Slashdot Mirror

← Back to Stories (view on slashdot.org)

FBI Bugs Keyboard of PGP-Using Alleged Mafioso

Posted by michael on from the pretty-good-break-in dept.

Sacrifice writes "The Philadelphia Inquirer reports on a criminal case which will challenge the authority of courts to permit FBI agents to surreptitiously plant keystroke-monitoring bugs, which are not regulated by current federal wiretap legislation. Also, David Sobel from EPIC notes that it is now a matter of record that the FBI can, and does, conduct surreptitious entries to counter the use of encryption (see FBI application for breakin and the court order granting permission)."

13 of 301 comments (clear)

  1. Keystroke taps get EVERY keystroke, even pre-^H by isaac · · Score: 4
    Remember kids, your keystroke logger records EVERY keystroke. Typed out a phrase that might be a little too strong, but then thought better and erased it? Logged. No opportunity for revision, as soon as you press the key the FIRST time, the event is recorded, even if it was never saved to a file/sent in email/sent in chat.

    You could type "I accept suitcases full of cash in exchange for contraband" at a random and inappropriate time, and it would be logged, even though your sentiment was not reflected in any saved file or communication.

    Creepy, when you think about it. How many times have I thought better of saying something in chat or email, for fear of it being interpreted the wrong way, and erased it before sending? More than a few times, anyways. If my employer or my gov't had tapped those messages at the keystroke level, I might as well have sent them the moment I typed them. Ugh.

    -Isaac

    --
    I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
  2. This is GOOD news for crypto enthusiasts by Daffy+Duck · · Score: 4

    It seems to me that this tale shoots down the government's primary argument for trying to restrict the public's use of cryptography. Their battle cry has been "we must be given the crypto keys, otherwise we won't be able to conduct the sort of wiretaps we've gotten used to". But as this story demonstrates, they can still conduct wiretaps the same way they always have - by physically going out and tapping some wires. Bravo, FBI boys!

  3. Keep Your Laptop in a Safe, install tripwire by goingware · · Score: 4
    Well here's some security tips for you.

    Research what laptop will run Linux real well.

    Get some cash together and drive to a distant city and buy a laptop right off the store shelves. There won't be a chance for anyone to plant a bug in it.

    Wipe the hard drive and install Linux on it. Install the Linux encrypting kernel and keep all your real files on an encrypted volume.

    Install Tripwire on the machine - it verifies the integrity of important files to be sure they aren't patched.

    Learn how to administrate your machine effectively. Always log in as a non-priveliged user and never become root unless you really need to.

    Learn about security and tighten down your machine. If you care about security on your laptop you're not going to be running a webserver but I bet a lot of you are running both Apache and SAMBA on a standalone user machine without even knowing it. The more services that are disabled the less anyone can screw with it, even on a non-networked machine.

    Don't ever let the machine leave your sight. If you have to put it away, lock it in a safe. Do something to the safe that will enable you to tell if someone's blackbagged you - something like the trick of wedging a matchstick in your door when you leave, but something more concealed. If you find the matchstick on the ground when you return, someone's opened your door.

    Best of all don't use a computer for anything of real importance. You can find out why you shouldn't by reading The Forum on Risks to the Public in Computers and Related Systems for a while.


    Michael D. Crawford
    GoingWare Inc

    --
    -- Could you use my software consulting serv
  4. You are naive. by Nonesuch · · Score: 4
    It's not just a question of whether you have done anything illegal.

    Perhaps you hold political opinions that are unpopular with the current administration. Maybe you have your local mayor upset at you for campaigning against him last election. Maybe you are a journalist who has published stories that upset the FBI. Perhaps your ex-girlfriend has taken a job in the local field office.

    Get the wrong people mad at you, and you too may find out that government agents have added some tiny components to your computer...

    When the sources for your news stories are found dead from a "self inflicted" park in Washington

    When you lose every project you bid on to competitors who underbid you by exactly 3%

    When the conservative christian boss of your same-sex lover "somehow" gets a copy of your last mash note.

