Mac Lion Blindly Accepts Any LDAP Password
August 27, 2011 | No Comments | Uncategorized
Fighting Ignorance since 1986 (It’s taking longer than I thought).
July 14, 2011 | No Comments | Security

A mortgage fraud case has turned into a battle over the Fifth Amendment as the Department of Justice argued that the government can force individuals to disclose their encryption passphrases.
Ramona Camelia Fricosu and her husband, Scott Anthony Whatcott, were indicted last year for scamming Colorado Springs residents facing foreclosure. After the FBI obtained search warrants and seized Fricosu’s laptop, agents discovered they could not view the contents because the laptop drive was encrypted. As a result, the FBI asked a Colorado federal district court on May 6 to compel Fricosu to enter her password, arguing that the contents of the drive were included under the warrants.
The government doesn’t need the passphrase itself and said Fricosu can just type it in to decrypt the drive without anyone finding out her code. Prosecutors have likened the encryption key in this case to a physical key used on a safe, arguing that a warrant would require defendants to hand over the key to open the safe.
July 14, 2011 | No Comments | Uncategorized
June 23, 2011 | No Comments | Security

People imagine that sophisticated hacking requires sophisticated computers. The truth is that almost everything a hacker does can be done with a cheap notebook computer, or even a mobile phone.
The major exception is password cracking, and related crypto tasks like bitcoin mining and certificate forgery. In these cases, a minor investment in hardware can be warranted.
In particular, those who need to crack passwords (pen-testers, sysadmins, hackers) should buy a gaming graphics card in order to speed up cracking. Or, when buying notebooks for pen-testing, they should choose those with graphics processors.
June 21, 2011 | 1 Comment | Security

This morning a post on Pastebin outlined a serious security issue that was spotted at Dropbox: for a brief period of time, the service allowed users to log into accounts using any password. In other words, you could log into someone’s account simply by typing in their email address. Given that many people entrust Dropbox with important data (one of the service’s selling points is its security), that’s a really big deal.
We’ve now confirmed with Dropbox that the service did have this issue yesterday — Dropbox says that it began after a code push at 1:54 PM PDT and was fixed at 5:46 PM PDT (they had the fix live five minutes after they discovered it). So, in total, the bug was live for around four hours.
The question now is how many people were affected. The company will be announcing that “much less than 1 percent” of users logged in during this time, and that all sessions have now been logged out as a security precaution. The team is now investigating if any accounts were improperly accessed, and says that anyone who was impacted will be notified.