Slashdot Mirror
FBI Bugs Keyboard of PGP-Using Alleged Mafioso
Sacrifice writes "The Philadelphia Inquirer reports on a criminal case which will challenge the authority of courts to permit FBI agents to surreptitiously plant keystroke-monitoring bugs, which are not regulated by current federal wiretap legislation. Also, David Sobel from EPIC notes that it is now a matter of record that the FBI can, and does, conduct surreptitious entries to counter the use of encryption (see FBI application for breakin and the court order granting permission)."
I don't think you are aware of the FBI's history with repect to monitoring its citizens. An example of recent events was shown on Monday night's 60 Minutes. Two citizen's are in jail right now because of 24 hour FBI monitoring allowed by the law (when the law is misapplied). The FBI went to great lengths to misapply the law.
"notable for its lack of evidence"
"a secret court made up of anonymous judges"
"secret permission can be obtained to break in and tape conversations without Fourth Amendment guarantees"
In this example, the FBI had a court order -- a secret court order -- giving them every right to tap these guys' lives.
Your slippery slope argument of total anarchy resulting from the FBI not being allowed to invade the privacy of U.S. citiznes is ridiculous.
I am a lot more concerned about the FBI reading my personal files and deciding I'm a criminal and the consequences of that than any "mafioso", child pornographer, or terrorist. Unlike the latter group of "criminal" elements, the FBI is actually in a position of power such that it can destroy my life if the FBI so chooses.
Amendment IX
The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.
I can secure my papers against unreasonable searches and seizures. Email is just modern paper. If I send it to my brother I can secure it.
Not all rights are mentioned in the bill of rights, as the document specificly allows, which are despite not the lack of mention still retained by the people. Thus the right to private converstation, or for that matter privacy itself is still a right even if not mentioned.
The US goverment is not given right to take away those rights.
If the FBI can get a warrant to bug a specific person's keyboard, I've got no problem. It's no different from any other kind of search.
What bothers me is that the FBI doesn't seem to want to have to bother with warrants. They want to be able to just tap at will (as evidenced by previous attempts at laws to get the ability to search without a warrant), and that's just plain wrong. They've forgotten that there are more important aspects to the law than enforcing it; the law is there to protect the people from others... including law enforcement.
----------
Just a thought. Maybe it's a dumb one.
---
seumas.com
If this guy really was a Mafioso and didn't realize this kind of thing was possible the Mafia really need to hire somebody who knows the fundamentals of information security. My hourly rates are reasonable, and I'll take payment in the Cayman Islands if it suits :)
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
If you haven't done anything illegal, you have nothing to hide.
Wrong way around, if you havn't done anything illegal then the state has no business snooping in the first place.
The idea that given the power the state will only herass criminals has been proven time and time again to be nonsense. Indeed criminals are typically way down the list...
Real lesson: if you want your data protected, don't put it in a computer.
Putting a flash-based keystroke recorder into any detached keyboard would be a relatively simple matter; you get power and data directly from the cable and stash the data on the card. You could send the data to an external device using something like Bluetooth. If it was done to your keyboard, how would you detect it? Do you have seals on the case and examine them every day? I sure don't.
I think the lesson here is actually one of guarded optimism: breaking PGP is still beyond the FBI, so they have to use physical intrusion to get access to the keys. This burden makes it utterly impossible to perform fishing expeditions on encrypted e-mail or computers in general (Van Eck/Tempest monitoring notwithstanding). I feel a whole lot better about this than I do about things such as Carnivore.
"
/ \ ASCII ribbon against e-mail
\ / in HTML and M$ proprietary formats.
X
/ \
Time is Nature's way of keeping everything from happening at once... the bitch.
If the machine went down or you got disconnected without saving, you could replay the journal file to recover your edits.
The cool thing was that this worked by literally replaying your keystrokes back into the editor, so you got to see your edit session happen over again at high speed.