    When somebody says "If you aren't guilty of any crimes, you have nothing to fear", remember it's not question of whether you are guilty of crimes against the law, it's not a question of paranoia. The question is, have you committed a crime against somebody else's god, have you done anything that somebody else wishes was against the law, is there anybody who would benefit from hrting you?

    If the answer is "yes" to any of the above, then you do have something to fear from this sort of "wiretap" activity.

    --

    I do not deploy Linux. Ever.
  5. So, whatsamatter with you? by www.sorehands.com · · Score: 4
    As one person mentioned, a court order was done to permit this.

    The article missed one important point -- they were intercepting communications!. Even though it's from keyboard to computer, it's still communications over a wire (unless via a IR port). If it's software instead of a hardware unit, it is still intercepting the keyboard messages as it gets passed through the message queue (and windows). And if it was not authorized, it would be a federal crime of unathorized access to a computer.

    --
    Fight Spammers!
  6. Re:Calm Down! by slashfucker · · Score: 4
    i hope you're not serious, because you mangled the FUCK out of that quote. There is a great deal of confusion about who said that quotation, and how. The main consensus is that it was either Ben Franklin or Thomas Jefferson. Here are a few examples from around the net of how people attribute that quote:

    Benjamin Franklin
    "Those who would sacrifice liberty for safety deserve neither"
    "Those who would sacrifice essential liberty for temporary safety deserve neither."
    "Those that would sacrifice liberty to obtain a little temporary safety deserve neither liberty nor safety"
    "Those who will sacrifice vigilance for liberty deserve neither."
    "Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety."
    "Those who would sacrifice liberty for security deserve neither liberty nor security."

    Thomas Jefferson
    "Those who would sacrifice Freedom to gain Security, will not have, nor do they deserve, either."
    "Those who are willing to sacrifice freedom for safety, deserve neither."
    "A man that would sacrifice his freedom for security deserves neither."
    "Those who would sacrifice a little freedom in exchange for security will have neither."

    So who actually said it? Drum Roll please...

    Charles Louis de Secundat, the Baron of Montesquieu, or Montesquieu for short. In 1774, the ideological father of the Constitution wrote:

    "A man that would sacrifice his freedom for security deserves neither.
    The God who gave us life gave us liberty at the same time."     -Montesquieu, The Rights of British America
    So you are all obviously a bunch of cunts.

    Love,Slashfucker

    --
    Gee, looks like somebody doesn't want
  7. (Not So) Easy Answer by Seumas · · Score: 5
    Everyone should be using encryption for as much as they possibly can. When it is realized that 99.999 percent of decrypted information is fluff and noise, it'll be too much of an effort to process every bit of encrypted data. Otherwise, encrypting selectively is just like holding up a giant flag saying "read this!".

    Of course, it's more difficult when 99 percent of the people you communicate with do not -- either because of lack of initiative, understanding or capability, use encryption and wouldn't know or care what to do with the encrypted information you send them.
    ---
    seumas.com

  8. Get worked up! by geophile · · Score: 5
    So ask yourself, which is more important to you, seeing mob bosses, terrorists, and child pornographers get caught before they can hurt anybody, or protecting yourself from having some FBI bureaucrat reading over your shopping list?

    I think you're serious, so here's my answer: It is more important to me to protect myself from having FBI agents (not bureaucrats, agents) reading my shopping list, my political manifestos, my notes on how to protect myself from script kiddies (proof positive that I'm a hacker, after all), and my (probably) fictional account of Dubya and Jim Baker exchanging bodily fluids (not intended for publication).

    The FBI has proven that it is not above using its power for political purposes.

    If the FBI were not free to violate the 4th amendment, we wouldn't have anarchy -- we'd simply have a tolerable FBI. Do you really believe they'd have (your words) no power if they had to respect the 4th amendment?

