Slashdot Mirror
FBI Files Brief on Scarfo Keylogger
Firewort writes: "In an affidavit (warning, it's a PDF) filed with a federal court in New Jersey, the FBI has disclosed some of the details of a controversial "key logger system" used to obtain the encryption password of a criminal suspect. They go into great detail describing PGP and the different methods they might have used to keystroke-log Scarfo to get his encryption key." Interesting, and more technically sophisticated than the basic keyloggers which grab keystrokes indiscriminately.
As long as they have a warrant I think this should be legal for them to do. In a few years it will be obsolete since we'll have bio-interfaces to our computers. Lets see them tap into that without us knowing!
I suspect it's only a matter of time before motherboards come equiped with a "blackbox" type of thing, similar to a flight data recorder. They could store, say, the last 10,000 keystrokes on any keyboard. Does such a thing exist?
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Speaking of "if you are important enough" and "all is takes is application of resources", I was recently reading through some of the briefs in the US v. Scarfo case. It sounded to me like the FBI got frustrated with his use of PGP and went with the keylogger approach. I was under the impression that the government had the resources to actually break some of the encryption schemes that are lawfully available in the US. It takes them time and a lot of computer horsepower, but I thought they could do it. It seems that the FBI didn't want to have to use all these resources in the Scarfo case and take the time to do it that way, so they used a logger. The material I was reading came from www.epic.org. It was interesting.
The key to fooling the keylogger is to use a blank password, of course.
FBI recruiters who are reading this: you know where you can contact me about that job offer.
It's important to note the fact that it doesn't log all keystrokes for 2 reasons:
1) It's impressive. Less keystrokes logged that could be potential passwords, the less manpower required to examine the logs.
2) It leaves potential exploits open for crypto software writers and users in order to trick keystroke loggers into passing them over without recording the activity.
On another note, Bruce Schneier has always reminded people that a secure system always includes at least 2 out of three things: Something you know (password), something you have (ATM card), or something you are (biometrics, fingerprint).
My point is that
Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password. Or, the person could just always keep the password key on a CD-ROM that they physically take with them and can destroy at a moment's notice.
ROOTKIT - Remote Objet Oriented Telecommunications Knowledge Intelligence Technology
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
that the FBI was so concerned about not capturing anything but the passphrase for the PGP key? Call me a sceptic but I'd say that the affidavit merely states this to either make it seem like they really know what they are doing, or to appease whatever restrictions the warrant for their entry to the premises and 'bugging' of the computer allowed.
I would seriously doubt that if this 'device' was capable to record every keystroke as they claim, that if they had the opportunity to sift through Scarfo's (outgoing) email/online banking/Adult-Check/etc. they wouldn't.
I was under the impression that part of the reason that it didn't log everything was to keep from possibly recording communications (Which would need a different kind of court order, along the lines of a phone tap).
It'd be a pain in the ass to destroy a CD-ROM "at a moment's notice"
Anybody out there know what it was? The affidavit implies that it was put into court records at some point in time (at least the output of the KLS was). Just curious, thinking its something like NickyS or BaddaBing.
Even if a keystroke logger recorded every single keystroke... if you were to copy and paste a password, say you put it in a text file on a floppy on a different computer.... wouldn't this render the keystroke logger useless? It would have to also record the contents of the "clipboard", no?
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Just grab the edges and bend til it breaks, I do it with failed CDRs all the time. Good stress reliever.
What, me worry?
Use a diskette and carry a magnet with you.
:)
$0.02 (CDN)
Because, you twit, then they'd know you were reading their encrypted material and would stop doing anything illegal.
The affidavit says that Scarfo used a Windows OS.
Coupled with the DOJ ruling, it just goes to prove that M$ Windows is an operating system written for criminals by criminals.
Five or six thousand people died in the attacks on the World Trade Center and the Pentagon. It is a horrid tragedy and I would never try to minimize it, but it pales to the number of people who have died defending democracy. In three of these defining wars, as tabulated below, there were over 350,000 deaths.
