Cryptographic Lock Baffles the FBI


Cryptography: The art of writing or solving codes.

Daniel Dantas: A Brazilian banker who was arrested in 2008 for attempting to bribe a police officer. He is also suspected of money laundering, embezzlement and other financial crimes. More importantly, the cryptographic locks on his numerous hard drives have stymied not only the South American authorities but also the FBI.

That’s right — since July 2008, when Dantas was arrested, the FBI and officials throughout South America have tried fruitlessly to decrypt files held on the banker’s hardware (a story I first saw this morning on the Schneier on Security blog).

As The Register, a UK-based technology news site, states:

The files were encrypted using Truecrypt and an unnamed algorithm, reportedly based on the 256-bit AES standard. In the UK, Dantas would be compelled to reveal his passphrase under threat of imprisonment, but no such law exists in Brazil. The Brazilian National Institute of Criminology (INC) tried for five months to obtain access to the encrypted data without success before turning over the job to code-breakers at the FBI in early 2009. US computer specialists also drew a blank even after 12 months of efforts to crack the code.

A full year of diligent work from highly-intelligent code breakers and still nothing? Dantas seems to have chosen the right encryption software and password. We’ve seen that choosing a secure password, though very important, seems difficult for many to do. In an article we ran back in April entitled “The Real Enemy,” we highlighted the ignorance of many password-choosers.

Back in 1990, a Unix password study revealed that the most popular password was “12345.” Today, even with the proliferation of hacking and data security warnings, the most popular password, chosen by 320,000 users on RockYou [a web app company], was “123456,” an entire digit longer. This was followed by the 1990 favorite “12345” and then, creatively enough, “123456789” and “password.” About 20% of the people on the site picked from a relatively small pool of only 5,000 passwords. According to the data security firm Imperva, these poor passwords mean that “with only minimal effort, a hacker can gain access to one new account every second or 1,000 accounts every 17 minutes.”

It’s 2010 and it seems only Dantas and a handful of others are successful at securely encrypting their sensitive data. What can we learn from this? Choose better passwords, engage encryption software if necessary — and the FBI isn’t as smart as we think.
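To put “choose better passwords” into numbers: the 256-bit AES key protecting a volume like Dantas’s is only as strong as the passphrase it is derived from, so an attacker never attacks the key, only the passphrase. The script below is an added example, not code from the original post or from TrueCrypt. It models a volume header as a salt plus a key check value derived with PBKDF2 (a simplification of how TrueCrypt really verifies a passphrase), runs a small dictionary attack with a constructed top-ten list modelled on the RockYou ranking above, and compares the entropy of a password drawn from a 5,000-entry pool with a six-word random passphrase and a raw AES-256 key. The guess rate, the iteration count, the user names and the passphrase are all assumptions.

```python
"""Added example: why the passphrase, not the 256-bit key, decides how long
an encrypted volume holds out.  Not code from the original post or TrueCrypt."""
import hashlib
import hmac
import math
import os

# Constructed wordlist: the first four entries follow the RockYou ranking
# quoted in the post; the rest are illustrative filler.
COMMON_PASSWORDS = [
    "123456", "12345", "123456789", "password",
    "iloveyou", "princess", "1234567", "rockyou", "12345678", "abc123",
]

SECONDS_PER_YEAR = 31_557_600


def entropy_bits(pool_size: int, length: int = 1) -> float:
    """Bits of entropy in a secret built from `length` independent picks,
    each uniform over `pool_size` options (characters, words, or whole passwords)."""
    return length * math.log2(pool_size)


def expected_seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker trying `guesses_per_second` candidates:
    on average half the space has to be searched before the hit."""
    return (2 ** bits) / 2 / guesses_per_second


def derive_key(password: str, salt: bytes, iterations: int = 1000) -> bytes:
    """Stretch a passphrase into a 256-bit key with PBKDF2-HMAC-SHA256.
    1000 iterations is an assumed, deliberately low, work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def make_volume_header(password: str) -> dict:
    """Simplified header: a random salt and a key check value (an HMAC of a
    fixed tag under the derived key) that lets a decryptor verify a guess."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    return {"salt": salt, "check": hmac.new(key, b"volume-check", hashlib.sha256).digest()}


def passphrase_matches(header: dict, guess: str) -> bool:
    key = derive_key(guess, header["salt"])
    candidate = hmac.new(key, b"volume-check", hashlib.sha256).digest()
    return hmac.compare_digest(candidate, header["check"])


def dictionary_attack(headers: dict, wordlist: list) -> dict:
    """Try every word against every header; return {owner: recovered passphrase}."""
    cracked = {}
    for owner, header in headers.items():
        for guess in wordlist:
            if passphrase_matches(header, guess):
                cracked[owner] = guess
                break
    return cracked


def demo(guesses_per_second: float = 1e9) -> dict:
    """Run the attack on constructed users and report the entropy comparison.
    `guesses_per_second` is an assumed offline attacker rate."""
    users = {                       # constructed sample, not real data
        "alice": "123456",          # top of the RockYou ranking
        "bob": "princess",          # elsewhere in the constructed top ten
        "carol": "violet harbor lantern cobalt marble thistle",  # 6 random words
    }
    headers = {name: make_volume_header(pw) for name, pw in users.items()}
    pool_bits = entropy_bits(5000)            # one pick from the 5,000-entry pool
    words_bits = entropy_bits(7776, 6)        # six words from a 7,776-word list
    return {
        "cracked": dictionary_attack(headers, COMMON_PASSWORDS),
        "pool_5000_bits": pool_bits,
        "six_words_bits": words_bits,
        "aes256_bits": 256.0,
        "pool_5000_seconds": expected_seconds_to_crack(pool_bits, guesses_per_second),
        "six_words_years": expected_seconds_to_crack(words_bits, guesses_per_second)
        / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two weak users fall to ten guesses each; the six-word passphrase does not, and at a billion guesses a second it would take millions of years on average, which is the position the investigators in the story found themselves in. Note that the 256-bit figure never enters the attacker’s cost: a 12-bit passphrase gives a 12-bit key, however the key is derived.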

The Supreme Court’s Sarbanes-Oxley Ruling in Plain English

If you’re like me, you’re not that smart. And when you read complicated articles like this New York Times breakdown of Monday’s Supreme Court decision involving Sarbanes-Oxley, your head starts to hurt a little. Wait? What exactly happened? Will this change anything for companies?

Fortunately, Anand Rao, partner at Diamond Management & Technology Consultants, is an expert in the history of and the controversy surrounding Sarbanes-Oxley and can clearly explain exactly what you need to know about the Supreme Court’s ruling.


Jared: What was the main controversy about Sarbanes-Oxley that the Supreme Court was ruling on?

Rao: Sarbanes-Oxley was passed in 2002 as a response to some of the accounting issues related to Enron and Worldcom. The law created the Public Company Accounting Oversight Board (PCAOB) to regulate the accounting industry. The five board members were accounting specialists appointed by the Securities and Exchange Commission. The SEC could remove board members if there was a good cause to do so.

Free Enterprise Fund, a nonprofit advocacy group, along with a small Nevada accounting firm Beckstead and Watts challenged the creation of the PCAOB in Sarbanes Oxley, specifying that the removal of board members by the commission for just cause contravened the separation of powers in the U.S. Constitution as it gave wide-ranging executive power to board members without subjecting them to presidential control.

Jared: Why did the Court rule against this structural set-up?

Rao: With a 5-4 majority ruling, the Supreme Court declared that the act “not only protects Board members from removal except for good cause, but withdraws from the President any decision on whether that good cause exists.” It claimed that “by granting the Board executive power without the Executive’s oversight, this Act subverts the President’s ability to ensure that the laws are faithfully executed.” To remedy this situation the Supreme Court has ruled that the SEC now may remove the Board members at will, without the need to demonstrate a good cause.

However, the Supreme Court made it very clear that this had no bearing on the remaining aspects of the Sarbanes Oxley Act by stating that the “unconstitutional tenure provisions are severable from the remainder of the statute.” So for all practical purposes, there will be no change to the way PCAOB operates.

Jared: Will the change have any effect on companies? How about risk and compliance employees? Insurance companies?

Rao: Although the Supreme Court ruling impacts how board members may be removed, it has no impact on what public companies need to do. All public companies will continue to be subject to the same requirements as before under the Sarbanes Oxley Act and there will be no change to the operational functioning of the public companies. Similarly, there will be no impact to risk and compliance employees or insurance companies – it’s just a re-validation that the act is here to stay.

Safety, Economics and Rap

As someone who actually listens to hip hop regularly, it is usually painful to see PSAs, commercials or really any organizational attempt to use rap as a method to appeal to the younger generations. The whole presentation and execution are usually just really, really poorly done and end up just embarrassing the creators and, ironically, making them look old and out of touch in the process.

But once in a while, I actually come across a decent one — like this “Safety Rap” made by Dominion Virginia Power that I just found at the Risk and Safety Blog. The beat is very Dr. Dre and the hook is sort of catchy. Nice job.

This economic theory battle rap featuring the lyrical stylings of John Maynard Keynes and F. A. Hayek is pretty good, too. Hayek can actually flow. Who knew?

The Pitfalls of Certificates of Insurance

In tough times, finding new ways to cut your insurance costs is important. But sometimes savings go hand in hand with risks. In the latest online-only article from Risk Management, Dr. William Warfel, professor of insurance and risk management at Indiana State University, and Dr. Stanley Adamson, the Baker Chair of Insurance at Missouri State University, discuss the perils of overreliance on certificates of insurance.

Shifting the responsibility to procure insurance coverage to a business partner is a useful strategy for reducing insurance costs, but it is not without risk. Relying solely on the resulting certificate of insurance can be problematic. If commercial property/casualty insurance coverage is not in place as anticipated, or otherwise fails to respond as anticipated to a loss because of an unknown coverage limitation, the firm may find itself unexpectedly underinsured.

For more information on an often-overlooked insurance tool, be sure to read their article exclusively at