So I quickly found I could make zippy little ASCII animations by laboriously editing out frame after frame of the pictures in an animation and then turning the terminal off when I was done. Turn the terminal on, log in, and replay the journal! Better than animated GIFs! Kids these days... Much to the chagrin of many people who thought they had kept something a secret, Microsoft Word does this too, with its "Fast Save" - it just saves deltas of each edit, rather than the whole file each time you save. It just does the replay in memory when it opens the file, but it is possible to see the changes, not just with a low-level editor but with Word itself. From The Forum on Risks to the Public in Computers and Related Systems:
Michael D. Crawford
GoingWare Inc
-- Could you use my software consulting serv
That, plus a Linux box that can only be booted from a floppy that you have on you at all times, plus some encrypted file systems that you unmount religiously when you're not using them would be a pretty tough nut to crack.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
kitchen timer
matches
flashbulbs
batteries
kerosene
glass bottles(emptied milk or juice bottles will due)
tubing
several feet of wiring
anarchist's cookbook
(Begin Rant)Whether these things are for a science project or some nut with half a brain it is their right to WRITE IT in private without some other nut with the other half of the brain breaking the door down when a VegiOmniCarniWhateverBot starts blaring "Danger Will Robinson, Danger Will Robinson!"(End Rant)
Is this the end yet?...How 'bout now...how 'bout now...how 'bout now?
When I read stories such as this one, a saying common in the security industry immediately comes to mind:
If the "attacker" (in this case, the FBI) can obtain physical access to your system, just about any protection can be broken. Perhaps with a laptop that you keep on your person at all times, you might be able to feel secure, assuming you can trust the operating system, the laptop manufacturer, the CPU and auxillary chip production plants, and the original chip designers.
Stare too long into the abyss of paranoia, and the abyss starts to stare back...
I do not deploy Linux. Ever.
How much longer before they follow the lead of the U.K. and have the ability to imprision me for refusing to provide my cryptographic key.
Where does the 4th amendment end and the 5th amendment begin?
I do not deploy Linux. Ever.
On to my second, completely different point. There are three ways for the government to retrieve the information stored in the bug.
1. Leave it in the computer and retrieve it later with a search warrant. They did not seem to do this, although it may have been the best idea for them. One problem with this method would be if the bug detector was discovered in any way, they would have no data at all, rather than just a halt in the stream. Also, he may destroy the computer upon getting searched (a mor likely problem).
2. Broadcast it over the Internet. Not likely at all. If this guy was "computer literate" as the article says, he would be monitoring all ports into and out of his system, and would almost have to be using NT, Linux or a BSD (to support encrypted filesystems, unless he went with the whole route of no-swap (info is never stored on disk), which I'm not sure can be impleneted in windows 9x). So this would be a dumb methd, too. 3. Radio. They can send the information out over radio waves. This would allow for a stream of information that would still be evidence even if it were interrupted. The thing with this is that what kind of organized crime don does not use a bug detector?!? They are not expensive, and monitor almost all frequencies commonly used by bugs. The only way around this would be burts transmission, which the article does hint at.
To top it off, you can't think a computer is unbugged unless it never leaves your side (or the side of someone you trust; trust is as necessary in this kind of security as in encryption). Oh well, this post will never get read because it is now at the bottom of a heap of posts, and moderators never browse newest first. Blah.
"He's more machine now than man, twisted and evil."
Besides, I bet there's not one person reading this who hasn't done anything illegal. Let's forget for a moment traffic offenses and focuse on criminal ones. Did you ever smoke before you were 18? Drink before you were 21? Use an illegal drug? Sneak into a movie theatre without paying? Eat a grape in the supermarket? Commit a drive-by shooting? Did you pay for Netscape after the trial period? How about Winzip? How about winamp, before AOL made it free? Do you own any mp3s that you haven't gotten permission from the copyright owner for? Ever make a copy of a videotape without permission from the copyright owner? Did you ever use RSA for commercial purposes (such as at work) before the patent expired without paying? Did you put in your real information when you obtained a licence to use Real Player? Ever participate in a super bowl pool? Ever install a copy of software you weren't legally licensed to install (including shareware after the trial period had expired)? Have you ever mutilated a U.S. coin? Do you report all items that you've bought over the internet or in another state but not paid sales tax on your state income tax? Have you ever fudged a number on any of your income taxes?
Have you ever knowingly allowed someone to do any of these things, and therefore been guilty as a co-conspiritor?
Now, assuming that you have done at least one of these things, should you have gone to jail? On the other hand, if you haven't done any of these things, and think you've never done anything illegal in your life (including knowingly allowing others to do illegal things), I'd like to hear from you.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
lessee...
# depmod -a
# modprobe \*
[dmesg] "unknown keyboard device found - driver not loaded. continuing."
aah - thanks linux! I knew you'd save my butt someday.
--
--
"It is now safe to switch off your computer."
So ask yourself, which is more important to you, seeing mob bosses, terrorists, and child pornographers get caught before they can hurt
anybody, or protecting yourself from having some FBI bureaucrat reading over your shopping list?
