Slashdot Mirror


FBI Files Brief on Scarfo Keylogger

Firewort writes: "In an affidavit (warning, it's a PDF) filed with a federal court in New Jersey, the FBI has disclosed some of the details of a controversial "key logger system" used to obtain the encryption password of a criminal suspect. They go into great detail describing PGP and the different methods they might have used to keystroke-log Scarfo to get his encryption key." Interesting, and more technically sophisticated than the basic keyloggers which grab keystrokes indiscriminately.

27 of 249 comments

  1. warrant by djtech · · Score: 3, Insightful

    As long as they have a warrant I think this should be legal for them to do. In a few years it will be obsolete since we'll have bio-interfaces to our computers. Let's see them tap into that without us knowing!

  2. Bypassing the keylogger by loosenut · · Score: 4, Funny

    The key to fooling the keylogger is to use a blank password, of course.

    FBI recruiters who are reading this: you know where you can contact me about that job offer.

    1. Re:Bypassing the keylogger by jeffy124 · · Score: 3, Interesting

      Actually, from the looks of the brief, there are a few ways to circumvent their device. To me, it appears the key (no pun intended) to thwarting this lies in that the logger is only active while the modem is active, meaning you have to be online in order to have your keys logged.

      Option #1
      Some have suggested saving that phrase in a text file and then copy/paste from there would work, except that your passphrase is now in clear text on your hard disk. Any search warrant against your machine would find that file, and your private key becomes compromised.

      Solution there is to open a text editor before going online, entering the passphrase there. Go online. Get the mail and then copy/paste the passphrase, close text editor w/o saving.

      Option #2
      Download the email off the mail server (ie, POP it off the server). Go offline. Enter passphrase and read message.

      Likewise, don't write emails while online. Write and encrypt first, then go online to send. The keylogger appears to be able to pick up your typing of the message if you're online as you write it. (This also saves you $$$ if your ISP is cheap enough to still be charging per hour rates!)

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  3. A simple keystroke logger can be elegant, too by adx200 · · Score: 5, Insightful


    It's important to note the fact that it doesn't log all keystrokes for 2 reasons:

    1) It's impressive. The fewer keystrokes logged that could be potential passwords, the less manpower required to examine the logs.

    2) It leaves potential exploits open for crypto software writers and users in order to trick keystroke loggers into passing them over without recording the activity.

    On another note, Bruce Schneier has always reminded people that a secure system always includes at least 2 out of three things: Something you know (password), something you have (ATM card), or something you are (biometrics, fingerprint).

    My point is that ...
    Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password. Or, the person could just always keep the password key on a CD-ROM that they physically take with them and can destroy at a moment's notice.

  4. Doesn't it seem strange by Lawmeister · · Score: 3, Informative

    that the FBI was so concerned about not capturing anything but the passphrase for the PGP key? Call me a sceptic but I'd say that the affidavit merely states this to either make it seem like they really know what they are doing, or to appease whatever restrictions the warrant for their entry to the premises and 'bugging' of the computer allowed.

    I would seriously doubt that if this 'device' was capable to record every keystroke as they claim, that if they had the opportunity to sift through Scarfo's (outgoing) email/online banking/Adult-Check/etc. they wouldn't.

    1. Re:Doesn't it seem strange by Ravensfire · · Score: 5, Insightful

      Why would this be strange? Most agents know pretty well what they can, and cannot get away with. The FBI, given some of the problems of the past, is doing what they can to NOT lose a case over a technicality. So creating a tool that allows them to capture only the information they have a court order for is an excellent idea from the FBI. If they got everything, found some new evidence from that illegally acquired information, it would probably get tossed out of court, along with the case (fruit of a poisoned tree).

      A law enforcement agency, creating a tool that is designed to operate within a limited court order - shouldn't we be at least somewhat positive of this?

      --
      "But we decide which is right, and which is an illusion"
    2. Re:Doesn't it seem strange by kevinank · · Score: 3, Interesting

      True, but that does not mean that they are not going to break the rules. The knowledge that they couldn't use the evidence would in no way deter them from collecting it.

      Unlike your local PD, the FBI risks a lot more harm than possible benefit from such a strategy. All it would take is one whistleblower to make the whole thing blow up in their faces. I suspect that if the FBI says they are using those communication restraints it is because they are. Even the political damage, much less the criminal liability of lying to the courts, would be overwhelmingly more costly than losing this relatively unimportant case.
      --
      LibBT: BitTorrent for C - small - fast - clean (Now Versio
  5. Re:A simple keystroke logger can be elegant, too by billnapier · · Score: 4, Informative

    I was under the impression that part of the reason that it didn't log everything was to keep from possibly recording communications (Which would need a different kind of court order, along the lines of a phone tap).

  6. Scarfo's Password by billnapier · · Score: 3, Interesting

    Anybody out there know what it was? The affidavit implies that it was put into court records at some point in time (at least the output of the KLS was). Just curious, thinking it's something like NickyS or BaddaBing.

    1. Re:Scarfo's Password by morcheeba · · Score: 4, Interesting

      nds09813-050 -- the prison identification number of Scarfo's father.

  7. Ctrl-V ? by simetra · · Score: 3, Interesting

    Even if a keystroke logger recorded every single keystroke... if you were to copy and paste a password, say you put it in a text file on a floppy on a different computer.... wouldn't this render the keystroke logger useless? It would have to also record the contents of the "clipboard", no?

    --

    "Would it kill you to put down the toilet seat?" -- Maya Angelou
    1. Re:Ctrl-V ? by The Dodger · · Score: 5, Funny

      Yeah, but think about it.

      Do you really want to leave your PGP passphrase lying around in a text file on your computer? :)

      D.

      ...is for DOH!

