50 characters ? (was RE: Man jailed over computer password refusal

Nicholas Bohm nbohm at ernest.net
Sat Oct 16 08:14:15 BST 2010 

 On 15/10/2010 19:43, John Wilson wrote:
> On 15 October 2010 18:42, Nicholas Bohm <nbohm at ernest.net> wrote:
>>  On 15/10/2010 16:52, John Wilson wrote:
>>> On 15 October 2010 16:43, Nicholas Bohm <nbohm at ernest.net> wrote:
>>>> Leo Marks also noted the benefits of keeping secret information recorded on
>>>> easily destructible media (e.g. silk).  Adopting his procedures, and citing
>>>> his work, might have helped Mr Drage present a more convincing account.
>>> If I read the specs right this http://yubico.com/home/index/ allows
>>> have and use a password that you need never know and which can be
>>> easily destroyed (http://www.yubico.com/developers/static/ seems to
>>> say that if you press the button for 10 seconds the password is
>>> replaced by another random one.). The mere possession of one of these
>>> devices would seem to allow you to plausibly clam that you cannot
>>> comply with the request to disclose the password.
>> Maybe, but it's quite likely to be found and seized when the computer is
>> seized, and the time to destroy your password is after the computer is
>> seized but before you are served with a s49 notice.  I would think a
>> discreet piece of paper (e.g. a cigarette paper) might much more easily
>> be missed on a search - perhaps slipped in the binding of a book, etc.
>
> I wasn't really thinking of using it to hold the password. I'm
> assuming that I'm using one I can remember without writing it down.
>
> How about:
>
> I buy a YubiKey making sure that I use my normal credit card and the
> email's involved in the purchase are archived in my Gmail account.
>
> I destroy and safely dispose of my YubiKey
>
> I ensure that any system logs which record things like USB keyboard
> connections are regularly truncated.
>
> When the Police arrive I ensure that they can find and take all my
> electronic junk (a couple a vans worth in my case).
>
> When served with the RIPA notice I as "I use a YubiKey, I don't know
> what the password is because it was generated by the token and you
> took it away in one of the boxes"
>
> I can prove I bought it, if the Police have lost it it's really not my fault.

Nice scenario, but not everyone knows how to "ensure that any system
logs which record things like USB keyboard connections are regularly
truncated." (I don't, for one.) And not everyone has such a haystack of
electronic gear as to make loss of the Yubikey needle plausible.

With a key written on a cigarette paper, you can play the game either
way:  either "It was on my desk when you searched, I haven't seen it
since, so you must have lost or destroyed it by accident" or "It was in
the binding of my copy of 'A Midsummer Ramble in the Dolomites' by
Amelia Edwards, and your search missed it.  As you had my computer, I
destroyed it after you left."

The second variant could be buttressed by evidence from an unimpeachable
witness who saw the paper with a very long and unrememberable password
on it and saw it destroyed.  The first variant is perhaps more plausible
as an account of how we amateurs really do things with written records
of passwords.

Nicholas
-- 
Contact and PGP key here <http://www.ernest.net/contact/index.htm>

More information about the ukcrypto mailing list