I think that's kind of naive. Have you ever actually spoken to an innocent person who got f*cked over by people abusing their powers? A lot of the people doing this surveillence live in a twisted little paranoid world where they see guns in every shadow of innocent activity, and they sometimes act on these innocent things in ways that level headed people wouldn't. And if the law doesn't protect you from such violation of rights, (which it often doesn't) you can kiss your way of life goodbye.
Sure, there are more criminals having their rights abused than there are innocent parties, and we all know that criminals are, like terrorists, 2d cardboard cutouts whose sole motivation in life is to hurt us and so we should hurt them back, but every erosion of privacy is individually justifiable. The problem is that the next thing you know, you'll have bad cops raking in the $$$ selling your business secrets to your competitors, your unlisted phone number to tele-marketers, your spending details to advertising consultants, and if you try to raise a fuss, they'll deny everything, stop you dead in your tracks with National Security, and you'll be a laughing stock in your community forever for making such paranoid wacko claims.
It's an exotic threat next to having a car drive into you on your way home from work tommorow, and perhaps not as deserving of as much worry, but that doesn't mean we should just lie back and let it happen.
Abuse of power is real. Just because it hasn't happened to you doesn't mean it doesn't happen.
Of course, it's more difficult when 99 percent of the people you communicate with do not
I had that problem. And even bigger problem though was that all the cryptography programs and sites I found were aimed at advanced users who were already familiar with crypto. It was an inpenetrable wall.
Perhaps I was looking in the wrong places, but someone needs to make an ultra-dumbed down installer that could let your grandmother start using crypto. Then we'll be getting somewhere.
Why not have a PDA-sized unit with PGP installed as firmware. You could keep your key on a flash-memory card in your wallet. The unit would never need to leave your person. Enter the plaintext, the unit encrypts it, upload the encrypted message your computer.
Browser? I barely know her!
Since when is a microcontroller and a battery cutting edge? I want to know what about this keystroke recorder is so freakin' high tech that they can't even talk about it.
Now, I know that a lot of people around here are going to go off and start screaming about having your rights violated, but the fact of the matter is that the FBI had a court order here! They had every right to tap this guy's computer.
If the FBI couldn't do things like this, they'd have no power to enforce the laws of this country, we'd have total anarchy, and having someone monitor your keystrokes would be the least of your problems!
So ask yourself, which is more important to you, seeing mob bosses, terrorists, and child pornographers get caught before they can hurt anybody, or protecting yourself from having some FBI bureaucrat reading over your shopping list?
--
The most valuable commodity I know of is information. - Michael Douglas as Gordon Gekko, Wall Street
You could type "I accept suitcases full of cash in exchange for contraband" at a random and inappropriate time, and it would be logged, even though your sentiment was not reflected in any saved file or communication.
Creepy, when you think about it. How many times have I thought better of saying something in chat or email, for fear of it being interpreted the wrong way, and erased it before sending? More than a few times, anyways. If my employer or my gov't had tapped those messages at the keystroke level, I might as well have sent them the moment I typed them. Ugh.
-Isaac
I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
It seems to me that this tale shoots down the government's primary argument for trying to restrict the public's use of cryptography. Their battle cry has been "we must be given the crypto keys, otherwise we won't be able to conduct the sort of wiretaps we've gotten used to". But as this story demonstrates, they can still conduct wiretaps the same way they always have - by physically going out and tapping some wires. Bravo, FBI boys!
Research what laptop will run Linux real well.
Get some cash together and drive to a distant city and buy a laptop right off the store shelves. There won't be a chance for anyone to plant a bug in it.
Wipe the hard drive and install Linux on it. Install the Linux encrypting kernel and keep all your real files on an encrypted volume.
Install Tripwire on the machine - it verifies the integrity of important files to be sure they aren't patched.
Learn how to administrate your machine effectively. Always log in as a non-priveliged user and never become root unless you really need to.
Learn about security and tighten down your machine. If you care about security on your laptop you're not going to be running a webserver but I bet a lot of you are running both Apache and SAMBA on a standalone user machine without even knowing it. The more services that are disabled the less anyone can screw with it, even on a non-networked machine.
Don't ever let the machine leave your sight. If you have to put it away, lock it in a safe. Do something to the safe that will enable you to tell if someone's blackbagged you - something like the trick of wedging a matchstick in your door when you leave, but something more concealed. If you find the matchstick on the ground when you return, someone's opened your door.
Best of all don't use a computer for anything of real importance. You can find out why you shouldn't by reading The Forum on Risks to the Public in Computers and Related Systems for a while.
