50 characters ? (was RE: Man jailed over computer password refusal

John Wilson tugwilson at gmail.com
Fri Oct 15 19:43:00 BST 2010


On 15 October 2010 18:42, Nicholas Bohm <nbohm at ernest.net> wrote:
>  On 15/10/2010 16:52, John Wilson wrote:
>> On 15 October 2010 16:43, Nicholas Bohm <nbohm at ernest.net> wrote:
>>> Leo Marks also noted the benefits of keeping secret information recorded on
>>> easily destructible media (e.g. silk).  Adopting his procedures, and citing
>>> his work, might have helped Mr Drage present a more convincing account.
>>
>> If I read the specs right, this http://yubico.com/home/index/ allows you to
>> have and use a password that you need never know and which can be
>> easily destroyed (http://www.yubico.com/developers/static/ seems to
>> say that if you press the button for 10 seconds the password is
>> replaced by another random one.). The mere possession of one of these
>> devices would seem to allow you to plausibly claim that you cannot
>> comply with the request to disclose the password.
>
> Maybe, but it's quite likely to be found and seized when the computer is
> seized, and the time to destroy your password is after the computer is
> seized but before you are served with a s49 notice.  I would think a
> discreet piece of paper (e.g. a cigarette paper) might much more easily
> be missed on a search - perhaps slipped in the binding of a book, etc.


I wasn't really thinking of using it to hold the password. I'm
assuming that I'm using one I can remember without writing it down.

How about:

I buy a YubiKey, making sure that I use my normal credit card and the
emails involved in the purchase are archived in my Gmail account.

I destroy and safely dispose of my YubiKey.

I ensure that any system logs which record things like USB keyboard
connections are regularly truncated.

When the Police arrive I ensure that they can find and take all my
electronic junk (a couple of vans' worth in my case).

When served with the RIPA notice I say "I use a YubiKey, I don't know
what the password is because it was generated by the token and you
took it away in one of the boxes".

I can prove I bought it; if the Police have lost it, it's really not my fault.

John Wilson


