from an expert.

~~~
hurin
What does it mean to be an _expert_? The cartel-aspect is that it's _not good
enough_ to know the relevant law (it's not any harder to read legal documents
than manuals) or to be able to emphasize its relevance and logical coherence
relative to the case.

This is precisely the kind of mystical nonsense notion that I was referring
to. In their view a qualified defense must be made by a lawyer precisely for
the sake of it being made by a lawyer, and for preserving the power-structure
of the institution.

~~~
s_q_b
No. A qualified defense must be made by someone with requisite legal
knowledge, and while not everyone with that knowledge must necessarily be an
attorney, of course the courts use a law degree and the bar exam as
heuristics.

The simple fact that you think legal documents are no more difficult to
understand than manuals is a perfect example of how woefully unprepared for
the legal arena certain members of the general public are.

It takes a _long time_ to learn statutory law, case law, common law,
constitutional law, regulatory law, and their interconnections about even a
_single subject_, and it is assumed throughout that you will have knowledge
of legal concepts that aren't contained in those documents.

Is it possible to represent yourself and win? Yes. If you really know the law
that well, you won't have a problem, even pro se.

The issue is that many pro se litigants are like you.

They hubristically believe the law is like an IKEA instruction booklet,
advance wildly incorrect theories due to lack of foundational knowledge, end
up wasting vast amounts of the court's time at taxpayer expense, and then
bitterly complain that the judge didn't follow the law when they lose.

~~~
hurin
> The issue is that many pro se litigants are like you...hubristically
> believe...advance wildly incorrect theories

Thank you for the ad-hominem attacks. Usually these come when the interlocutor
has little left to say of merit.

> A qualified defense must be made by someone with requisite legal knowledge.

And the key part of this statement is the _mystical belief_ that _requisite
legal knowledge_ is something intangible to the case and which defies normal
logic. So you'll accept a guy working in a patent office solving a difficult
problem in physics, but heaven forbid he should feel qualified to represent
himself in court.

> it is assumed throughout that you will have knowledge of legal concepts that
> aren't contained in those documents.

More mysticism?

You would be surprised how many lawyers I've talked to that would have failed
out of a first semester course on formal logic.

> advance wildly incorrect theories due to lack of foundational knowledge, end
> up wasting vast amounts of the court's time at taxpayer expense, and then
> bitterly complain that the judge didn't follow the law when they lose

Actually I have had the occasion to defend myself in court. For what it's
worth it took me three court appearances, because the prosecutor was
completely oblivious to how groundless the case was; thus happily wasting
three days of my economic productivity (which cost more than the fine would
have) as well as tax payer money.

~~~
nmrm2
> So you'll accept a guy working in a patent office solving a difficult
> problem in physics, but heaven forbid he should feel qualified to represent
> himself in court.

Citing Einstein as a prototypical example is somehow conceding the parent's
point, don't you think?

> You would be surprised how many lawyers I've talked to that would have
> failed out of a first semester course on formal logic.

This I can believe; but then, law has very little to do with formal systems
and the sort of informal "logic" used in legal reasoning is absolutely
uninformed by anything but the first week or so of a standard intro to
mathematical logic course (most legal theory/systems pre-date the advent of
modern logic in the late 19th century).

~~~
hurin
> Citing Einstein as a prototypical example is somehow conceding the parent's
> point, don't you think?

I'm not citing Einstein as a prototypical example by any means, but I'm citing
the _idea_ about how we verify knowledge in a subject.

If a guy from a Burger King comes and says, hey I've got a result in
theoretical physics, or hey hire me as a developer - we have a method to
_verify_ whether they can do those things in a practical way and this
shouldn't require platitudes about _complexity_ and _history of jurisprudence_
etc. (or the equivalent for those fields).

> This I can believe; but then, law has very little to do with formal systems
> and the sort of informal "logic" used in legal reasoning is absolutely
> uninformed by anything but the first week or so of a standard intro to
> mathematical logic course (most legal theory/systems pre-date the advent of
> modern logic in the late 19th century).

Formal logic as far as reasoning about non-mathematical subjects is
probably not that far from where it was in Aristotle's days. I don't know
about the actual application of law - indeed your average jury may very well
be swayed (I'll quote from yesterday):

_"Ladies and gentlemen of the jury. We will show you how the defendant used
the notorious hacker tool known as 'strings' to facilitate his vendetta
against Lenovo."_

But that a Jury would be swayed by something like that and that it's the
business of prosecution to make such arguments (hypothetically) is I think
precisely in support of my point about the law.

On the other hand the authors considered to be authorities Jurisprudence are,
I think, _very well_ informed in formal logic.