This only includes those killed in action or dead from wounds and doesn't include prisoners of war. It seems tremendously disrespectful to those who died creating or defending this country to relenquish our rights, rights earned through their deaths, so easily.
There are also 40,000 deaths per year in the US, not through terrorism, but through automobile accidents. Would you also suggest that for safeties sake we ban the automobile?
Chris Kuivenhoven is a thief, beware
Wonder what they'd use as their carefully-crafted excuse to get around the ECPA if he'd had broadband?
Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password.
This wouldn't stop the FBI. They could obviously take his fingerprint and probably make some kind of cast based on that to replicate it. A swipe card could be subpoenaed in court too.
I certainly wouldn't want to retrieve it after that disposal method.
Maybe put a barcode on rice paper, then. *shrug*
Only the dead have seen the end of war.
When I read this headline, I thought, Scarfo is a pretty sensible name for a keystroke logger.
Yeah, but does that really destroy the CD beyond hope of recovery? I'm not up on CD Recovery technology.
Perhaps what's needed is a USB dongle, with an external switch that fries the flash RAM inside, rendering it unusable, and unreadable even to people trained in data recovery. Then again, if you have one, you obviously have something to hide, so expect the government to make them illegal soon.
Couldn't you have your serial keyboard plugged in, then
when you go to use your pc, go to another room, take out your
nice USB keyboard, then plug that in and use that instead?
Wouldn't it be funny seeing the feds puzzled faces - you've been
sending all sorts of PGP'd email in the last month, and all thier logger has registered is "haha MOFO's!!!!" - LOL!!!!
My point is that ...
Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password.
That does not work, if the fingerprint reader/card reader is in the keyboard (or the logger logs it also). Same with biometrics.
But what about giving visual feedback in a very complicated, hard for software to analyze way that adds some blinding layer to the key, e.g. by XOR? Like giving the user a number to add to the current password position in a video? Then the password would never go unprotected through the input chain, and only the combination of input and output would yield the password. No complete protection, but a $200 Keylogger would not have a chance against this.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
"....and as the FBI replayed the tape recording of the crim...."
THIS is an interesting little statement. It says nothing about what they DID use, merely what they COULD have used. And since it's probably not an exhaustive list, the actual method(s) used may or may not be contained within it.
It's important to not assume that the FBI are being malicious in what they've put in this brief, but it's equally important to verify what is being said. The FBI are not the most open organization in the world, and it would be erronious to assume that a court filing will be any more open than anything else they publish.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I would think that it does, especially if its a CDR which its likely to be.
What, me worry?
Disk blanking with a magnet does not work, I tried. I could not even produce read errors with a fairly strong small magnet. And a static magnetic field only weakens the data on the disk, it does not erase it. With special equipment (for maybe 10.000 Euro) you can still read it in may cases.
To blank a disk reliably you have to have a changing magnetic field strong enough that the battery needed for this would probably be hard to carry. On the other hand, burning it is far more secure and can be done with a portable blowtorch the size of a lighter.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
Perhaps what's needed is a USB dongle, with an external switch that fries the flash RAM inside, rendering it unusable, and unreadable even to people trained in data recovery.
Well, there's the Dallas Semiconductor iButton. It includes tamper-resistant features that will zero its RAM under certain conditions (e.g. over-temperature), although it doesn't have an actual "erase" switch.
What, me worry? Nahhh!
Friends don't help friends install M$ junk.
Since the device(s) "wasn't supposed to" capture non-passphrase (probably through identifying the unique PGP pop up window) keys, if you for instance typed in the passphrase into an email's To: field then copied and pasted into the PGP window you wouldn't need to have it in plaintext somewhere on your computer or floppy (eck!)
It'd be a pain in the ass to destroy a CD-ROM "at a moment's notice"
Not if you carry a microwave oven everywhere you go. Try putting a CD in the microwave for 2 seconds. It gives it a nice faux antique look.
To ensure perfect aim, shoot first and call whatever you hit the target
Just use the windows character generator. When you need to enter a password, click it into the windows character generator and copy the resulting string and paste it later. No keyboard interface is ever required.
