FBI Files Brief on Scarfo Keylogger
Firewort writes: "In an affidavit (warning, it's a PDF) filed with a federal court in New Jersey, the FBI has disclosed some of the details of a controversial "key logger system" used to obtain the encryption password of a criminal suspect. They go into great detail describing PGP and the different methods they might have used to keystroke-log Scarfo to get his encryption key." Interesting, and more technically sophisticated than the basic keyloggers which grab keystrokes indiscriminately.
As long as they have a warrant I think this should be legal for them to do. In a few years it will be obsolete since we'll have bio-interfaces to our computers. Lets see them tap into that without us knowing!
I suspect it's only a matter of time before motherboards come equipped with a "blackbox" type of thing, similar to a flight data recorder. They could store, say, the last 10,000 keystrokes on any keyboard. Does such a thing exist?
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Speaking of "if you are important enough" and "all is takes is application of resources", I was recently reading through some of the briefs in the US v. Scarfo case. It sounded to me like the FBI got frustrated with his use of PGP and went with the keylogger approach. I was under the impression that the government had the resources to actually break some of the encryption schemes that are lawfully available in the US. It takes them time and a lot of computer horsepower, but I thought they could do it. It seems that the FBI didn't want to have to use all these resources in the Scarfo case and take the time to do it that way, so they used a logger. The material I was reading came from www.epic.org. It was interesting.
The key to fooling the keylogger is to use a blank password, of course.
FBI recruiters who are reading this: you know where you can contact me about that job offer.
It's important to note the fact that it doesn't log all keystrokes for 2 reasons:
1) It's impressive. The fewer keystrokes logged that could be potential passwords, the less manpower required to examine the logs.
2) It leaves potential exploits open for crypto software writers and users in order to trick keystroke loggers into passing them over without recording the activity.
On another note, Bruce Schneier has always reminded people that a secure system always includes at least 2 out of three things: Something you know (password), something you have (ATM card), or something you are (biometrics, fingerprint).
My point is that
Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password. Or, the person could just always keep the password key on a CD-ROM that they physically take with them and can destroy at a moment's notice.
that the FBI was so concerned about not capturing anything but the passphrase for the PGP key? Call me a sceptic but I'd say that the affidavit merely states this to either make it seem like they really know what they are doing, or to appease whatever restrictions the warrant for their entry to the premises and 'bugging' of the computer allowed.
I would seriously doubt that if this 'device' was capable of recording every keystroke as they claim, and if they had the opportunity to sift through Scarfo's (outgoing) email/online banking/Adult-Check/etc., they wouldn't.
I was under the impression that part of the reason that it didn't log everything was to keep from possibly recording communications (Which would need a different kind of court order, along the lines of a phone tap).
Anybody out there know what it was? The affidavit implies that it was put into court records at some point in time (at least the output of the KLS was). Just curious, thinking it's something like NickyS or BaddaBing.
Even if a keystroke logger recorded every single keystroke... if you were to copy and paste a password, say you put it in a text file on a floppy on a different computer.... wouldn't this render the keystroke logger useless? It would have to also record the contents of the "clipboard", no?
"Would it kill you to put down the toilet seat?" -- Maya Angelou
The affidavit says that Scarfo used a Windows OS.
Coupled with the DOJ ruling, it just goes to prove that M$ Windows is an operating system written for criminals by criminals.
Five or six thousand people died in the attacks on the World Trade Center and the Pentagon. It is a horrid tragedy and I would never try to minimize it, but it pales to the number of people who have died defending democracy. In three of these defining wars, as tabulated below, there were over 350,000 deaths.
This only includes those killed in action or dead from wounds and doesn't include prisoners of war. It seems tremendously disrespectful to those who died creating or defending this country to relinquish our rights, rights earned through their deaths, so easily.
There are also 40,000 deaths per year in the US, not through terrorism, but through automobile accidents. Would you also suggest that for safety's sake we ban the automobile?
Chris Kuivenhoven is a thief, beware
Wonder what they'd use as their carefully-crafted excuse to get around the ECPA if he'd had broadband?
Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password.
This wouldn't stop the FBI. They could obviously take his fingerprint and probably make some kind of cast based on that to replicate it. A swipe card could be subpoenaed in court too.
I certainly wouldn't want to retrieve it after that disposal method.
Maybe put a barcode on rice paper, then. *shrug*
Only the dead have seen the end of war.
When I read this headline, I thought, Scarfo is a pretty sensible name for a keystroke logger.
Yeah, but does that really destroy the CD beyond hope of recovery? I'm not up on CD Recovery technology.
Perhaps what's needed is a USB dongle, with an external switch that fries the flash RAM inside, rendering it unusable, and unreadable even to people trained in data recovery. Then again, if you have one, you obviously have something to hide, so expect the government to make them illegal soon.
Couldn't you have your serial keyboard plugged in, then when you go to use your pc, go to another room, take out your nice USB keyboard, then plug that in and use that instead?
Wouldn't it be funny seeing the feds' puzzled faces - you've been sending all sorts of PGP'd email in the last month, and all their logger has registered is "haha MOFO's!!!!" - LOL!!!!
THIS is an interesting little statement. It says nothing about what they DID use, merely what they COULD have used. And since it's probably not an exhaustive list, the actual method(s) used may or may not be contained within it.
It's important to not assume that the FBI are being malicious in what they've put in this brief, but it's equally important to verify what is being said. The FBI are not the most open organization in the world, and it would be erroneous to assume that a court filing will be any more open than anything else they publish.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Perhaps what's needed is a USB dongle, with an external switch that fries the flash RAM inside, rendering it unusable, and unreadable even to people trained in data recovery.
Well, there's the Dallas Semiconductor iButton. It includes tamper-resistant features that will zero its RAM under certain conditions (e.g. over-temperature), although it doesn't have an actual "erase" switch.
What, me worry? Nahhh!
Friends don't help friends install M$ junk.
Just use the windows character generator. When you need to enter a password, click it into the windows character generator and copy the resulting string and paste it later. No keyboard interface is ever required.
Of course, then you're vulnerable to those things which remotely view monitors (Van-eckman scanners?). But I suppose if you're really paranoid about something like this, you would actually search for a keyboard logger first and put 3 other monitors nearby to create interference. So I guess it's all academic.
-Ted
Does this make sense?
Not especially. They're just exploiting a legal technicality. They aren't allowed to intercept private communications, so they argue that a deactivated modem means no communicating is going on.
Assuming that the version of PGP that was in use was one of the "source available" versions, why didn't the FBI simply alter the passphrase dialog code to store a plaintext version of the passphrase someplace on disk? All they'd need to do is re-install that portion of the application, and hope that the "bad guy" didn't do regular PGP sig/checksum comparisons against his installed programs (and how many of us do that?)
-Eldurbarn
Did anyone read that whole thing? It seems that the FBI had a keystroke logger that only came on when the modem was off, with the belief, I assume, that the computer isn't a communication device unless the modem is on.
So then the wiretap laws wouldn't apply when the modem is off? Is my interpretation correct?
Strange loophole..
Attack: Insert a logger in between the computer and the device that reads cards/fingerprint etc.
Interface between computer and something thought to be personally secure (the person, or a smart key he carries, etc) must be resistant to MITM and logging attacks.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
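The comment above says the interface between the computer and a card reader or fingerprint device must resist logging and MITM, and an earlier comment proposed adding a swipe card to the password. The following is an added example (not from the original thread) of why the design of that interface matters: a challenge-response exchange with a hypothetical shared key (constructed for this example) gives a passive tap on the cable nothing it can replay, whereas a reader that simply sends a fixed secret across the same cable hands the logger a reusable credential. The `InterfaceLogger` class is a stand-in for a logger spliced into the cable.

```python
import hmac
import hashlib
import secrets

# Hypothetical long-term secret provisioned into the token at enrollment and
# known to the host. Constructed for this example; never hard-code real keys.
TOKEN_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)
DOMAIN = b"auth-v1"  # domain separation so the MAC is bound to this protocol

# A "dumb" reader that just forwards a static credential (card number / PIN).
STATIC_SECRET = b"4111-1111-1111-1111:1234"  # constructed sample value


class InterfaceLogger:
    """Models a passive tap on the host<->device cable: it records every
    message in both directions, like a hardware keystroke logger would."""

    def __init__(self):
        self.captured = []  # list of (direction, bytes)

    def observe(self, direction: str, data: bytes) -> None:
        self.captured.append((direction, data))

    def first_from(self, direction: str) -> bytes:
        return next(d for (dirn, d) in self.captured if dirn == direction)


def host_challenge() -> bytes:
    """Host side: a fresh, unpredictable 128-bit nonce per authentication."""
    return secrets.token_bytes(16)


def token_respond(key: bytes, challenge: bytes) -> bytes:
    """Token side: prove possession of the key without ever sending it.
    Only the challenge and this MAC cross the interface."""
    return hmac.new(key, DOMAIN + challenge, hashlib.sha256).digest()


def host_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Host side: recompute the expected MAC and compare in constant time."""
    expected = hmac.new(key, DOMAIN + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def challenge_response_session(key: bytes, logger: InterfaceLogger) -> bool:
    """One legitimate authentication, with the logger seeing all traffic."""
    challenge = host_challenge()
    logger.observe("host->token", challenge)
    response = token_respond(key, challenge)
    logger.observe("token->host", response)
    return host_verify(key, challenge, response)


def challenge_response_replay(key: bytes, logger: InterfaceLogger) -> bool:
    """Someone holding only the logged bytes tries to authenticate later by
    replaying the recorded response. The host issues a new nonce, so the
    old MAC no longer matches."""
    old_response = logger.first_from("token->host")
    return host_verify(key, host_challenge(), old_response)


def static_session(logger: InterfaceLogger) -> bool:
    """The weak design: the reader sends the credential itself."""
    logger.observe("reader->host", STATIC_SECRET)
    return hmac.compare_digest(STATIC_SECRET, logger.first_from("reader->host"))


def static_replay(logger: InterfaceLogger) -> bool:
    """Replaying the logged credential succeeds every time: the tap has
    captured the secret, not a one-time proof of it."""
    return hmac.compare_digest(STATIC_SECRET, logger.first_from("reader->host"))


if __name__ == "__main__":
    tap = InterfaceLogger()
    print("challenge-response, live:", challenge_response_session(TOKEN_KEY, tap))
    print("challenge-response, replay from log:", challenge_response_replay(TOKEN_KEY, tap))
    tap2 = InterfaceLogger()
    print("static credential, live:", static_session(tap2))
    print("static credential, replay from log:", static_replay(tap2))
```

The nonce-based exchange defeats a passive logger and later replay; it does not by itself defeat an active man-in-the-middle that relays messages in real time during a session the legitimate user initiates, which is why the comment's point about the interface also needing MITM resistance (authenticated, ideally encrypted, channel between host and device) still stands.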
No.
DMCA doesn't prohibit circumventing encryption, in general. It prohibits it under very specific cases. Short things like passwords are not copyrightable, so decrypting them isn't covered by DMCA.
Furthermore, even if the conditions of DMCA applied to this act of circumvention (which they don't), it doesn't matter anyway. Because DMCA specifically exempts Law Enforcement.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
OK,
- B
http://www.bradheintz.com/
- updated
something like this?
http://www.ealaddin.com/etoken/pro/
although it doesn't have the self-destruct switch =) but the point of having strong encryption is that even if the dongle was stolen, it wouldn't be worth the computational effort to extract the info, right?
It's impossible. Every conceivable identification device must interface with the computer at some point, and be exposed to the user at another. Any method of input is vulnerable to a sufficiently motivated and wealthy adversary (eg the US/Russian/Chinese government, Microsoft, the Catholic church, or whoever). The point to remember is physical access to the hardware trumps any computer security measures.
If you want to be really paranoid, check your computer every few days. Look for dongles or adapters you don't remember putting on. Use keyboard cables without ferrites, they could be replaced with a keylogger. Epoxy over the heads of your keyboard screws. Look inside the computer case, see if anything has been added or moved. Then, if you find a key logger, fill up its entire memory with "h4h4! j00 5ux0r!!" ^_^
0 1 - just my two bits
Obviously, this would have to have at least some software, even though if it's a hardware keylogger, because the document implies that it's context-sensitive (doesn't capture keystrokes that get sent out over the modem.)
Also, the obvious question: how did they install the keylogger in the first place?
Any conspiracy theorists wanna bet that Microsoft has had such backdoors (eg, blank areas in KERNEL32.EXE or the like where the FBI, etc could covertly upload arbitrary code, if triggered by say, inserting a floppy with the right code in the bootsector, etc)?
There's 10 types of people in this world, those who understand binary and those who don't.
There are also 40,000 deaths per year in the US [cdc.gov], not through terrorism, but through automobile accidents. Would you also suggest that for safety's sake we ban the automobile?
About 2.4-million Americans die each year of other various causes. Aging should be banned as well.
If you want to be REAL paranoid...
Build a large steel cabinet, using .25 inch steel plate. Add ventilation holes. Put the computer inside, maybe with a UPS as well. Run cables out of it via romex sheathing to power and monitor, and weld the romex to the box. DO NOT hook up any printer or modem - or if you do, place it in the box with the computer.
Create a wireless IR keyboard interface, with one of those mini keyboards - plus possibly custom software drivers and/or hardware interfaces for it. Provide a hole so that the IR x/r unit can "see" out of the box to the keyboard.
Lock the box up in some manner - tack welding might be preferable. Add a power switch to the outside of the box, maybe a few status LEDs.
Take the keyboard with you whenever you are not with the machine. Perhaps sleep with it under your pillow, or put it in a safe under your bed or something. Follow the rule about using epoxy on the screws. Maybe put seals over the welds, or take pictures of the welds to compare with every now and then (say once a week). You might even want to place the monitor in a copper wire mesh bag or Faraday cage, properly sealed and grounded for stray RF emissions. Maybe not even provide a modem, only a floppy drive of some sort - and do all decryption on that secured machine. Won't stop "them" from tracking who/when you comm with other parties (ie, traffic analysis), but will keep them from logging you.
If you are truly needing this, you will see that what I suggest is actually worthwhile...
Reason is the Path to God - Anon
My computer is permanently connected to the internet or 'communicating' by means of a network card. I think the difference in function between a modem and a network card is quite small. So following the line of thought: if my network card is functioning, it's not allowed to grab keys :)
sim-ple.
Privacy is terrorism.
Why not? Simple. If word got out that the US government could break PGP, everyone who cared about securing their communications from the US government would switch to something else. Governments take extraordinary measures to protect outside knowledge of their cypher-breaking capabilities. Go read some books about Enigma (or, if you want the story with a bowlful of Claire Danes, wait for the upcoming movie :) ).
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
From the java ibutton web page:
Specific intrusions that result in zeroization include:
Combine that with a firewall they say is running on it, the fact that it has an unalterable clock, and that it has a unique serial number, both engraved on the outside and burned into ROM, this comes about as close to Fort Knox for data as you're going to find this side of classified.
Of course, it does run java, and it would be possible, if you didn't properly secure it, to load arbitrary java code on it and use that to do whatever you (or those whom you want to protect your data from) wanted to do.
The truth about Scientology, Xenu, and you: Operation Clambake
EXACTLY. I won't feel safe until I get one of those palm/cellphone combinations and it's running WinCE that can be replaced with Linux. Of course, it's all for naught if my friends don't use encryption, too.
It used to be great, 95% of my email to my friends stayed within the same BOX for years. We would all SSH in and use GnuPG only when we wanted lasting security. Now my friends are losers and pop their email into Outlook. Now *they're* whining to me that I can't keep up with *them* and get OpenSSL to sign/encrypt email to them in Outlook. Now I feel like I can't talk to them about *anything*!
AAARRRGGHHH!!
Intelligent Life on Earth
If you're using Windows, you can hold down [Alt] and type in the ASCII code on the numeric keypad, and get characters that way. I don't think this works in Linux. Another tactic for GUI users would be to pop up a virtual keyboard that sends the appropriate message to the active window when the buttons are clicked with the mouse. I suppose this could be made to work with console apps as well, esp. if it is in a console window. Or, just click away from the window and enter some gibberish in a text editor, click back and enter the next character of your password, click away, rinse, repeat.
If he encrypted files for his own use, he would be able to decrypt them. Maybe his messages were encrypted for multiple recipients, one of whom was himself.
Use cleartext that is part of the system such as text from the man page for the "ls" command. This is an example, but you'd want to pick a lengthy man page. Start and end in the middle of a word. Also, do two or three cut and pastes. One cut would be simple to break. Two or three, and now they are in trouble, because there are all kinds of variations on multiple cuts. Or to be really vicious, open a common image file in a text editor and cut and paste from that. There's some entropy!
Remember, You are unique...just like everyone else.