~~~
nmrm2
> we have a method to verify whether they can do those things in a practical
> way and this shouldn't require platitudes about complexity and history of
> jurisprudence etc.

The author explicitly stated it's _not_ impossible to represent yourself
adequately, it's just very rarely done well.

Your theory about how judges should act only makes sense if evaluating
arguments is free. But evaluating arguments -- especially unconventional ones
-- is _really_ expensive!

There is significant cost associated with evaluating an "out there" legal
theory (in terms of research, opinion writing, etc.); it's entirely reasonable
for judges to not invest public time/money into a point-by-point analysis of
an unorthodox legal theory, especially if that theory comes from someone
without formal training.

Most professionals know that certain non-professionals _are_ capable of doing
their jobs, but also know that in the general case hubris is far more common
than untrained competence.

The parent's point was essentially this -- it's not impossible to represent
yourself, but it's much harder than most people realize. Most judges aren't
willing to invest the time necessary to investigate/help articulate apparently
crazy legal theories, and that's both rational and justified. Explaining
point-by-point why a crazy legal theory is crazy is not a good use of public
time and money.

> Formal logic as far as reasoning about non-mathematical subjects is
> probably not that far from where it was in Aristotle's days.

That's my point -- typically "formal logic" means exactly deductions in/about
formal systems. Wikipedia _redirects_ "formal logic" to "mathematical logic".

Law has no formal logic, and (edit: a lot of) what's taught in law school
pre-dates the advent of formal logic (late 1800s) by a hundred years.

The ability to prove soundness or completeness or first order logic (the sort
of thing I would expect to appear in an introduction to formal logic course)
is really completely irrelevant to the practice of law.

> the authors considered to be authorities Jurisprudence are, I think, very
> well informed in formal logic

This is simply not true, or else you have an uncommon definition of "formal
logic".

------
joncp
After your equipment has been in the hands of a government, wouldn't it be
wise to simply abandon that hardware? Who knows what kind of crap they've
installed on it that is nearly impossible to remove.

~~~
SnacksOnAPlane
You can likely just get the raw data from your drives without actually keeping
anything executable. Text files and images are fine, but I'm sure there are
some formats that you'd have to be extra-careful about.

~~~
ncza
Text and images can easily be tampered with to exploit. In fact, that's a
common malware vector. If you have reason to not trust your files, then it's
fairly black and white.

~~~
biafra
That is why you need to make sure you do not give them your decryption
password for your file container. And hope they were not able to compromise
your encrypted container in such a way.

------
RexRollman
I know it hasn't been requested yet but I find it interesting that the US
could seek extradition of a suspect for hacking into their systems while
facing no repercussions for doing the same to Gemalto.

------
shitlord
Was this guy affiliated with HTP? They were notorious for the ColdFusion
exploit, for hacking Linode, and for hacking DARPA (or something like that).

Edit: Some Googling turned up a pastebin result [1]. Also relevant are [2] and
[3].

[1]: [http://pastebin.com/d0ni33Hx](http://pastebin.com/d0ni33Hx)

[2]: [http://krebsonsecurity.com/tag/zeekill/](http://krebsonsecurity.com/tag/zeekill/)

[3]: [https://encyclopediadramatica.se/Zeekill](https://encyclopediadramatica.se/Zeekill)

~~~
ryanlol
Lauri wasn't involved with HTP, he was involved with a HTP member that gave
him the CF exploit he used.

