FBI Files Brief on Scarfo Keylogger
Firewort writes: "In an affidavit (warning, it's a PDF) filed with a federal court in New Jersey, the FBI has disclosed some of the details of a controversial "key logger system" used to obtain the encryption password of a criminal suspect. They go into great detail describing PGP and the different methods they might have used to keystroke-log Scarfo to get his encryption key." Interesting, and more technically sophisticated than the basic keyloggers which grab keystrokes indiscriminately.
I thought it read Scarface keylogger. I was confused to say the least. Is this STILL a big deal? You would think in the wake of the Terrorist Activities they would be giving the bureau a lot more leeway in surveillance...
What, me worry?
As long as they have a warrant I think this should be legal for them to do. In a few years it will be obsolete since we'll have bio-interfaces to our computers. Let's see them tap into that without us knowing!
Why "warning -- it's a pdf"
Is there something to fear from PDFs?
How about just: "note: it's a pdf"
I suspect it's only a matter of time before motherboards come equipped with a "blackbox" type of thing, similar to a flight data recorder. They could store, say, the last 10,000 keystrokes on any keyboard. Does such a thing exist?
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Speaking of "if you are important enough" and "all it takes is application of resources", I was recently reading through some of the briefs in the US v. Scarfo case. It sounded to me like the FBI got frustrated with his use of PGP and went with the keylogger approach. I was under the impression that the government had the resources to actually break some of the encryption schemes that are lawfully available in the US. It takes them time and a lot of computer horsepower, but I thought they could do it. It seems that the FBI didn't want to have to use all these resources in the Scarfo case and take the time to do it that way, so they used a logger. The material I was reading came from www.epic.org. It was interesting.
The key to fooling the keylogger is to use a blank password, of course.
FBI recruiters who are reading this: you know where you can contact me about that job offer.
It's important to note the fact that it doesn't log all keystrokes for 2 reasons:
1) It's impressive. The fewer keystrokes logged that could be potential passwords, the less manpower required to examine the logs.
2) It leaves potential exploits open for crypto software writers and users in order to trick keystroke loggers into passing them over without recording the activity.
On another note, Bruce Schneier has always reminded people that a secure system always includes at least 2 out of three things: Something you know (password), something you have (ATM card), or something you are (biometrics, fingerprint).
My point is that
Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password. Or, the person could just always keep the password key on a CD-ROM that they physically take with them and can destroy at a moment's notice.
ROOTKIT - Remote Object Oriented Telecommunications Knowledge Intelligence Technology
that the FBI was so concerned about not capturing anything but the passphrase for the PGP key? Call me a sceptic but I'd say that the affidavit merely states this to either make it seem like they really know what they are doing, or to appease whatever restrictions the warrant for their entry to the premises and 'bugging' of the computer allowed.
I would seriously doubt that if this 'device' was capable of recording every keystroke as they claim, that if they had the opportunity to sift through Scarfo's (outgoing) email/online banking/Adult-Check/etc. they wouldn't.
I was under the impression that part of the reason that it didn't log everything was to keep from possibly recording communications (Which would need a different kind of court order, along the lines of a phone tap).
It'd be a pain in the ass to destroy a CD-ROM "at a moment's notice"
Why not just make it a law that if the government serves you with a legal "warrant" declaring that you must provide them with the requested passwords? Using a keylogger to get someone's passwords is like going about lockpicking someone's front door and jarring the windows open instead of just knocking and serving them a warrant.
Anybody out there know what it was? The affidavit implies that it was put into court records at some point in time (at least the output of the KLS was). Just curious, thinking it's something like NickyS or BaddaBing.
hey -- good idea! they should totally make that open source.
Even if a keystroke logger recorded every single keystroke... if you were to copy and paste a password, say you put it in a text file on a floppy on a different computer.... wouldn't this render the keystroke logger useless? It would have to also record the contents of the "clipboard", no?
Just grab the edges and bend til it breaks, I do it with failed CDRs all the time. Good stress reliever.
How can we let the FBI use a closed-source Keylogger? If it were open source, we could verify that they aren't "wire-tapping" communications with it. I think there should be at least an independent review of the code...
Use a diskette and carry a magnet with you.
:)
$0.02 (CDN)
The affidavit says that Scarfo used a Windows OS.
Coupled with the DOJ ruling, it just goes to prove that M$ Windows is an operating system written for criminals by criminals.
Just because you're offline at the moment, your email is subject to being searched without a wiretap order? That's what the affidavit seems to be implying. Does this make sense?
Wonder what they'd use as their carefully-crafted excuse to get around the ECPA if he'd had broadband?
Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password.
This wouldn't stop the FBI. They could obviously take his fingerprint and probably make some kind of cast based on that to replicate it. A swipe card could be subpoenaed in court too.
Oh my gawd! I just spent the last 10 minutes reading that
;)
crap!!! bleh!!!
I'd rather just slice the eggplant into many small pieces,
fry 'em with some soy sauce, and consume them
(yeah this is offtopic but I thought it was important - must be
the mood I'm in today)
I certainly wouldn't want to retrieve it after that disposal method.
What, and get loads of cyanide particles released into the air? Way to go!
Maybe put a barcode on rice paper, then. *shrug*
Only the dead have seen the end of war.
When I read this headline, I thought, Scarfo is a pretty sensible name for a keystroke logger.
Yeah, but does that really destroy the CD beyond hope of recovery? I'm not up on CD Recovery technology.
Perhaps what's needed is a USB dongle, with an external switch that fries the flash RAM inside, rendering it unusable, and unreadable even to people trained in data recovery. Then again, if you have one, you obviously have something to hide, so expect the government to make them illegal soon.
Couldn't you have your serial keyboard plugged in, then when you go to use your PC, go to another room, take out your nice USB keyboard, then plug that in and use that instead? Wouldn't it be funny seeing the feds' puzzled faces - you've been sending all sorts of PGP'd email in the last month, and all their logger has registered is "haha MOFO's!!!!" - LOL!!!!
My point is that ...
Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password.
That does not work, if the fingerprint reader/card reader is in the keyboard (or the logger logs it also). Same with biometrics.
But what about giving visual feedback in a very complicated, hard for software to analyze way that adds some blinding layer to the key, e.g. by XOR? Like giving the user a number to add to the current password position in a video? Then the password would never go unprotected through the input chain, and only the combination of input and output would yield the password. No complete protection, but a $200 Keylogger would not have a chance against this.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
Voice recognition.
THIS is an interesting little statement. It says nothing about what they DID use, merely what they COULD have used. And since it's probably not an exhaustive list, the actual method(s) used may or may not be contained within it.
It's important to not assume that the FBI are being malicious in what they've put in this brief, but it's equally important to verify what is being said. The FBI are not the most open organization in the world, and it would be erroneous to assume that a court filing will be any more open than anything else they publish.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I would think that it does, especially if it's a CD-R, which it's likely to be.
Disk blanking with a magnet does not work, I tried. I could not even produce read errors with a fairly strong small magnet. And a static magnetic field only weakens the data on the disk, it does not erase it. With special equipment (for maybe 10.000 Euro) you can still read it in many cases.
To blank a disk reliably you have to have a changing magnetic field strong enough that the battery needed for this would probably be hard to carry. On the other hand, burning it is far more secure and can be done with a portable blowtorch the size of a lighter.
Perhaps what's needed is a USB dongle, with an external switch that fries the flash RAM inside, rendering it unusable, and unreadable even to people trained in data recovery.
Well, there's the Dallas Semiconductor iButton. It includes tamper-resistant features that will zero its RAM under certain conditions (e.g. over-temperature), although it doesn't have an actual "erase" switch.
What, me worry? Nahhh!
Friends don't help friends install M$ junk.
Since the device(s) "wasn't supposed to" capture non-passphrase (probably through identifying the unique PGP pop up window) keys, if you for instance typed in the passphrase into an email's To: field then copied and pasted into the PGP window you wouldn't need to have it in plaintext somewhere on your computer or floppy (eck!)
It'd be a pain in the ass to destroy a CD-ROM "at a moment's notice"
Not if you carry a microwave oven everywhere you go. Try putting a CD in the microwave for 2 seconds. It gives it a nice faux antique look.
To ensure perfect aim, shoot first and call whatever you hit the target
and how about that bit of software that validated your rhythm of typing the password?
and what about a TSR that transposes bits on the letters you type when you hold down CTRL-ALT-WINDOWS before stuffing them back in the KB buffer, effectively changing the letters you type?
Just use the windows character generator. When you need to enter a password, click it into the windows character generator and copy the resulting string and paste it later. No keyboard interface is ever required.
Of course, then you're vulnerable to those things which remotely view monitors (Van-eckman scanners?). But I suppose if you're really paranoid about something like this, you would actually search for a keyboard logger first and put 3 other monitors nearby to create interference. So I guess it's all academic.
-Ted
The FBI is lying or at least giving themselves the benefit of doubt.
The computer had speakers attached (known from another source that has covered the case), so the sentence in the affidavit
"The FBI knew that when the modem was not activated the computer was not acting as an electronic communications device".
How do the FBI know that the speakers were not outputting something that was sent as clear voice over the phone lines?
Help fight continental drift.
Mind your manners and show some respect; it's "Mister Scarfo", thank you very much.
FBI points to keylogger: Say hello to my little friend :)
Then again, if you have one, you obviously have something to hide,
Naw, that isn't true at all.
Every Libbertardian doughboy wannabe on Slashdot would buy one. Because they have so many secrets to hide from the gummint.
hahahaha
*snort*
hahahahaha
Or you can always use a microwave. The effect of a microwave on a cd is quite spectacular. 5 seconds should be more than enough to destroy the disk.
Assuming that the version of PGP that was in use was one of the "source available" versions, why didn't the FBI simply alter the passphrase dialog code to store a plaintext version of the passphrase someplace on disk? All they'd need to do is re-install that portion of the application, and hope that the "bad guy" didn't do regular PGP sig/checksum comparisons against his installed programs (and how many of us do that?)
-Eldurbarn
I don't know the American law very much. But as far as I know it's illegal to circumvent encryption after the DMCA, isn't it? Would it be possible to fight against this keylogger citing the DMCA?
The guy's essential point: "We designed the keylogger so that it wouldn't intercept anything which might be a 'communication,' for example by disabling it any time the modem was active. Therefore it cannot be considered an intercepted communication, so we are exempt from the provisions in the wiretap laws. Oh, and we only logged for 14 days, instead of the court-allowed 60 days, so we weren't invasive at all."
That's all well and good, but all they are doing is trying to prove the point that the wiretap laws don't apply in this case. They are understandably worried about this, I think, because internally they know damn well that this operation was functionally equivalent to a type of wiretap.
If Scarfo's lawyers are smart, they will hammer home a simple analogy to what went on: the Feds essentially monitored every keystroke entered into the computer over a two-week period, with the exception of those times when the modem was on. Substitute the words "desk lamp" for the word "modem" (not a perfect analogy, I know, because you don't normally communicate with a lamp, but still...) and it makes the point a little more clear.
The bottom line is that this keylogger constituted a standing, two-week long, continuous search of the guy's work on his computer. No different, really, than hiding an agent in the closet of his office to look over his shoulder as he typed. Put that way, it may be a lot harder to defend their actions before the Court.
[disclaimer] Scarfo may very well be a corrupt, guilty scumbag -- but I think bending the law in such a Machiavellian way is not the right way to go about it. [/disclaimer]
...are condemned to repeat it.
Easy does it!
Huzzah!
The FBI only logs keystrokes while the modem was not active:
Why? It makes no sense to me. If Scarfo did the encryption/decryption while he was online the KeyLogger would be useless.
MOD THE CHILD UP!
It's circumventing a content protection method, so I don't see how this is much different than DeCSS.
Did anyone read that whole thing? It seems that the FBI had a keystroke logger that only came on when the modem was off, with the belief, I assume, that the computer isn't a communication device unless the modem is on.
So then the wiretap laws wouldn't apply when the modem is off? Is my interpretation correct?
Strange loophole..
I don't know why the FBI has made such a fuss over this. I purchased a hardware key logger from http://www.keyghost.com/ weeks ago. Why? Because if I ever had to perform a PGP passphrase audit this would be the only way to go.
If it's a CD-R, then the dye will end up all over your fingers and the floor - tough to recover IMO.
If it's a regular CD (unlikely due to the circumstances) then you could try to microwave for a minute or so (the aluminum layer will crack in an interesting pattern).
Attack: Insert a logger in between the computer and the device that reads cards/fingerprint etc.
Interface between computer and something thought to be personally secure (the person, or a smart key he carries, etc) must be resistant to MITM and logging attacks.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
What about turning your doorframe into a big electromagnet, like in Cryptonomicon? Would that be a big enough field?
OTOH, you'd have to sit the computer *well* back of the door unless you've got some sort of shielding in place, which would defeat the purpose..
Feel the fear and do it anyway.
He stated that he has a PhD in Life Science.
Is that one of those mail order degrees that you can buy from spammers?
what about a password that's not text? a friend of a friend has a cuecat (with some minor modifications of course) ... but, he scans a mountain dew bottle as his password. it also adds a carriage return to the password for you :)
:)
after this, it's a heck of a lot better than the cutting/pasting idea, or even manually typing it in...
i wonder if scanning a mountain dew bottle would hold up in court as an encryption method, so it's DMCA friendly
Runnin' On Empty
OK,
- B
http://www.bradheintz.com/
- updated
Right as I hit the submit button, it occurred to me that on most systems you can switch apps with a passphrase dialog box open, thus using an intermediary app to paste text isn't needed. ;)
(If there is no one to look over your shoulder (Van Eckman) then an intermediary app does let you check your cut'n'paste spelling...)
______
Once: you're a philosopher. Twice: a pervert.
In other words, when you buy a computer from Dell they will present your order to the FBI complete with your name and address (of course) asking what additional components they would like installed on your computer, probably using a web page similar to the one that lets you configure your computer.
Drop down menus that let the FBI say, "yes I'd like a keylogger", or "ooh, I'd like the built-in surveillance camera too!"
And then the computer is built and delivered to your door.
Is this truly the only Earth I can live on?
What is a key stroke reader? A device that is inserted between your keyboard and computer. You use the key stroke reader as a replay attack, replay their entered password. So just stick a fingerprint logger between the fingerprint scanner and the computer. Then use the captured and recorded digital handshake from the fingerprint scanner and the computer to replay a finger. A cdrom scanner could be configured in the same way.
Now how to be safer.
Use OpenBSD, with an encrypted filesystem and swap. Every time the feds serve a search warrant, sell your old computer and buy a new one, keeping the hard drive. Use dd to copy over the hard drive information, destroy the old hard drive.
Other things you need to consider. The feds could install a video bug above your keyboard on the ceiling. Also the radiation emanating from your keyboard cable and monitor could be passively monitored and data recovered. I recommend using laptops and conducting business from inside a limo using a wireless connection. Replace the limo if there is ever a possibility of police involvement. If you are running a drugs/prostitution/gambling empire you should have more than enough money to make up for the extra expenses.
I was under the impression that the FBI used a hardware hack to capture the keystrokes - but according to the affidavit the KLS wouldn't capture while the modem was on (getting around some sort of wiretap regulation). So it would have to be software, right?
The affidavit does point out a tasty loophole: enter your passwords only when you're online.
Couldn't be hacked if the card reader sent a 1-way encrypted hash instead of the info on the card. The key could be based on an algorithm that came from a retinal scan + your weight.
something like this?
http://www.ealaddin.com/etoken/pro/
although it doesn't have the self-destruct switch =) but the point of having strong encryption is that even if the dongle was stolen, it wouldn't be worth the computational effort to extract the info, right?
Like you can stop them? I'd LOVE to see the legislation and/or resulting lawsuits on that one.
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
<nitpick>It'd be a pain in the ass to destroy a CD-ROM "at a moment's notice"</nitpick>
This can be done in 3 steps:
1) Stick a piece of tape on the CD, leaving a "tab". (press firmly)
2) Pull tape off CD.
3) There is no step 3.
couldn't they've just replaced the executable/DLL with a compromised version that emails the password to the feds? Duh! The feds should be _glad_ that the source is available!
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
It's impossible. Every conceivable identification device must interface with the computer at some point, and be exposed to the user at another. Any method of input is vulnerable to a sufficiently motivated and wealthy adversary (eg the US/Russian/Chinese government, Microsoft, the Catholic church, or whoever). The point to remember is physical access to the hardware trumps any computer security measures.
If you want to be really paranoid, check your computer every few days. Look for dongles or adapters you don't remember putting on. Use keyboard cables without ferrites, they could be replaced with a keylogger. Epoxy over the heads of your keyboard screws. Look inside the computer case, see if anything has been added or moved. Then, if you find a key logger, fill up its entire memory with "h4h4! j00 5ux0r!!" ^_^
0 1 - just my two bits
Okay, I'll bite. How exactly does this destroy a CD?
Wouldn't they only be able to read mail sent to him if they had his PGP passphrase? It's not illegal to receive incriminating letters, right? (If it is, I've got some mass mailing to do ;-)
My other car is first.
Just use images? Just have a program generate images and randomly place them on the screen. Click an image to select a character or characters. Then use these character(s) to encrypt or decrypt. No keystrokes used. And recording mouse movement wouldn't help. And if the program can be randomly seeded, even recording screen shots wouldn't help if you don't have access to the 'seed'...
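An added example (not from any post in this thread) of the blinded-entry idea in the comment above and in the earlier XOR/offset suggestion: the screen shows per-position random offsets, the user types the shifted characters, and the verifier unshifts them. What a keystroke logger captures differs every session and does not replay. The alphabet, the password "scarfo1" and the PBKDF2 parameters are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed alphabet for the demo; a real prompt would cover every key.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
M = len(ALPHABET)


def blind(password, offsets):
    """What the user types: each character shifted by the offset shown on screen."""
    return "".join(ALPHABET[(ALPHABET.index(c) + o) % M] for c, o in zip(password, offsets))


class BlindedPrompt:
    """Verifier that shows per-position random offsets and unshifts what is typed."""

    def __init__(self, password):
        self.length = len(password)
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(password)
        self.offsets = None

    def _hash(self, pw):
        # Only a salted hash of the real password is kept, never the password.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 50_000)

    def challenge(self):
        # Displayed only: the keyboard path never carries these numbers.
        self.offsets = [secrets.randbelow(M) for _ in range(self.length)]
        return self.offsets

    def verify(self, typed):
        if self.offsets is None or len(typed) != self.length:
            return False
        offsets, self.offsets = self.offsets, None  # one attempt per challenge
        try:
            recovered = "".join(
                ALPHABET[(ALPHABET.index(c) - o) % M] for c, o in zip(typed, offsets)
            )
        except ValueError:  # a typed character outside the alphabet
            return False
        return hmac.compare_digest(self._hash(recovered), self.digest)


def demo(password="scarfo1"):
    """Two logins plus a replay; returns what a keystroke logger would capture."""
    prompt = BlindedPrompt(password)
    captured = []   # the logger's view: only what was typed
    results = []
    for _ in range(2):
        shown = prompt.challenge()
        typed = blind(password, shown)
        captured.append(typed)
        results.append(prompt.verify(typed))
    prompt.challenge()  # fresh offsets: the old keystrokes no longer fit
    replay_ok = prompt.verify(captured[0])
    return {"logins": results, "captured": captured, "replay": replay_ok}


if __name__ == "__main__":
    print(demo())
```

This only blinds the keyboard path: a logger that also sees the screen, or the affidavit's second "component" that reads the passphrase out of the encryption program itself, still gets it.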
I look at this another way. How secure do you want to make your information? You should be able to use strong encryption for anything you like. That should help to protect your privacy.
When the FBI or police has enough evidence to get a search warrant, they then have the right to see the contents of your encrypted files. If they turn up anything related to the scope of the search warrant, then that should be used as evidence against you. Encryption is not to protect you from being convicted of crimes, it is to keep your information secure from outside parties reading it.
Brought to you by Team SPAM! where we believe: "Information in the noise!"
On another note, Bruce Schneier has always reminded people that a secure system always includes at least 2 out of three things: Something you know (password), something you have (ATM card), or something you are (biometrics, fingerprint).
I've always wondered about the logic behind this. All you're trying to prove is identity, right? If you can identify me biometrically, you don't need a stinkin' password, or god forbid a one-time PIN card.
I believe a bank was beta testing ATM machines which used iris recognition. You didn't even need an ATM card, just put your eye to the machine. I was impressed by their insight... shrugging off the old school mentality.
Kind thoughts do not change the world
On cheap CD-R media, this will rip off a layer of paint and the metal substrate beneath.
This happened with a commercially manufactured CD I had in a plastic CD sleeve in my car. When I took it out of the sleeve, most of the aluminum substrate ripped off. That disk is now the most expensive coaster in my home.
The affidavit was extremely vague, but a close reading reveals details most posts seem to get wrong.
The FBI had a search warrant. Based on this they installed two or more "components" in someone's computer. The court records contain data from two "components".
The first component was a key logger which recorded everything he did. It had one odd property though. It turned off while the modem was active. This is a technicality to try to avoid needing to satisfy the much higher legal requirements for a wiretap.
The second component was much more specific. This component captured the password and related data directly from the encryption program, not from the keyboard. Password entry through copy/paste, disk, and/or mouse entry would not get around this.
The affidavit is very careful not to say if the components are hardware or software. IMO the second component has to be software.
I think the real issue is that the purpose of a search warrant is to SEARCH. It does not/should not allow installing things in/on your property, and it does not/should not allow you to be recorded. IMO it's the same as the FBI installing video cameras all over your house based on a search warrant. It's ok though, because the cameras turn off when you're on the phone. (groan)
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Obviously, this would have to have at least some software, even though if it's a hardware keylogger, because the document implies that it's context-sensitive (doesn't capture keystrokes that get sent out over the modem.)
Also, the obvious question: how did they install the keylogger in the first place?
Any conspiracy theorists wanna bet that Microsoft has had such backdoors (eg, blank areas in KERNEL32.EXE or the like where the FBI, etc could covertly upload arbitrary code, if triggered by say, inserting a floppy with the right code in the bootsector, etc?
There's 10 types of people in this world, those who understand binary and those who don't.
Depends. I think for a doorframe that deletes floppy disks you should get a superconducting inductor to keep the cost down.
And it would be dangerous with anything magnetic in your body or around, see e.g. this item of the Risks Digest for what can happen.
Ummm, actually, given that some fingerprint readers (or other bio scanners...) feeds their output to the computer for approval by a piece of software - that could be captured and would be subject to a replay attack.
Even readers which do the authentication inside the reader still have to send *something* to the computer indicating approval, and *that something* is subject to capture and replay...
Which leads into my whole "phooey on biometrics" belief - at some point that reader's gonna say you're good to go - so attack it at that weak point... (same argument applies to those useless prox card readers...)
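An added example (not from any post in this thread) of the point the last few comments make: a reader that sends a fixed approval message, even a one-way hash of the card data, is replayable by anything sitting on the cable, while a reader that answers a fresh host nonce with a keyed HMAC is not. The shared key, the card data and the wire tap are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed placeholder key shared by reader and host (a real design would
# provision a per-device key into tamper-resistant storage inside the reader).
READER_KEY = b"example-shared-key-not-for-production"
# Constructed stand-in for whatever the sensor read (card data, template hash).
CARD_DATA = b"card-data-for-user-42"


class StaticReader:
    """Reader that sends the same approval message on every use.

    Hashing the card data does not help: the digest is still a constant that
    a tap on the cable can record and replay."""

    def approve(self):
        return hashlib.sha256(CARD_DATA).hexdigest()


class StaticHost:
    def __init__(self):
        self.expected = hashlib.sha256(CARD_DATA).hexdigest()

    def verify(self, message):
        return hmac.compare_digest(message, self.expected)


class ChallengeReader:
    """Reader that only answers a host-supplied, single-use nonce."""

    def __init__(self, key):
        self.key = key

    def respond(self, nonce):
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class ChallengeHost:
    def __init__(self, key):
        self.key = key
        self.outstanding = None

    def challenge(self):
        self.outstanding = os.urandom(16)
        return self.outstanding

    def verify(self, response):
        if self.outstanding is None:
            return False
        expected = hmac.new(self.key, self.outstanding, hashlib.sha256).digest()
        self.outstanding = None  # each nonce is good for one answer only
        return hmac.compare_digest(response, expected)


def static_login(tap):
    """Legitimate login through a static reader; `tap` records the wire."""
    message = StaticReader().approve()
    tap.append(message)
    return StaticHost().verify(message)


def static_replay(tap):
    """Replay the last captured message at a fresh host: succeeds."""
    return StaticHost().verify(tap[-1])


def challenge_login(tap):
    """Legitimate login with challenge-response; the tap sees nonce and answer."""
    reader = ChallengeReader(READER_KEY)
    host = ChallengeHost(READER_KEY)
    nonce = host.challenge()
    response = reader.respond(nonce)
    tap.append((nonce, response))
    return host.verify(response)


def challenge_replay(tap):
    """Replay the captured answer against a fresh nonce: fails."""
    host = ChallengeHost(READER_KEY)
    host.challenge()  # new 128-bit nonce the attacker has not seen
    _, old_response = tap[-1]
    return host.verify(old_response)


if __name__ == "__main__":
    wire = []
    print("static: login", static_login(wire), "replay", static_replay(wire))
    wire = []
    print("challenge: login", challenge_login(wire), "replay", challenge_replay(wire))
```

Challenge-response closes the replay hole on the cable, not a logger placed inside the reader between the sensor and the key, which is the earlier objection about readers built into the keyboard.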
Until recently I had thought the hardware approach more likely. It's easy to install a bug in the keyboard cable, and such devices already exist on the market.
But one passage in this affidavit caught my attention:
A hardware device would have been easy to install even if the computer wasn't "operative" (as long as it was actually there). This strongly suggests that the logger consisted either of software modules hacked into Windows, or possibly a hack to the BIOS firmware.
The software/firmware approach does have the advantage of being less easily detected by a naive user. The average Windows user wouldn't have a clue as to how to look for cleverly hacked DLLs or system programs.
Still, once the threat is known the countermeasures are pretty obvious:
Use an open-source operating system that can easily be rebuilt from trusted sources
Use Tripwire to detect modifications to system programs
Improve physical security. Use a laptop and keep it in a safe when not in use. Use IR motion detectors to quietly log any intrusions in the vicinity of the safe and/or computer.
Anybody have any other ideas?
If you want to be REAL paranoid...
Build a large steel cabinet, using .25 inch steel plate. Add ventilation holes. Put the computer inside, maybe with a UPS as well. Run cables out of it via romex sheathing to power and monitor, and weld the romex to the box. DO NOT hook up any printer or modem - or if you do, place it in the box with the computer.
Create a wireless IR keyboard interface, with one of those mini keyboards - plus possibly custom software drivers and/or hardware interfaces for it. Provide a hole so that the IR x/r unit can "see" out of the box to the keyboard.
Lock the box up in some manner - tack welding might be preferable. Add a power switch to the outside of the box, maybe a few status LEDs.
Take the keyboard with you whenever you are not with the machine. Perhaps sleep with it under your pillow, or put it in a safe under your bed or something. Follow the rule about using epoxy on the screws. Maybe put seals over the welds, or take pictures of the welds to compare with every now and then (say once a week). You might even want to place the monitor in a copper wire mesh bag or Faraday cage, properly sealed and grounded for stray RF emissions. Maybe not even provide a modem, only a floppy drive of some sort - and do all decryption on that secured machine. Won't stop "them" from tracking who/when you comm with other parties (ie, traffic analysis), but will keep them from logging you.
If you are truly needing this, you will see that what I suggest is actually worthwhile...
Reason is the Path to God - Anon
A glove would disrupt the heat mind you..
-
ping -f 255.255.255.255 # if only
Well, obviously, the FBI is doing some creative sneaking around the law to avoid intercepting electronic communication. Great, clever work. But, what we can infer from this is that the FBI or the NSA does not have a very good grip on PGP. If the government had PGP cracked, there would be no necessity for a key logger.
YES: Ban cars - mass transit only!
If personal vehicles are required, then they must be automated! Humans are far too emotional and subjective when it comes to the laws of physics.
> Interesting, and more technically sophisticated
> than the basic keyloggers which grab keystrokes
> indiscriminately.
// Keydown
if (PGP == RUNNING)
{
    for (k = 0; k < 256; k++)
    {
        if (GetAsyncKeyState(k) == -32767)
            log(k, time);
    }
}
How sophisticated is that? Lame...
_____________________________________
Do YOU have "Nagelsvamp"?
www.nagelsvamp.nu
My computer is permanently connected to the internet or 'communicating' by means of a network card. I think the difference in function between a modem and a network card is quite small. So following the line of thought: if my network card is functioning, it's not allowed to grab keys :)
sim-ple.
Privacy is terrorism.
If they have physical access to the machine and are able to tamper with the kernel code, they can run something as simple as an expect script underneath that will never be detected and grab all info from the keyboard or any input device, run a daemon that sends them the info every 15 minutes and read your mail. You are screwed once they have gotten in.
Just some idle speculation as to the nature of the keylogger. Based on the FBI affidavit I would say that it was a 100% software solution. The functionality required to keep the KLS 'legal' seems to preclude a hardware solution. The statement regarding the installation of the KLS in my mind confirms that no KLS hardware was present. Let's examine the requirements of a 'reasonable' HW KLS system. A HW device in the keyboard would probably be undetectable, but it would have no way of knowing about the com port or whether the PGP application was active (Remember, the KLS only logged PGP relevant data). There would also seem to be no practical mechanism to transmit that info to a keyboard based device. Next, what form would a HW device in the PC take and how would it interface so as to seem to be part of the computer? What would a HW solution accomplish that couldn't be done in a less risky fashion than a SW solution? As a third supporting argument, note that the FBI said that they needed physical access to the PC in order to retrieve the KLS data. Note as well that they said they physically entered the premises 5 times, the first four times the computer was either not present or not operable, which would indicate that the PC must be running in order to retrieve the data. It would be reasonable to assume that a HW KLS would not require the PC to be switched on in order to retrieve the data. Now, let's look at the benefits of a SW device. One, it can be very easily hidden as a Vxd on bootup. Two, it is trivial to erase logs regarding its installation. Three, it can easily know whether a com port, printer port, USB device or whatever is active from the OS. Fourth, it can monitor the running applications or processes and be set to only log when a certain process is both running and has focus on the screen. Fifth, it is virtually undetectable to the average user - who checks their registry to see if there are any strange device drivers running?
Sixth, why bother to install a separate device driver anyway, why not just patch a system device driver such as the keyboard one so that no new entries are added to the device driver table. Seventh, what if Scarfo's PC was a laptop? Where are you gonna stick a HW device in that? Moral of the story - if you are a crim wanting to protect your data use Linux or some other open, 'accountable' operating system and know it well, checksum your config files and use a bootlog to identify startup and shutdown times. Also password protect your computer with a power-on BIOS password. You should also consider getting a laptop with a lockable cover and no external kb/mouse/vga ports.
Anyhow, now this thread has been started, anyone else want to speculate as to the nature of the device? Remember, the FBI is composed of people just the same as you or me. They also follow the KISS principle in designing their techno-gadgets. They are neither smarter nor dumber than the rest of us and approach problems just the same as the rest of the educated population.
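The "checksum your config files" advice in the post above, as an added example that is not code from the thread or from any particular integrity tool: it baselines a directory tree with SHA-256, then reports files that were modified, added or removed, which is how a dropped driver, a patched startup file or a deleted boot log would show up. The sample tree, the tampering step, the manifest layout and the function names are this example's own constructions.

```python
"""Baseline-and-verify integrity check for configuration files.

Added example, not code from the original thread or from any named tool.
The sample tree and the tampering step are constructed inline so the script
runs offline; the manifest layout and function names are this example's own.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to digest and size."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_of(path), "size": path.stat().st_size}
    return manifest


def verify(root: Path, baseline: dict) -> dict:
    """Rehash the tree and report differences against the stored baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current
                           and current[p]["sha256"] != baseline[p]["sha256"]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small /etc-like tree, tamper, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "modules").write_text("psmouse\nusbhid\n")
        (root / "etc" / "inittab").write_text("id:3:initdefault:\n")
        (root / "etc" / "bootlog").write_text("boot 09:12\nshutdown 17:40\n")
        baseline = build_manifest(root)  # in practice: keep this off-box or on read-only media

        # Simulated tampering, the way a software keylogger install might do it:
        # append a module line, drop a new config file, remove the boot log.
        (root / "etc" / "modules").write_text("psmouse\nusbhid\nkbdlog\n")
        (root / "etc" / "kbdlog.conf").write_text("interval=900\n")
        (root / "etc" / "bootlog").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would add: the baseline manifest has to live somewhere the intruder cannot rewrite (off the machine, or on read-only media), and, as the earlier comment about kernel tampering points out, a checker run on a compromised kernel can be fed clean bytes for a patched file. Hashing the disk from a separately booted, trusted system avoids the second problem.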
Why not? Simple. If word got out that the US government could break PGP, everyone who cared about securing their communications from the US government would switch to something else. Governments take extraordinary measures to protect outside knowledge of their cypher-breaking capabilities. Go read some books about Enigma (or, if you want the story with a bowlful of Claire Danes, wait for the upcoming movie :) ).
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
From the Java iButton web page:
Specific intrusions that result in zeroization include:
Combine that with a firewall they say is running on it, the fact that it has an unalterable clock, and that it has a unique serial number, both engraved on the outside and burned into ROM, and this comes about as close to Fort Knox for data as you're going to find this side of classified.
Of course, it does run java, and it would be possible, if you didn't properly secure it, to load arbitrary java code on it and use that to do whatever you (or those whom you want to protect your data from) wanted to do.
The truth about Scientology, Xenu, and you: Operation Clambake
EXACTLY. I won't feel safe until I get one of those palm/cellphone combinations running WinCE that can be replaced with Linux. Of course, it's all for naught if my friends don't use encryption, too.
It used to be great, 95% of my email to my friends stayed within the same BOX for years. We would all SSH in and use GnuPG only when we wanted lasting security. Now my friends are losers and pop their email into Outlook. Now *they're* whining to me that I can't keep up with *them* and get OpenSSL to sign/encrypt email to them in Outlook. Now I feel like I can't talk to them about *anything*!
AAARRRGGHHH!!
Intelligent Life on Earth
Our constitutional guarantees against unreasonable searches and seizures, forced testimony and self-incrimination, and court decisions like the Miranda decision indicate to me that I have the right to keep my information private from every outside party, even the government.
In this case the FBI had, in my opinion, the equivalent of an illegal wire tap.
Strong encryption technology is under attack because it can provide privacy to criminals and terrorists as well as to everyone else who desires privacy. In this modern world of street-corner cameras and face recognition, and attempts to "outsource" illegal surveillance by getting it from cooperative foreign governments, we need, more than ever, to have our hard-won freedoms defended by our elected officials, our law enforcement officers and our court system.
If you're not living on the edge, you're taking up too much space.
...Leave a Gnutella program running 24/7 (if you aren't paying per minute) and your modem/NIC will always be "active." Who'd have thought we could piss off the corporations _and_ the government at the same time?!
Y'know, if the FBI can get enough access to a room to plant something inside a keyboard, then they can probably also plant a tiny little IR sensor somewhere on the wall. If it's sensitive enough, then it'll just pick up the IR signals from the keyboard. Also, I suspect that with so heavy a unit, one could probably cut a hole in the bottom, and it'd be a long time before anybody noticed. Still, I agree with the general design philosophy. A few changes, and it'd be useful.
Try Dahle's CD-Rom shredder.
http://www.dahle.co.uk/product/new/20190.htm
If you're using Windows, you can hold down [Alt] and type in the ASCII code on the numeric keypad, and get characters that way. I don't think this works in Linux. Another tactic for GUI users would be to pop up a virtual keyboard that sends the appropriate message to the active window when the buttons are clicked with the mouse. I suppose this could be made to work with console apps as well, esp. if it is in a console window. Or, just click away from the window and enter some gibberish in a text editor, click back and enter the next character of your password, click away, rinse, repeat.
Keyboard logger,
Mouse logger,
Tempest Van.
FBI recon: Game, Set, Match.
Hacker:
Spare cherry Keyboard (includes mouse)
Tempest shielded screen
FBI:
Key and mouse logger in motherboard
'bug' on the video card
Hacker:
Internet café
FBI:
Echelon
Circular, isn't it?
If they are not grabbing files/content then what are they using the key to un-encrypt?
Well, it used to be, anyway...
I use the Commonwealth Bank for some of my online banking, and in its previous incarnation, their NetBank service used to have a _very_ secure login interface.
It would prompt you for your 8 digit NetBank ID code, and then for your variable length PIN. When the time came to enter your PIN, it popped up a keypad on the screen, disabled keyboard input and you had to click on the keypad with the mouse. In addition, the keypad moved to a random location between every click, so you couldn't even track screen coordinates...
All in all, very secure and very annoying.
They've now gone 'back' to using standard keyboard input and SSL security.
--kai
Specialist Mac support for creative pros, Melbourne
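A simulation of the moving on-screen keypad described in the NetBank post above (and of the virtual-keyboard idea raised earlier in the thread), added here as an example that is not the bank's code or anything from the original posts. It models PIN entry by mouse click, then shows what three observers recover from the same clicks: the bank, which knows where the pad was drawn at each click; a mouse-coordinate logger against a pad that jumps after every click; and the same logger against a pad that stays put. Screen size, button geometry, the fixed digit order and the rule that a new pad position never overlaps an earlier one are this example's own assumptions.

```python
"""Randomised on-screen PIN pad versus a mouse-coordinate logger.

Added example, not the bank's code.  Assumptions of this model: an 800x600
screen, 40x40 buttons in a 5x2 grid in fixed digit order, and a pad that,
when it moves, is redrawn somewhere that does not overlap any earlier position
in the same login (so a replayed coordinate never lands on an old pad).
"""
import random

KEY_W, KEY_H = 40, 40
COLS, ROWS = 5, 2
PAD_W, PAD_H = COLS * KEY_W, ROWS * KEY_H
SCREEN_W, SCREEN_H = 800, 600
DIGITS = "0123456789"


def overlaps(a, b):
    """True if pad rectangles with origins a and b intersect."""
    (ax, ay), (bx, by) = a, b
    return ax < bx + PAD_W and bx < ax + PAD_W and ay < by + PAD_H and by < ay + PAD_H


def new_origin(rng, avoid=()):
    """Random pad origin that overlaps none of the origins in `avoid`."""
    while True:
        origin = (rng.randrange(0, SCREEN_W - PAD_W), rng.randrange(0, SCREEN_H - PAD_H))
        if not any(overlaps(origin, prev) for prev in avoid):
            return origin


def key_at(origin, point):
    """Digit under a screen point for a pad drawn at `origin`, or None."""
    ox, oy = origin
    px, py = point
    col, row = (px - ox) // KEY_W, (py - oy) // KEY_H
    if 0 <= col < COLS and 0 <= row < ROWS:
        return DIGITS[row * COLS + col]
    return None


def click_for(origin, digit, rng):
    """A plausible user click: a random point inside the digit's button."""
    row, col = divmod(DIGITS.index(digit), COLS)
    ox, oy = origin
    return (ox + col * KEY_W + rng.randrange(KEY_W), oy + row * KEY_H + rng.randrange(KEY_H))


def enter_pin(pin, rng, moving=True):
    """Simulate entry; return (clicks seen by a logger, pad origin at each click)."""
    origins, clicks = [], []
    origin = new_origin(rng)
    for digit in pin:
        origins.append(origin)
        clicks.append(click_for(origin, digit, rng))
        if moving:
            origin = new_origin(rng, avoid=origins)  # pad jumps after every click
    return clicks, origins


def decode(clicks, origins):
    """Digits recovered from clicks under a belief about where the pad was."""
    return "".join(key_at(o, p) or "?" for o, p in zip(origins, clicks))


def demo(pin="4821", seed=7):
    rng = random.Random(seed)
    clicks, origins = enter_pin(pin, rng, moving=True)
    result = {
        "bank": decode(clicks, origins),                          # knows every pad position
        "logger_moving": decode(clicks, [origins[0]] * len(pin)),  # saw the pad once
    }
    clicks, origins = enter_pin(pin, rng, moving=False)
    result["logger_static"] = decode(clicks, [origins[0]] * len(pin))
    return result


if __name__ == "__main__":
    print(demo())  # bank recovers the PIN; static pad leaks it; moving pad leaks one digit
```

The moving pad defeats keystroke and coordinate logging, but only those: anything that captures the screen at click time (or hooks the window messages the pad sends) sees the layout too, and the fixed digit order here means a single screenshot per login is enough. That is the trade-off the post's "very secure and very annoying" summarises.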
Use cleartext that is part of the system such as text from the man page for the "ls" command. This is an example, but you'd want to pick a lengthy man page. Start and end in the middle of a word. Also, do two or three cut and pastes. One cut would be simple to break. Two or three, and now they are in trouble, because there are all kinds of variations on multiple cuts. Or to be really vicious, open a common image file in a text editor and cut and paste from that. There's some entropy!
Remember, You are unique...just like everyone else.
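The cut-and-paste passphrase scheme in the post above, worked through as an added example (not code from the post): it builds a passphrase from one or more byte runs copied out of a source file, measures the per-byte Shannon entropy of text versus image-like bytes, and counts how many candidates an attacker must try if they know the source file, the number of cuts and the plausible cut lengths but not the offsets. The sample "man page" and "image" bytes are constructed here, and that attacker model is this example's assumption.

```python
"""Guess space of a passphrase pasted from a file the system already has.

Added example, not from the original post.  MANPAGE and IMAGE are constructed
stand-ins for a real man page and a real image file; the attacker model
(knows the file, the number of cuts and the length range, not the offsets)
is this example's assumption.
"""
import math
from collections import Counter

MANPAGE = (b"ls - list directory contents. List information about the FILEs "
           b"(the current directory by default). Sort entries alphabetically "
           b"if none of -cftuvSUX nor --sort is specified.\n") * 40
IMAGE = bytes((i * 73 + 11) % 256 for i in range(7000))  # stands in for image bytes


def cut(data: bytes, offset: int, length: int) -> bytes:
    """One cut: `length` bytes starting at `offset`; may begin and end mid-word."""
    if offset < 0 or length <= 0 or offset + length > len(data):
        raise ValueError("cut lies outside the source")
    return data[offset:offset + length]


def passphrase(data: bytes, cuts) -> bytes:
    """Concatenate several (offset, length) cuts of the same source."""
    return b"".join(cut(data, off, ln) for off, ln in cuts)


def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical per-byte entropy; ~4-5 for English text, ~8 for random bytes."""
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def guess_space_bits(source_len: int, min_len: int, max_len: int, n_cuts: int) -> float:
    """log2 of the candidates an attacker must try.  Each cut has one
    (offset, length) choice per valid combination; cuts are independent, so
    the count is per_cut ** n_cuts and the work grows linearly in bits."""
    per_cut = sum(source_len - ln + 1 for ln in range(min_len, max_len + 1) if ln <= source_len)
    return 0.0 if per_cut == 0 else n_cuts * math.log2(per_cut)


def demo() -> dict:
    sample = passphrase(MANPAGE, [(3, 24), (301, 22), (1200, 30)])  # three mid-word cuts
    return {
        "sample": sample,
        "text_entropy": shannon_bits_per_byte(MANPAGE),
        "image_entropy": shannon_bits_per_byte(IMAGE),
        "one_cut_bits": guess_space_bits(len(MANPAGE), 20, 40, 1),
        "three_cut_bits": guess_space_bits(len(MANPAGE), 20, 40, 3),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Against a few-kilobyte source, one cut of 20 to 40 bytes is only around 17 bits of work for an attacker who knows the file, which is the "simple to break" case; three independent cuts triple that, and the post's image-file variant raises the per-byte entropy but does nothing for this count, since the attacker enumerates offsets, not bytes. The caveat that matters for this thread: the clipboard is as capturable as the keyboard, so a logger that also hooks paste operations sees the finished passphrase regardless of where it came from.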