Of course, then you're vulnerable to those things which remotely view monitors (Van-eckman scanners?). But I suppose if you're really paranoid about something like this, you would actually search for a keyboard logger first and put 3 other monitors nearby to create interference. So I guess it's all academic.
-Ted
There are also 40,000 deaths per year in the US [cdc.gov], not through terrorism, but through automobile accidents. Would you also suggest that for safeties sake we ban the automobile?
That many? I have been using this argument in the last days to stress that it is not really about the number of deaths but the manner they occured in. But I had no idea that it is that many.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
Or you can always use a microwave. The effect of a microwave on a cd is quite spectacular. 5 seconds should be more than enough to destroy the disk.
Does this make sense?
Not especially. They're just exploiting a legal technicality. They aren't allowed to intercept private communications, so they argue that a deactivated modem means no communicating is going on.
Nice...I'm sure they'd never even THINK of checking barcodes for the pass, although they might find the barcode scanner to be an odd peripheral for the average home user...
do not read this line twice.
Assuming that the version of PGP that was in use was one of the "source available" versions, why didn't the FBI simply alter the passphrase dialog code to store a plaintext version of the passphrase someplace on disk? All they'd need to do is re-install that portion of the application, and hope that the "bad guy" didn't do regular PGP sig/checksum comparisons against his installed programs (and how many of us do that?)
-Eldurbarn
However, a keylogger in the PC would happily log the data, thinking it was typed on the keyboard.
I don't know the American law very much. But as far as I know it's illegal to circumvent encription after the DMCA, isn't it? Would it be possible to fight against this keylogger citing the DMCA?
The guy's essential point: "We designed the keylogger so that it wouldn't intercept anything which might be a 'communication,' for example by disabling it any time the modem was active. Therefore it cannot be considered an intercepted communication, so we are exempt from the provisions in the wiretap laws. Oh, and we only logged for 14 days, instead of the court-allowed 60 days, so we weren't invasive at all."
That's all well and good, but all they are doing is trying to prove the point that the wiretap laws don't apply in this case. They are understandably worried about this, I think, because internally they know damn well that this operation was functionally equivalent to a type of wiretap.
If Scarfo's lawyers are smart, they will hammer home a simple analogy to what went on: the Feds essentially monitored every keystroke entered into the computer over a two-week period, with the exception of those times when the modem was on. Substitute the words "desk lamp" for the word "modem" (not a perfect analogy, I know, because you don't normally communicate with a lamp, but still...) and it makes the point a little more clear.
The bottom line is that this keylogger constituted a standing, two-week long, continuous search of the guy's work on his computer. No different, really, than hiding an agent in the closet of his office to look over his shoulder as he typed. Put that way, it may be a lot harder to defend their actions before the Court.
[disclaimer] Scarfo may very well be a corrupt, guilty scumbag -- but I think bending the law in such a Machiavellian way is not the right way to go about it. [/disclaimer]
...are condemned to repeat it.
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
The FBI only logs keystrokes while the modem was not active:
Why ? It make no sense to me. If Scarfo did the encryption/decryption while he was online the KeyLogger would be useless.
MOD THE CHILD UP!
It's circumventing a content protection method, so I don't see how this is much different than DeCSS.
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
Did anyone read that whole thing? It seems that the FBI had a keystroke logger that only came on when the modem was off, with the belief, I assume, that the computer isn't a communication device unless the modem is on.
So then the wiretap laws wouldn't apply when the modem is off? Is my interpretation correct?
Strange loophole..
I don't know why the FBI has made such a fuss over this. I purchased a hardware key logger from http://www.keyghost.com/ weeks ago. Why? Because if I ever had to perform a PGP passfrase audit this would be the only way to go.
I know this whole thread's OT, but I've been wondering about this for a while. Does anybody out there know where I can find stats on drinking and driving related deaths in the US?
I think that just that number alone may be higher, but I haven't seen any sources to back it up..
Feel the fear and do it anyway.
Attack: Insert a logger in between the computer and the device that reads cards/fingerprint etc.
Interface between computer and something thought to be personally secure (the person, or a smart key he carries, etc) must be resistant to MITM and logging attacks.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
What about turning your doorframe into a big electromagnet, like in Cryptonomicon? Would that be a big enough field?
