January 16, 2008 10:38 AM PST

Child porn defendant locked up after ZIP file encryption broken

by Declan McCullagh

Government investigators were able to easily break the ZIP file encryption that a Texas man allegedly used to conceal illegal images, a recent court case shows.

The investigation of John Craig Zimmerman began when his employer, the Brownsville Fire Department, received an anonymous voice message in February 2007 alleging that Zimmerman was a pedophile and had child pornography on his department-owned work computer. A city programmer named Albert Castillo searched Zimmerman's computer and found adult pornography (technically a violation of department policy but not a crime) on an external hard drive.

What Castillo also found were some password-protected ZIP files titled "Cindy 5." Castillo apparently used a program called Zipkey 5.5 to brute-force at least some of the password-protected files and find images of a partly naked minor.

Homeland Security's Immigration and Customs Enforcement agents were called in, and volunteered that they had information from a previous investigation showing that Zimmerman previously bought a membership on a child porn Web site. (Left unanswered is why, if that was in fact the case, ICE never did anything about it.)

What happened next: Zimmerman's home was raided with a search warrant, additional images he allegedly took himself were found, he was indicted on counts of receiving and possessing child pornography, and he pleaded no contest except to say that the images had nothing to do with interstate commerce. In an opinion dated December 20, U.S. District Judge Andrew Hanen said there was a "rational basis" to assume that child pornography transmissions related to interstate commerce.

I mention this case not because there is anything remarkable about cracking one of the older ZIP archives. The traditional PKZIP stream cipher has long been known to be anything but secure: Biham and Kocher published a known-plaintext attack on it in 1994, and because every encrypted entry starts with a 12-byte header that lets a wrong password be rejected almost immediately, short or dictionary passwords fall to plain brute force. Newer WinZip archives, starting with WinZip 9.0, use AES with 128- or 256-bit keys, which moves the weak point from the cipher to the password the user chose.
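What makes the older format cheap to attack in practice, as an added example (this is not code from the article, from Zipkey, or from any other tool it mentions): the traditional PKZIP stream cipher from PKWARE's APPNOTE, reimplemented in Python, an encrypted archive built with it, and a dictionary attack that uses the format's own check byte to discard wrong passwords after 12 bytes of work. The entry name, plaintext, password and wordlist are constructed for the demo, and the first 11 header bytes are fixed here rather than random as a real archiver would make them.

```python
"""Legacy PKZIP stream cipher ("ZipCrypto", PKWARE APPNOTE 6.1) plus the
check-byte shortcut that makes password guessing cheap.  Added example, not
code from the article or from any tool it names; the entry name, plaintext,
password and wordlist are constructed for the demo."""
import io
import struct
import zipfile
import zlib

MASK = 0xFFFFFFFF
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)


def _crc_step(crc, b):
    # one reflected CRC-32 table step, with no pre/post inversion
    return CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc_step(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & MASK
        self.k1 = (self.k1 * 134775813 + 1) & MASK
        self.k2 = _crc_step(self.k2, self.k1 >> 24)

    def _keystream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)  # the state is driven by plaintext bytes
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def build_encrypted_zip(name, plaintext, password, header_seed=b"\x00" * 11):
    """One stored entry with flag bit 0 (encrypted).  The 12-byte header ends in
    the high byte of the CRC-32; a fixed seed for the other 11 bytes keeps this reproducible."""
    crc = zlib.crc32(plaintext) & MASK
    body = ZipCrypto(password).encrypt(header_seed + bytes([crc >> 24]) + plaintext)
    t, d = 21696, 14384  # DOS time/date fields: 10:38, 2008-01-16
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, t, d, crc,
                        len(body), len(plaintext), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, t, d,
                          crc, len(body), len(plaintext), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def crack(zip_bytes, wordlist):
    """Dictionary attack on the first entry: (password or None, work counters)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.infolist()[0]
    name_len, extra_len = struct.unpack_from("<HH", zip_bytes, info.header_offset + 26)
    start = info.header_offset + 30 + name_len + extra_len
    header = zip_bytes[start:start + 12]
    ciphertext = zip_bytes[start + 12:start + info.compress_size]
    check_byte = (info.CRC >> 24) & 0xFF  # flag bit 3 is clear, so CRC, not mod time
    stats = {"tried": 0, "passed_check_byte": 0}
    for pw in wordlist:
        stats["tried"] += 1
        z = ZipCrypto(pw)
        if z.decrypt(header)[11] != check_byte:
            continue  # rejected after 12 bytes of keystream: the cheap path
        stats["passed_check_byte"] += 1
        if zlib.crc32(z.decrypt(ciphertext)) & MASK == info.CRC:  # stored, no inflate
            return pw, stats
    return None, stats


SECRET = b"constructed sample plaintext, not a real file"
WORDLIST = [b"password", b"letmein", b"123456", b"qwerty", b"brownsville", b"summer08"]
ARCHIVE = build_encrypted_zip(b"notes.txt", SECRET, b"summer08")


def demo():
    # the standard library's own decrypter must accept the archive first
    with zipfile.ZipFile(io.BytesIO(ARCHIVE)) as zf:
        recovered = zf.read("notes.txt", pwd=b"summer08")
    return recovered, crack(ARCHIVE, WORDLIST)
```

The archive is read back with the standard library's ZipCrypto decrypter before the attack runs, so the cipher implementation is checked against an independent one. The work counters show the shape of the attack: only about one wrong guess in 256 survives the check byte and costs a full decrypt and CRC, and a deflated entry would need an inflate at that stage, which is why the header test matters. The same check is what AES-encrypted (WinZip 9.0 and later) entries do not offer cheaply; there a guess costs a PBKDF2 derivation.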

The reason I'm mentioning this case is to argue that as encryption becomes more widespread--it ships with OS X (FileVault) and Vista (BitLocker), after all--police will encounter it more frequently, and not just in cases involving illegal images. And not all encrypted files will be as easy to brute-force. Which means that the outcome of the Boucher case, in which a federal court in Vermont is deciding whether a defendant can be compelled to reveal the passphrase to his encrypted laptop, becomes more important than ever.

Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this." E-mail Declan.
18 Comments
Don't look now, but...
by mitchhellman January 16, 2008 11:47 AM PST
... the link in the article to Zipkey 5.5 actually links to a different product with the same name, one that is a city-level directory of 5-digit United States ZIP codes and 3-digit telephone area codes and seemingly nothing to do with Zip files at all.
whoops!
by declan00 January 16, 2008 3:13 PM PST
Our mistake. It has been fixed.
Breaking Encryption isn't a good idea sometimes.
by Astinsan January 16, 2008 12:07 PM PST
Some encryption systems have tripwires and fail-safes for brute-force attacks. I wouldn't recommend a brute-force attack to break a password on some setups. Unless you can read-only the drive on a Unix-like system.

The guy who was caught... He should have got PGP. Zip passwords have never been safe. Guess he thinks like a child too.

To all those who like employment. Never Ever Ever use a company computer to do personal stuff. Surf porn at home.

Then there is the Identity theft issue:
Most companies Lease equipment. Sometimes you aren't told when computers are being switched out. You could have banking information, passwords..etc.

I have purchased off lease systems and found so much private information on them. Email, Passwords, DOB, Tax Forms.. you name it.
PKWARE SecureZip
by john55440 January 16, 2008 12:21 PM PST
The default of PKWARE SecureZip for Windows (currently free) is AES 256-bit with strong passphrase.

(It can also do unencrypted Zips.)

The next time my computer breaks, the repair techs won't be able to read my financial records.
Better systems already available
by ReyBrujo January 16, 2008 12:22 PM PST
You have, for example, TrueCrypt (http://www.truecrypt.org/). It basically creates a huge file which is used as an encrypted hard drive, and then disguises it in the hard drive. You can also have a two level protection: you have a password to unlock a file, and another to unlock a second. Fill the first one with common stuff, legal papers, etc, and the algorithm makes sure nobody can recognize you have another virtual hard disk hidden there.
One nitpick.
by Penguinisto January 16, 2008 1:50 PM PST
If TrueCrypt exists on your system, then they'll already know de facto that you're likely to have hidden files there and will go looking for them, by simple proof of having the binaries to crypt/decrypt on your hard disk.

/P
I can't believe...
by MadLyb January 16, 2008 1:03 PM PST
...that people are posting suggestions on how a pedophile could have prevented access to evidence to convict.

How about a little perspective?!
Agreed.
by Penguinisto January 16, 2008 1:56 PM PST
A smart criminal (of any type) will already have done the research.

On the other hand, a lot of these 'suggestions' are ludicrous and IMHO silly. Take TrueCrypt for instance. If the computer forensics guys find the executables to run that on your machine, then obviously you're likely to have a TrueCrypt partition/file lurking on the machine, and it won't take long to find out where it is. I don't care how many times you try to nest it, a good hard scan can and will find the parts they need.

It doesn't guarantee that the encryption can be broken, but most DA's are smart enough to know that during an investigation, you either set up a dummy site to draw the idiots in, or you find other means by which to prove guilt, so it won't matter if your entire hard disk were encrypted with 4096-bit SHA-1 and a 254-character long passphrase... you'd still be found guilty from all the other evidence.

/P
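The "good hard scan" the two comments above argue about is, in practice, a pass over the file system for data that looks uniformly random and carries no recognisable header. As an added example (not code from the page or from any forensic product), here is that triage in Python: a TrueCrypt-style volume has no magic bytes, a size that is a multiple of 512 and a statistically uniform byte distribution, so files that match all three go on the list. The sample files are constructed in memory, and the thresholds and the magic table are assumptions for the demo.

```python
"""High-entropy scan for candidate encrypted containers.  Added example, not
code from the page or from any forensic tool; the samples are constructed in
memory and the thresholds and magic table are assumptions for the demo."""
import gzip
import math
import os
from collections import Counter

KNOWN_MAGIC = {  # a few common headers; a real scan would consult libmagic
    b"PK\x03\x04": "zip", b"\x1f\x8b\x08": "gzip", b"\x89PNG": "png",
    b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg", b"\x7fELF": "elf",
}


def shannon_entropy(data):
    """Bits per byte: 8.0 is the ceiling, uniform random data sits just below it."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def chi_square(data):
    """Chi-square statistic against a uniform byte distribution (255 degrees of
    freedom).  Random data lands near 255; prose scores orders of magnitude higher."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(data, min_size=64 * 1024, min_entropy=7.98, max_chi=350.0):
    """Label one file's bytes for a triage list."""
    for magic, kind in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return "known-format:" + kind
    if len(data) < min_size:
        return "too-small"  # statistics on a few hundred bytes mean little
    if shannon_entropy(data) < min_entropy or chi_square(data) > max_chi:
        return "structured"  # text, sparse or otherwise non-uniform data
    if len(data) % 512:
        return "high-entropy"  # random-looking but not sector-aligned
    return "container-candidate"


def scan(files):
    return {name: classify(data) for name, data in files.items()}


# constructed samples: a "volume" of random bytes, prose, a gzip member, odd sizes
SAMPLES = {
    "vol.dat": os.urandom(1 << 20),
    "notes.txt": b"Brownsville Fire Department incident log, entry follows.\n" * 2000,
    "log.gz": gzip.compress(b"x" * 100000),
    "blob.bin": os.urandom((1 << 20) + 100),
    "tiny.bin": os.urandom(512),
}

if __name__ == "__main__":
    for name, label in scan(SAMPLES).items():
        print(f"{name:10s} {label}")
```

The list is triage, not proof: a raw Deflate or LZMA stream with its header stripped, or a partition that was wiped with random data, scores exactly the same. And finding an outer TrueCrypt volume this way says nothing about whether a hidden volume sits inside it, because TrueCrypt fills the outer volume's free space with random data by design; that is the point of the hidden-volume feature the earlier comment describes.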
Sucks to be him...
by Penguinisto January 16, 2008 1:48 PM PST
Seriously - if it were actual kiddie porn, and he was trying to encrypt it, then it sucks to be him when they pop the encryption.

IMHO, no one should be legally forced to give up their encryption keys/passwords/etc for any reason (in the US due to Privacy rights, Fifth Amendment, etc). OTOH, if there's a warrant and the encryption gets popped, then that's the defendant's problem.

There are a ton of ways the guy could still get out of it (proof of identity theft, hijacked computer, etc), but encryption? Nope - it's fair game if the forensics guys can break it.

/P
I agree
by The_Decider January 16, 2008 2:19 PM PST
He gets what he deserves.

Although I wonder if he is going to sue them for violating the DMCA? :)~
I wonder where the line is drawn...
by wshawn January 25, 2008 4:32 AM PST
I know of a local medical doctor who purchased a computer off of eBay for home use. Due to his work hours he had it shipped to his office. The computer remained unopened and unused. Just a few days later the state and local law enforcement had him in cuffs for purchasing a computer from an individual/company who had just been shut down for using eBay to send out massive amounts of child pornography on a hidden partition.

The Doctor is still incarcerated years later after being forced to plea bargain due to them freezing his assets. He will never practice medicine or see the light of day as a free man for a VERY long time.

Seems the elected officials were more interested in looking good in the press than doing their jobs.

My advice: DBAN all systems/drives when getting them and before actual usage.

It is a long documented fact that the FBI and other US agencies have asked for back doors into encryption schemes.

The single best option you have is to use open source technologies not centered in the US if you want real privacy.

The real problem I see here is that in order for a few to be caught the many are being placed in a position where we have no real privacy.

A perfect illustration of this is Vista and the mentality MS has that they can choose how you use your computer and what data they deem fit.

Anyone ever wonder how they get the information to make that choice?

If the guy is messing with kids, lock him up. The article states the file was found in his external drive.

In some areas, external drives do not have the same privilege as regular drives (inside a system) if they are left in the open.

When they cracked his password it would probably indicate him as the culprit as most people are stupid and lazy and pick passwords relating directly to them.

The original file will also have tags inside the header pointing the originator, which of course may be him also.

If the guy was stupid and let someone else borrow his drive then it really does suck to be him.

We work on a lot of client systems and some of that involves pulling their data, intact, to our server, and then placing it back on the system later.

We have a policy of placing that data in a directory structure matching the name and invoice number.

We also have a 6 month DBAN policy on every drive.

dban.sourceforge.net
Difficult to believe...
by mikalg February 18, 2008 11:08 AM PST
I do not know of the case you refer to; however, I find it dubious in the extreme. I cannot imagine a prosecutor's office pursuing a case based upon the facts you have given, let alone a jury conviction of same. Clearly, prosecution presented facts within the courtroom that damned this "poor doctor" to a significant sentence that we/I do not have access to from your post. I hesitate to provide possible reasons/facts for this case without information about the case itself; however, "good faith" purchase rules (of even stolen property) protect citizens from prosecution when they meet the criteria. I would assume some prior knowledge of the "content" by the doctor based upon a conviction of this nature. Other than that, I cannot fathom a single reason a jury would convict. I do agree with your "protection" ideas; they do seem to be quite practical and possibly effective.
by omarnyc January 13, 2009 12:48 PM PST
"Difficult to believe... "
QUOTE
I find it dubious in the extreme. I cannot imagine a prosecutor's office pursuing a case based upon the facts you have given, let alone a jury conviction of same.

*********

please refer to SLATE.com

Why Would a Virus Look at Kiddie Porn?
Malicious code that makes your computer visit illegal Web sites.
By Tony Romm
Posted Friday, June 20, 2008, at 5:13 PM ET

On Monday, a Massachusetts court dismissed child-pornography charges against Michael Fiola, a state employee. It was alleged that the 53-year-old had accessed the illegal material at work, but an extensive forensic investigation (PDF) of his computer revealed that viruses and other malicious programs, 25 of them, to be exact, were the culprits. Why would someone create a virus that downloads child pornography?

So other people could secretly view the porn. Fiola's computer had been taken over remotely by "botnet" operators, who lowered its security protections and may have sold child-porn enthusiasts access to the machine. This enabled people to view illegal images and videos by storing them in Fiola's Temporary Internet Files cache, as opposed to their own computers. Fiola remained oblivious to the tampering because the bot operators made sure they didn't slow down the computer too much by consuming lots of memory.
However, not all of the porn on Fiola's computer arrived as a result of human activity. According to the forensics report, his workstation was often processing 20 to 40 pornographic Web pages per minute, a rate no human could sustain. This suggests that Fiola's computer was used as part of a larger "click fraud" scheme involving legal porn sites. Under a pay-per-click advertising arrangement, Web content providers profit whenever a user clicks an ad on their page. Unfortunately, this system isn't too hard to manipulate: An unscrupulous webmaster can hire a botnet to make infected computers click on his advertisers' links. The most lucrative click-fraud schemes are those that target the best-paying ads, many of which are pornographic. And because some bots are able to navigate the Web without first opening an Internet browser window, affected users are often oblivious to any misconduct.
by Practical_Paranoid September 17, 2009 10:07 AM PDT
I use a multilayer system. Yes it takes some time to get at my stuff, but at least it is safe from unmentionables that would use my inventions as agencies of death. i.e. army, marines, police, DHS, and others.