------
smtddr
Some advice for the accused; not that I condone your actions _(based on the
article, you seem guilty)_ but if you get the devices back you should probably
assume they've been compromised. You should just destroy them completely. Or
maybe investigate and document any tampering. But please don't login to any
sensitive accounts on them. Don't decrypt the files on those devices either.
Mount the filesystems and copy the files to a known trustworthy device.

~~~
pavel_lishin
> _Mount the filesystems and copy the files to a known trustworthy device._

At this point, can we even be certain that that's safe? If the hard drives
themselves have been compromised, what's to prevent them from copying out
arbitrary data?

~~~
bigiain
I guess it depends on value (to him) of retrieving the data and the
sophistication of your adversary (and if his reported/alleged boasting on irc
is to be believed, and collusion/cooperation between the UK's NCA and the US,
you'd need to assume the most sophisticated of adversaries is a distinct
possibility).

It's too late to keep encrypted copies of the data out of his adversary's
hands - they'll have imaged everything as their first step - so presumably
he's either doing this because there's data there he wants, or he's just being
a pain in the ass over a few hundred bucks (or pounds) worth of hardware (and
more power to him if that's what's really going on!).

If _I_ needed data off those drives, I'd get a "burner" computer that's not
connected to the internet or any sort of local network, plug the drives into
that and decrypt them, then get those files off the machine in the least
technical way possible - transcribe them by hand, take photos of the screen,
print to a usb connected (burner) printer, if the data is too big for those
sort of options (or binary blobs) I'd use a serial port connection to a second
trusted machine.

Then I'd melt down the drives and the burner machine.

But mostly, I'd avoid becoming a target of the NSA's attention in the first
place - if I were him I'd be suspicious of any hardware known or suspected by
the NSA to be used by him ever. I'd assume supply chain exploitation of any
new hardware with deeply embedded firmware/hardware layer exploits. I'd only
ever use (for "private" purposes) 2nd hand hardware bought for cash from
strangers... If you can get "targeted" for surveillance and exploitation just
for occasionally using PGP and working at the wrong company (like the Gemalto
guy from Thailand), how much scrutiny would you have to expect to live under
if the US military thought you'd rooted their internal networks?

Glad I'm not him...

~~~
bigiain
And, in a late update:

[http://www.wired.com/2015/02/nsa-firmware-hacking/](http://www.wired.com/2015/02/nsa-firmware-hacking/)

I don't know if he's considered worth this much to "the authorities", but
how'd you like _that_ done to your disks?

(If I'm reading that right, my non-network-connected burner machine would
_probably_ be safe against that, but it's clearly half-decade-old NSA tech.
Assuming their capability hasn't improved beyond that is ... foolish...)

------
pavel_lishin
> _He exploited similar types of vulnerabilities in sites that used
> ColdFusion, the Web application software whose full source code was recently
> found on a server operated by hackers._

I have no idea why, but I always assumed that the ColdFusion source was as
freely available as Apache's or PHP's.

~~~
bigiain
I'd guess that the source for Cold Fusion is probably fairly well secured by
Adobe, and was never available on any of the exploited servers, the same way
that very few webservers actually have the Apache or PHP _source_ code lying
around, just the compiled binaries. What was probably found on "a server
operated by hackers" would have been the web-app written to run on Cold
Fusion, so in your analogy it's more like they exfiltrated the WordPress php
source files.

(assuming, perhaps foolishly, that a logical interpretation exists for the
hints dropped by a journalist who either doesn't fully understand, or who
strove to lower his wordcount as a higher priority than technical accuracy...)

------
aburan28
They will decrypt it in time