OTOH, you'd have to sit the computer *well* back of the door unless you've got some sort of shielding in place, which would defeat the purpose..
Feel the fear and do it anyway.
what about a password that's not text? a friend of a friend, has a cuecat (with some minor modifications of course) ... but, he scans a moutain dew bottle as his password. it also adds a carraige return to the password for you :)
:)
after this, it's a heck of alot better than the cutting/pasting idea, or even the manually typing it in...
i wonder scanning a mountain dew bottle would hold up in court as an encryption methond, so it's DMCA friendly
Runnin' On Empty
OK,
- B
http://www.bradheintz.com/
- updated
>although they might find the barcode scanner to be an odd peripheral for the average home user...
:cue:cats
hmmm... maybe thats why I saved all thoses
We really need your help
http://www.gofundme.com/help-sherry
Right as I hit the submit button, it occurred to me that on most systems you can switch apps with a passphrase dialog box open, thus using an intermediary app to paste text isn't needed. ;)
(If there is no one to look over your shoulder (Van Eckman) then a intermediary app does let you check your cut'n'paste spelling...    
______
Once: you're a philosopher. Twice: a pervert.
In other words, when you buy a computer from Dell they will present your order to the FBI complete with your name and address (of course) asking what additional components they would like installed on your computer, probably using a web page similar to the one that lets you configure your computer.
Drop down menus that let the FBI say, "yes I'd like a keylogger", or "ooh, I'd like the built-in surveillance camera too!"
And then the computer is built and delivered to your door.
Is this truly the only Earth I can live on?
What is a key stroke reader, a device that is inserted between your keyboard and computer. You use the key stroke reader as a replay attack, replay their entered password. So just stick a finger print logger between the finger print scanner and the computer. Then used the captured and recorded digital handshake from the fingerprint scanner and the computer to replay a finger. A cdrom scanner could be configured in the same way.
Now how to be safer.
Use openbsd, with an encrypted filesystem and swap. Everytime the feds serve a search warrent. Sell your old computer, buy a new one keeping the hard drive. Use dd to copy over the hard drive information, destroy the old hard drive.
Other things you need to consider. The feds could install an video bug above your keyboard on the ceiling. Also the radiation eminating from your keyboard cable and monitor could be passively monitored and data recovered. I recomend using lap tops and conducting business from inside a limo using a wireless conection. Replace the limo if their is ever a possibility police involvement. If you are running a drugs/prostitution/gambling empire you should have more then enough money to make up for the extra expenses.
Ah even better... http://www-fars.nhtsa.dot.gov/
I was under the impression that the FBI used a hardware hack to capture the keystrokes - but according to the affidavit the KLS wouldn't capture while the modem was on (getting around some sort of wiretap regulation). So it would have to be software, right?
The affidavit does point out a tastey loophole: enter your passwords only when you're online.
something like this?
http://www.ealaddin.com/etoken/pro/
although it doesn't have the self-destruct switch =) but the point of having strong encryption is that even if the dongle was stolen, it wouldn't be worth the computational effort to extract the info, right?
Like you can stop them? I'd LOVE to see the legislation and/or resulting lawsuits on that one.
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
sweet! I have a couple cuecats lying around. Anybody have any software to turn a cuecat into a full on barcode scanner?
do not read this line twice.
couldn't they've just replaced the executable/DLL with a compromised version that emails the password to the feds? Duh! The feds should be _glad_ that the source is available!
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
It's impossible. Every concievable identification device must interface with the computer at some point, and be exposed to the user at another. Any method of input is vulnerable to a sufficiently motivated and wealthy advisary (eg the US/Russian/Chinese government, Microsoft, the Catholic church, or whoever). The point to remember is physical access to the hardware trumps any computer security measures.
If you want to be really paranoid, check your computer every few days. Look for dongles or adapters you don't remember putting on. Use keyboard cables without ferrites, they could be replaced with a keylogger. Epoxy over the heads of your keyboard screws. Look inside the computer case, see if anything has been added or moved. Then, if you find a key logger, fill up it's entire memory with "h4h4! j00 5ux0r!!" ^_^
0 1 - just my two bits
Okay, I'll bite. How exactly does this destroy a CD?
