The Null Device

Hacking the human factor

A look at the U.S. Secret Service's tools for breaking encryption on seized data. Not surprisingly, they use a network of distributed machines to help brute-force keys. Cleverly enough, before they do so, they assemble a custom dictionary of potential keys/starting points from all data on the seized machine (including files, web browsing histories, and presumably terminology associated with the areas of interest visited web sites relate to). (via /.)
"If we've got a suspect and we know from looking at his computer that he likes motorcycle Web sites, for example, we can pull words down off of those sites and create a unique dictionary of passwords of motorcycle terms," the Secret Service's Lewis said.
Hansen recalled one case several years ago in which police in the United Kingdom used AccessData's technology to crack the encryption key of a suspect who frequently worked with horses. Using custom lists of words associated with all things equine, investigators quickly zeroed in on his password, which Hansen says was some obscure word used to describe one component of a stirrup.

This technique apparently works surprisingly well, because people (including organised criminals) tend to choose relatively predictable passwords.

The moral of this story is: if you're planning the perfect crime using computers and encryption, you may find it wise to develop an obscure interest and not mention it by electronic means. Or, for that matter, let it show up in credit card receipts, library records, personal effects, or any other information the authorities could get. Which could be trickier than it sounds.

Also on the subject of people subconsciously giving away more than they think: this IHT article on "psychological illusionist" Derren Brown (via bOING bOING):

He produces a sheet of blank paper and issues an instruction: Draw a picture. "Try to catch me out; make it a bit obscure," he orders. "Don't draw a house; don't draw a stick man." Walking to another room and out of sight, he decrees that the picture should be concealed until the end of the interview - whereupon, he claims, he will reveal what it is.
Recently, he said, he used his talents to defuse a situation in which an aggressive youth approached him on the street, yelling, "What are you looking at?" (Brown responded with a rapid series of diversionary non sequiturs, he said; the man burst into tears.)
Instructing me to concentrate, he pulls out a blank sheet of paper and begins sketching, chatting all the while. He tells me he "sees" a conical shape with spots on it - some sort of decorated lamp with a blob on top. And knock me down if he does not produce a near-exact replica of my drawing, the only differences being that his has more dots than mine, and his stripes are horizontal, not vertical.

Channel 4 has a Derren Brown microsite here, with streaming video and explanations of some of the tricks (such as making people fall asleep in phone booths). Think of it as the human equivalent of the buffer overrun attack.

There are 2 comments on "Hacking the human factor":

Posted by: steff http://ofterdingenandkropotkin.blogspot.com Wed Mar 30 02:09:41 2005

Great stuff again. But that site sux, as do the flash media on it. I don't get the analogy with the buffer overrun attack either, possibly because I gave up on the Brown site yielding any useful information.

Posted by: Graham http://grudnuk.com/ Wed Mar 30 02:18:07 2005

Irony.

Want to say something? Do so here.

Post pseudonymously

Display name:
URL:(optional)
To prove that you are not a bot, please enter the text in the image into the field below it.

Your Comment:

Please keep comments on topic and to the point. Inappropriate comments may be deleted.

Note that markup is stripped from comments; URLs will be automatically converted into links.