Michael D. Crawford
GoingWare Inc
-- Could you use my software consulting serv
Perhaps you hold political opinions that are unpopular with the current administration. Maybe you have your local mayor upset at you for campaigning against him last election. Maybe you are a journalist who has published stories that upset the FBI. Perhaps your ex-girlfriend has taken a job in the local field office.
Get the wrong people mad at you, and you too may find out that government agents have added some tiny components to your computer...
When the sources for your news stories are found dead from a "self inflicted" park in Washington
When you lose every project you bid on to competitors who underbid you by exactly 3%
When the conservative christian boss of your same-sex lover "somehow" gets a copy of your last mash note.
When somebody says "If you aren't guilty of any crimes, you have nothing to fear", remember it's not question of whether you are guilty of crimes against the law, it's not a question of paranoia. The question is, have you committed a crime against somebody else's god, have you done anything that somebody else wishes was against the law, is there anybody who would benefit from hrting you?
If the answer is "yes" to any of the above, then you do have something to fear from this sort of "wiretap" activity.
I do not deploy Linux. Ever.
The article missed one important point -- they were intercepting communications!. Even though it's from keyboard to computer, it's still communications over a wire (unless via a IR port). If it's software instead of a hardware unit, it is still intercepting the keyboard messages as it gets passed through the message queue (and windows). And if it was not authorized, it would be a federal crime of unathorized access to a computer.
Fight Spammers!
Of course, it's more difficult when 99 percent of the people you communicate with do not -- either because of lack of initiative, understanding or capability, use encryption and wouldn't know or care what to do with the encrypted information you send them.
---
seumas.com
I think you're serious, so here's my answer: It is more important to me to protect myself from having FBI agents (not bureaucrats, agents) reading my shopping list, my political manifestos, my notes on how to protect myself from script kiddies (proof positive that I'm a hacker, after all), and my (probably) fictional account of Dubya and Jim Baker exchanging bodily fluids (not intended for publication).
The FBI has proven that it is not above using its power for political purposes.
If the FBI were not free to violate the 4th amendment, we wouldn't have anarchy -- we'd simply have a tolerable FBI. Do you really believe they'd have (your words) no power if they had to respect the 4th amendment?
This isn't really any different than what the FBI goes through to put a tap on the telephone line. When they're going after organized crime, this sort of thing is both necessary and proper -- as long as it is governed by due process of law and nobody's privacy is needlessly invaded.
And the brethren went away edified.
Why You Should Use Encryption
In the article, I try to discuss in as approachable and as convincing a way as I can why everyone, even your mom, even your kids should use cryptography.
Michael D. Crawford
GoingWare Inc
-- Could you use my software consulting serv
It ran in only 8 kb of memory and we specifically advertised that it would capture:
- Text that was backspaced over
- Text that was typed and then highlighted and deleted
- Text that was typed and never saved
- Text that was saved but lost due to file corruption or accidental file deletion
It would save everything, even your backspace characters. You could use those to help you reconstruct your file.Last Resort Programmer's edition will save menu key equivalents to aid testing and debugging and tech support. It helps you reconstruct the sequence of events before a crash.
And yes it would capture passwords but we had the option to pause it or disable it entirely.
I wrote the Mac version but it's available also for DOS and Windows (written by other guys).
Although we tried to make it very obvious when Last Resort was installed on a machine, we get occasional email from people asking how they can make it invisible. We don't tell them, but really if you want to make a hidden keystroke recorder it's pretty trivial.
Don't just worry about the FBI doing this to you - worry about your employer or loved ones. Not long after I shipped Last Resort, one of the editors of MacUser Magazine thanked me personally for it because he'd caught his girlfriend having an online affair - her hot and heavy emails were in his keystroke file.
He later wrote a novel that talked about a lot of software products with fictional names but that were obviously taken from real products. I'm proud to say that the faux-Last Resort saved the world in his novel.
Also I get occassional spam from companies selling keystroke recorders that aren't just invisible, but they encrypt the keystroke files and upload them to a location of your choice. They say this is meant for employee monitoring...
Such monitoring, by the way, has been held to be legal by the courts.
Michael D. Crawford
GoingWare Inc
-- Could you use my software consulting serv
The SCARIEST part of the whole thing is:
FBI attorney: The suspect uses something called PGP, which prevents us from viewing his email and, combined with other evidence we have gathered while surveiling him, constitutes probable cause that he is using his computer for legal activity.
Judge: Okay, go get 'im.
Software does not equal intent. Not with PGP, not with Napster, etc.
Goat sex free since 2001