Wouldn't they only be able to read mail sent to him if they had his PGP passphrase? It's not illegal to receive incriminating letters, right? (If it is, I've got some mass mailing to do ;-)
My other car is first.
I look at this another way. How secure do you want to make your information? You should be able to use strong encryption for anything you like. That should help to protect your privacy.
When the FBI or police has enough evidence to get a search warrant, they then have the right to see the contents of your encrypted files. If they turn up anything related to the scope of the search warrant, then that should be used as evidence against you. Encryption is not to protect you from being convicted of crimes, it is to keep your information secure from outside parties reading it.
Brought to you by Team SPAM! where we believe: "Information in the noise!"
On another note, Bruce Schneier has always reminded people that a secure system always includes at least 2 out of three things: Something you know (password), something you have (ATM card), or something you are (biometrics, fingerprint).
I've always wondered about the logic behind this. All you're trying to prove is identity, right? If you can indentify me biometrically, you don't need a stinkin password, or god forbid a one-time pin card.
I believe a bank was beta testing ATM machines which used iris recognition. You didn't even need an ATM card, just put your eye to the machine. I was impressed by their insite...shrugging of the old school mentality.
Kind thoughts do not change the world
On cheap CD-R media, this will rip off a layer of paint and the metal substrate beneath.
This happened with a commercially manufactured CD I had in a plastic CD sleeve in my car. When I took it out of the sleeve, most of the aliminum substrate ripped off. That disk is now the most expensive coaster in my home.
The affidavit was extreemely vague, but a close reading reveals details most posts seem to get wrong.
The FBI had a search warrant. Based on this they installed two or more "components" in someone's computer. The court records contain data from two "components".
The first component was key logger which recorded every thing he did. It had one odd property though. It turned off while the modem was active. This is a technicality to try to avoid needing to satisfy the much higher legal requirements for a wiretap.
The second component was much more specific. This component captured the password and related data directly from the encryption program, not from the keyboard. Password entry through copy/paste, disk, and/or mouse entry would not get around this.
The affidavit is very careful not to say if the components are hardward or software. IMO the second component has to be software.
I think the real issue is that the purpose of a search warrant is to SEARCH. It does not/should not allow installing things in/on your propery, and it does not/should not allow you to be recorded. IMO it's the same as the FBI installing video cameras all over your house based on a search warrant. It's ok though, because the cameras turn off when you're on the phone. (groan)
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Obviously, this would have to have at least some software, even though if it's a hardware keylogger, because the document implies that it's context-sensitive (doesn't capture keystrokes that get sent out over the modem.)
Also, the obivous question: how did they install the keylogger in the firsrt place?
Any conspiracy theorists wanna bet that Microsoft has had such backdoors (eg, blank areas in KERNEL32.EXE or the like where the FBI, etc could covertly upload arbitrary code, if triggered by say, inserting a floppy with the right code in the bootsector, etc?
There's 10 types of people in this world, those who understand binary and those who don't.
Depends. I think for a doorframe that deletes floppy disks you should get a superconducting inductor to keep the cost down.
And it would be dangrous with anyting magnetic in your body or around, see e.g. this item of the Risks Digest for what can happen.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
There are also 40,000 deaths per year in the US cdc.gov], not through terrorism, but through automobile accidents. Would you also suggest that for safeties sake we ban the automobile?
About 2.4-million Americans die each year of other various causes. Aging should be banned as well.
they crash my computer, that damn integration with IE.
also-- im boycotting adobe still, becuase of the Russian.
________________________________________________
Until recently I had thought the hardware approach more likely. It's easy to install a bug in the keyboard cable, and such devices already exist on the market.
But one passage in this affidavit caught my attention:
A hardware device would have been easy to install even if the computer wasn't "operative" (as long as it was actually there). This strongly suggests that the logger consisted either of software modules hacked into Windows, or possibly a hack to the BIOS firmware.
