Slashdot Mirror
FBI Files Brief on Scarfo Keylogger
Firewort writes: "In an affidavit (warning, it's a PDF) filed with a federal court in New Jersey, the FBI has disclosed some of the details of a controversial "key logger system" used to obtain the encryption password of a criminal suspect. They go into great detail describing PGP and the different methods they might have used to keystroke-log Scarfo to get his encryption key." Interesting, and more technically sophisticated than the basic keyloggers which grab keystrokes indiscriminately.
As long as they have a warrant I think this should be legal for them to do. In a few years it will be obsolete since we'll have bio-interfaces to our computers. Lets see them tap into that without us knowing!
It's important to note the fact that it doesn't log all keystrokes for 2 reasons:
1) It's impressive. Less keystrokes logged that could be potential passwords, the less manpower required to examine the logs.
2) It leaves potential exploits open for crypto software writers and users in order to trick keystroke loggers into passing them over without recording the activity.
On another note, Bruce Schneier has always reminded people that a secure system always includes at least 2 out of three things: Something you know (password), something you have (ATM card), or something you are (biometrics, fingerprint).
My point is that
Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password. Or, the person could just always keep the password key on a CD-ROM that they physically take with them and can destroy at a moment's notice.
Why would this be strange? Most agents know pretty well what they can, and cannot get away with. The FBI, given some of the problems of the past, is doing what they can to NOT lose a case over a technicality. So creating a tool that allows them to capture only the information they have a court order for is an excellent idea from the FBI. If they got everything, found some new evidence from that illegally acquired information, it would probably get tossed out of court, along with the case (fruit of a poisoned tree).
A law enforcement agency, creating a tool that is designed to operate within a limited court order - shouldn't we be at least somewhat positive of this?
"But we decide which is right, and which is an illusion"
Five or six thousand people died in the attacks on the World Trade Center and the Pentagon. It is a horrid tragedy and I would never try to minimize it, but it pales to the number of people who have died defending democracy. In three of these defining wars, as tabulated below, there were over 350,000 deaths.
This only includes those killed in action or dead from wounds and doesn't include prisoners of war. It seems tremendously disrespectful to those who died creating or defending this country to relenquish our rights, rights earned through their deaths, so easily.
There are also 40,000 deaths per year in the US, not through terrorism, but through automobile accidents. Would you also suggest that for safeties sake we ban the automobile?
Chris Kuivenhoven is a thief, beware
Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password.
This wouldn't stop the FBI. They could obviously take his fingerprint and probably make some kind of cast based on that to replicate it. A swipe card could be subpoenaed in court too.
P.S.: I think part of these "we (could) have broken" statements are also a smokescreen that is intended to make people not bother with encryption, because "they can break it anyway".
Would not be the first diversion with that purpose: If you cannot defeat it, undermine its credibility.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
THIS is an interesting little statement. It says nothing about what they DID use, merely what they COULD have used. And since it's probably not an exhaustive list, the actual method(s) used may or may not be contained within it.
It's important to not assume that the FBI are being malicious in what they've put in this brief, but it's equally important to verify what is being said. The FBI are not the most open organization in the world, and it would be erronious to assume that a court filing will be any more open than anything else they publish.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Yeah, if he new they installed the logger. The kicker in this situation was they installed it with out his knowledge....
I want my rights back. I was actually using them when our government stole them after 9/11.
Just use the windows character generator. When you need to enter a password, click it into the windows character generator and copy the resulting string and paste it later. No keyboard interface is ever required.
Of course, then you're vulnerable to those things which remotely view monitors (Van-eckman scanners?). But I suppose if you're really paranoid about something like this, you would actually search for a keyboard logger first and put 3 other monitors nearby to create interference. So I guess it's all academic.
-Ted
Assuming that the version of PGP that was in use was one of the "source available" versions, why didn't the FBI simply alter the passphrase dialog code to store a plaintext version of the passphrase someplace on disk? All they'd need to do is re-install that portion of the application, and hope that the "bad guy" didn't do regular PGP sig/checksum comparisons against his installed programs (and how many of us do that?)
-Eldurbarn
Attack: Insert a logger in between the computer and the device that reads cards/fingerprint etc.
Interface between computer and something thought to be personally secure (the person, or a smart key he carries, etc) must be resistant to MITM and logging attacks.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Still, if the FBI really went to that much trouble to do keylogging software that doesn't capture when the com ports are active, I have to admire their dedication to the letter of the law.
I'm a nature photographer.
It's impossible. Every concievable identification device must interface with the computer at some point, and be exposed to the user at another. Any method of input is vulnerable to a sufficiently motivated and wealthy advisary (eg the US/Russian/Chinese government, Microsoft, the Catholic church, or whoever). The point to remember is physical access to the hardware trumps any computer security measures.
If you want to be really paranoid, check your computer every few days. Look for dongles or adapters you don't remember putting on. Use keyboard cables without ferrites, they could be replaced with a keylogger. Epoxy over the heads of your keyboard screws. Look inside the computer case, see if anything has been added or moved. Then, if you find a key logger, fill up it's entire memory with "h4h4! j00 5ux0r!!" ^_^
0 1 - just my two bits
My computer is permanently commected to the internet or 'communicating' by the means of a netword-card. i think the difference in function between a modem and a network card is tuite small. so sollowing the line of thought: is my network card is functioning, it's not allowed to grab keys :)
sim-ple.
Privacy is terrorism.