This article is very interesting for two reasons. The first is:
A group led by a Princeton University computer security researcher has developed a simple method to steal encrypted information stored on computer hard disks.
The technique, which could undermine security software protecting critical data on computers, is as easy as chilling a computer memory chip with a blast of frigid air from a can of dust remover. Encryption software is widely used by companies and government agencies, notably in portable computers that are especially susceptible to theft.
The development, which was described on the group’s Web site Thursday, could also have implications for the protection of encrypted personal data from prosecutors.
The move, which cannot be carried out remotely, exploits a little-known vulnerability of the dynamic random access, or DRAM, chip. Those chips temporarily hold data, including the keys to modern data-scrambling algorithms. When the computer’s electrical power is shut off, the data, including the keys, is supposed to disappear.
In a technical paper that was published Thursday on the Web site of Princeton’s Center for Information Technology Policy, the group demonstrated that standard memory chips actually retain their data for seconds or even minutes after power is cut off.
When the chips were chilled using an inexpensive can of air, the data was frozen in place, permitting the researchers to easily read the keys — long strings of ones and zeros — out of the chip’s memory.
“Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power,” Edward W. Felten, a Princeton computer scientist, wrote in a Web posting. “Just put the chips back into a machine and you can read out their contents.”
That’s cool enough, but this is just as cool:
The issue of protecting information with disk encryption technology became prominent recently in a criminal case involving a Canadian citizen who late in 2006 was stopped by United States customs agents who said they had found child pornography on his computer.
When the agents tried to examine the machine later, they discovered that the data was protected by encryption. The suspect has refused to divulge his password. A federal agent testified in court that the only way to determine the password otherwise would be with a password guessing program, which could take years.
A federal magistrate ruled recently that forcing the suspect to disclose the password would be unconstitutional.
Not that a child pornographer may be able to get away with his crime, but that you can password-protect your data and the government can’t force you to potentially incriminate yourself.