The software/firmware approach does have the advantage of being less easily detected by a naive user. The average Windows user wouldn't have a clue as to how to look for cleverly hacked DLLs or system programs.
Still, once the threat is known the countermeasures are pretty obvious:
Use an open-source operating system that can easily be rebuilt from trusted sources
Use Tripwire to detect modifications to system programs
Improve physical security. Use a laptop and keep it in a safe when not in use. Use IR motion detectors, to quietly log any intrustions in the vicinity of the safe and/or computer.
Anybody have any other ideas?
If you want to be REAL paranoid...
.25 inch steel plate. Add ventilation holes. Put the computer inside, maybe with a UPS as well. Run cables out of it via romex sheathing to power and monitor, and weld the romex to the box. DO NOT hook up any printer or modem - or if you do, place it in the box with the computer.
Build a large steel cabinet, using
Create a wireless IR keyboard interface, with one of those mini keyboards - plus possibly custom software drivers and/or hardware interfaces for it. Provide a hole so that the IR x/r unit can "see" out of the box to the keyboard.
Lock the box up in some manner - tack welding might be preferable. Add a power switch to the outside of the box, maybe a few status LEDs.
Take the keyboard with you whenever you are not with the machine. Perhaps sleep with it under your pillow, or put it in a safe under your bed or something. Follow the rule about using epoxy on the screws. Maybe put seals over the welds, or take pictures of the welds to compare with every now and then (say once a week). You might even want to place the monitor in a copper wire mesh bag or Faraday cage, propely sealed and grounded for stray RF emmisions. Maybe not even provide a modem, only a floppy drive of some sort - and do all decryption of that secured machine. Won't stop "them" from tracking who/when you comm with other parties (ie, traffic analysis), but will keep them from logging you.
If you are truely needing this, you will see that what I suggest is actually worthwhile...
Reason is the Path to God - Anon
A glove would disrupt the heat mind you..
-
ping -f 255.255.255.255 # if only
This seems like a dubious argument. There are plenty of applications (especially email clients) that allow you to do things off-line. If someone was capturing my keystrokes, they could potentially have a record of me writing a batch of emails just before I dialed in and sent them out. Is that significantly different from "intercepting private communications?"
Well, obviously, the FBI is doing some creative sneaking around the law to avoid intercepting electronic communication. Great, clever work. But, what we can infer from this is that the FBI or the NSA does not have a very good grip on PGP. If the government had PGP cracked, there would be no necessity for a key logger.
> Interesting, and more technically sophisticated
// Keydown
> than the basic keyloggers which grab keystrokes
> indiscriminately.
If (PGP == RUNNING)
{
for (k = 0; k 256; k++)
{
if GetAsynchKeyState = -32767
log(key, time);
}
}
How sophisticated is that? Lame...
_____________________________________
Do YOU have "Nagelsvamp"?
www.nagelsvamp.nu
My computer is permanently commected to the internet or 'communicating' by the means of a netword-card. i think the difference in function between a modem and a network card is tuite small. so sollowing the line of thought: is my network card is functioning, it's not allowed to grab keys :)
sim-ple.
Privacy is terrorism.
Its not liquid, fuck-nut. I've broken many CDRs and the shit doesn't run out.
What, me worry?
this whole thing is a bit off topic but I can't believe there were only 4425 deaths during the Revolutionary war. Maybe one day at Gettysburg...
Meanwhile you forgot Korea and Vietnam as well as Kuwait (which all, argueably, were in defense of democracy). Also your WWII total seems low (as I recall it was in the 1/2 million dead range)
Anyway, this would give:
I don't know the veracity of these numbers either, which is why I guess the Encyclopedia Britannica is still around.
Chris Kuivenhoven is a thief, beware
This seems like a dubious argument.
Indeed. The FBI is trying to use laws about telephones to defend their actions. After all, if you unplug your phone or don't pick up the receiver, you're not communicating, right? Let's hope that the judge and/or Scarfo's lawyer(s) see through the gaping hole in this analogy.