    1. Re:Get worked up! by GMontag451 · · Score: 5
      This is America! You aren't going to be persecuted for harboring seditious ideas.

      Someone doesn't know his history very well. Every time this country has been in conflict with another country in the past 100 years or so, people with anti-government sentiments, or even people with backgrounds that might lead to anti-government sentiment have been rounded up and put into prison, internment camps, etc.

      Witness the most recent example, internment camps for the Japanese and Italians during world war 2. This was the cause of a direct exectuive order! Or how about all the people arrested during WWI and the period right after for being communist. There was even a law passed by Congress saying they could! Look up the Alien and Sedition Acts.

      So next time you just blindly assume that because we are in America, we actually have rights and crap, think a little harder.

  9. Could be much worse by CaptainCarrot · · Score: 5
    I'm far more comfortable with this sort of approach, where a single individual is monitored after law enforcement officials go through appropriate due process, than I could ever be with something like Carnivore which, with a slip of the configuration file, can indiscriminately intercept communications from anyone on the network.

    This isn't really any different than what the FBI goes through to put a tap on the telephone line. When they're going after organized crime, this sort of thing is both necessary and proper -- as long as it is governed by due process of law and nobody's privacy is needlessly invaded.

    --
    And the brethren went away edified.
  10. Please Read "Why You Should Use Encryption" by goingware · · Score: 5
    While I guess this goes to show that it's not unbreakable (do you keep your laptop in a safe at night?) I think in general it gives good motivation for why you should read my page:

    Why You Should Use Encryption

    In the article, I try to discuss in as approachable and as convincing a way as I can why everyone, even your mom, even your kids should use cryptography.


    Michael D. Crawford
    GoingWare Inc

    --
    -- Could you use my software consulting serv
  11. I wrote Last Resort - keystroke monitor by goingware · · Score: 5
    By the way, my very first commercial product was Last Resort, a keystroke recorder from Working Software.

    It ran in only 8 kb of memory and we specifically advertised that it would capture:

    • Text that was backspaced over
    • Text that was typed and then highlighted and deleted
    • Text that was typed and never saved
    • Text that was saved but lost due to file corruption or accidental file deletion
    It would save everything, even your backspace characters. You could use those to help you reconstruct your file.

    Last Resort Programmer's edition will save menu key equivalents to aid testing and debugging and tech support. It helps you reconstruct the sequence of events before a crash.

    And yes it would capture passwords but we had the option to pause it or disable it entirely.

    I wrote the Mac version but it's available also for DOS and Windows (written by other guys).

    Although we tried to make it very obvious when Last Resort was installed on a machine, we get occasional email from people asking how they can make it invisible. We don't tell them, but really if you want to make a hidden keystroke recorder it's pretty trivial.

    Don't just worry about the FBI doing this to you - worry about your employer or loved ones. Not long after I shipped Last Resort, one of the editors of MacUser Magazine thanked me personally for it because he'd caught his girlfriend having an online affair - her hot and heavy emails were in his keystroke file.

    He later wrote a novel that talked about a lot of software products with fictional names but that were obviously taken from real products. I'm proud to say that the faux-Last Resort saved the world in his novel.

    Also I get occassional spam from companies selling keystroke recorders that aren't just invisible, but they encrypt the keystroke files and upload them to a location of your choice. They say this is meant for employee monitoring...

    Such monitoring, by the way, has been held to be legal by the courts.


    Michael D. Crawford
    GoingWare Inc

    --
    -- Could you use my software consulting serv
  12. PGP = probable cause? by perdida · · Score: 5

    The SCARIEST part of the whole thing is:

    FBI attorney: The suspect uses something called PGP, which prevents us from viewing his email and, combined with other evidence we have gathered while surveiling him, constitutes probable cause that he is using his computer for legal activity.

    Judge: Okay, go get 'im.

    Software does not equal intent. Not with PGP, not with Napster, etc.

    --
    Goat sex free since 2001