Why not? Simple. If word got out that the US government could break PGP, everyone who cared about securing their communications from the US government would switch to something else. Governments take extraordinary measures to protect outside knowledge of their cypher-breaking capabilities. Go read some books about Enigma (or, if you want the story with a bowlful of Claire Danes, wait for the upcoming movie :) ).
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
From the java ibutton web page:
Specific intrusions that result in zeroization include:
Combine that with a firewall they say is running on it, the fact that it has an unalterable clock, and that it has a unique serial number, both engraved on the outside and burned into ROM, this comes about as close to Fort Knox for data as you're going to find this side of classified.
Of course, it does run java, and it would be possible, if you didn't properly secure it, to load arbitrary java code on it and use that to do whatever you (or those whom you want to protect your data from) wanted to do.
The truth about Scientology, Xenu, and you: Operation Clambake
EXACTLY. I won't feel safe until I get one of those palm/cellphone combinations and it's running WinCE that can be replaced with Linux. Of course, it's all for naught if my friends don't use encryption, too.
It used to be great, 95% of my email to my friends stayed within the same BOX for years. We would all SSH in and use GnuPG only when we wanted lasting security. Now my friends are losers and pop their email into Outlook. Now *they're* whining to me that I can't keep up with *them* and get OpenSSL to sign/encrypt email to them in Outlook. Now I feel like I can't talk to them about *anything*!
AAARRRGGHHH!!
Intelligent Life on Earth
Our constitutional guarentees on unreasonable search and seizures, forced testamony, self incrimination, and court decisions like the Miranda decision indicate to me that I have the right to keep my information private from every outside party even the government.
In this case the FBI had, in my opinion, the equivalent of an illegal wire tap.
Strong encryption technology is under attack because it can provide privacy to criminals and terrorists as well as everyone else who desires privacy. In this modern world of street corner cameras and face recognition, and attempts to "outsource" illegal survaillance by getting from cooperative foreign governments we need, more than ever, to have our hard won freedoms defended by our elected officials, our law enforcement officers and our court system.
If you're not living on the edge, you're taking up too much space.
Y'know, if the FBI can get enough access to a room to plant something inside a keyboard, then they can probably also plant a tiny little IR sensor somewhere on the wall. If it's sensitive enough, then it'll just pick up the IR signals from the keyboard. Also, I suspect that with so heavy a unit, one could probably cut a hole in the bottom, and it'd be a long time before anybody noticed. Still, I agree with the general design philospophy. A few changes, and it'd be useful.
Try Dahle's CD-Rom shredder.
http://www.dahle.co.uk/product/new/20190.htm
If you're using Windows, you can hold down [Alt] and type in the ASCII code on the numeric keypad, and get characters that way. I don't think this works in Linux. Another tactic for GUI users would be to pop up a virtual keyboard that sends the appropriate message to the active window when the buttons are clicked with the mouse. I suppose this could be made to work with console apps as well, esp. if it is in a console window. Or, just click away from the window and enter some gibberish in a text editor, click back and enter the next character of your password, click away, rinse, repeat.
If they are not grabbing files/content then what are they using the key to un-encrypt?
Well, it used to be, anyway...
I use the Commonwealth Bank for some of my online banking, and in it's previous incarnation, their NetBank service used to have a _very_ secure login interface.
It would prompt you for your 8 digit NetBank ID code, and then for your variable length PIN. When the time came to enter your PIN, it popped up a keypad on the screen, disabled keyboard input and you had to click on the keypad with the mouse. In addition, the keypad moved to a random location between every click, so you couldn't even track screen coordinates...
All in all, very secure and very annoying.
They've now gone 'back' to using standard keyboard input and SSL security.
--kai
Specialist Mac support for creative pros, Melbourne
Use cleartext that is part of the system such as text from the man page for the "ls" command. This is an example, but you'd want to pick a lengthy man page. Start and end in the middle of a word. Also, do two or three cut and pastes. One cut would be simple to break. Two or three, and now they are in trouble. becuase there is all kinds of variations on multiple cuts. Or to be really vicious, open a common image file in a text editor and cut and paste from that. There's some entropy!
Remember, You are unique...just like everyone else.