    2. Re:Ctrl-V ? by 4mn0t1337 · · Score: 3, Interesting

      passphrase lying around in a text file

      Yeah, but how many millions of phrases are on your computer? The one that is your passphrase doesn't have to be obvious. (ie, brute force attack with the entire contents of the drive should slow someone down.)

      But, even better, you don't even have to leave the phrase laying about for longer than a few seconds. Just open up a web page, select a few char of the password, and paste it to a temp file. Open up another page and copy another block of char and paste that to the file. Keep doing this until you have a complete password, copy it and close the file w/o saving.

      Anything that is recording your input stream from the keyboard is just going to see you just web surfing and doing a lot of copy and paste.

      --

      ______
      Once: you're a philosopher. Twice: a pervert.

  8. Scarfo Used Windows by macsforever2001 · · Score: 5, Informative

    The affidavit says that Scarfo used a Windows OS.

    Coupled with the DOJ ruling, it just goes to prove that M$ Windows is an operating system written for criminals by criminals.

    1. Re:Scarfo Used Windows by Kallahar · · Score: 3, Funny

      In further released papers, the FBI has seized all Microsoft assets. The FBI was able to do this by citing the laws regarding "primary use by criminals" since most copies of Windows are pirated, used by viruses, or used by people who are criminals (including unpaid parking tickets).

      The new company, tentatively called GovernSoft, will be sold to the lowest bidder to pay for the costs of prosecuting the case, which could reach into untold billions of dollars.

  9. Re:For a second there... by eXtro · · Score: 5, Insightful

    I don't agree with that sentiment at all. The rights that we take for granted and which many people presently are ready to concede have been earned through the blood of our ancestors.


    Five or six thousand people died in the attacks on the World Trade Center and the Pentagon. It is a horrid tragedy and I would never try to minimize it, but it pales to the number of people who have died defending democracy. In three of these defining wars, as tabulated below, there were over 350,000 deaths.


    Revolutionary war: 4425
    World War I: 53513
    World War II: 292131
    Total: 350069

    This only includes those killed in action or dead from wounds and doesn't include prisoners of war. It seems tremendously disrespectful to those who died creating or defending this country to relinquish our rights, rights earned through their deaths, so easily.


    There are also 40,000 deaths per year in the US, not through terrorism, but through automobile accidents. Would you also suggest that for safety's sake we ban the automobile?

  10. Re:More keyboard logging by gweihir · · Score: 4, Informative

    Brute forcing depends on key length. If you are willing to spend, say, 1 billion on it, a PGP special purpose RSA breaker (or ElGamal breaker), that takes, say a day to break a 512bit key, could be feasible (the numbers are just a very rough guess, but I think not so unrealistic).

    I doubt very much that they can break 2048 bit at the moment and I think 4096 bit is secure until some serious mathematical breakthroughs (which cannot be predicted).

    The NSA could have such a device for emergency purposes.

    Cheaper would be an attack on the passphrase. Most people don't have so much entropy in their passphrase. E.g. I have only about 65 bits. Of course for this you need the secret keyring, a ciphertext sample will not be enough.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
  11. Re:A simple keystroke logger can be elegant, too by macsforever2001 · · Score: 3, Insightful

    Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password.

    This wouldn't stop the FBI. They could obviously take his fingerprint and probably make some kind of cast based on that to replicate it. A swipe card could be subpoenaed in court too.

  12. Re:More keyboard logging by gweihir · · Score: 5, Insightful

    P.S.: I think part of these "we (could) have broken" statements are also a smokescreen that is intended to make people not bother with encryption, because "they can break it anyway".

    Would not be the first diversion with that purpose: If you cannot defeat it, undermine its credibility.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
  13. scarfo keylogger by trb · · Score: 5, Funny

    When I read this headline, I thought, Scarfo is a pretty sensible name for a keystroke logger.

  14. Fake "real" keyboard, then USB??? bwahahahar! by NeoTron · · Score: 3, Funny

    Couldn't you have your serial keyboard plugged in, then
    when you go to use your pc, go to another room, take out your
    nice USB keyboard, then plug that in and use that instead?

    Wouldn't it be funny seeing the feds' puzzled faces - you've been
    sending all sorts of PGP'd email in the last month, and all their logger has registered is "haha MOFO's!!!!" - LOL!!!!

  15. Interesting. by jd · · Score: 3, Insightful

    "They go into a lot of detail on the methods they could be using".


    THIS is an interesting little statement. It says nothing about what they DID use, merely what they COULD have used. And since it's probably not an exhaustive list, the actual method(s) used may or may not be contained within it.


    It's important to not assume that the FBI are being malicious in what they've put in this brief, but it's equally important to verify what is being said. The FBI are not the most open organization in the world, and it would be erroneous to assume that a court filing will be any more open than anything else they publish.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  16. Re:A simple keystroke logger can be elegant, too by mmontour · · Score: 4, Informative

    Perhaps what's needed is a USB dongle, with an external switch that fries the flash RAM inside, rendering it unusable, and unreadable even to people trained in data recovery.

    Well, there's the Dallas Semiconductor iButton. It includes tamper-resistant features that will zero its RAM under certain conditions (e.g. over-temperature), although it doesn't have an actual "erase" switch.

  17. Solution: Chargen by Ted V · · Score: 5, Insightful

    Just use the windows character generator. When you need to enter a password, click it into the windows character generator and copy the resulting string and paste it later. No keyboard interface is ever required.

    Of course, then you're vulnerable to those things which remotely view monitors (Van-eckman scanners?). But I suppose if you're really paranoid about something like this, you would actually search for a keyboard logger first and put 3 other monitors nearby to create interference. So I guess it's all academic.

    -Ted

  18. A peril of open source by eldurbarn · · Score: 3, Insightful

    Assuming that the version of PGP that was in use was one of the "source available" versions, why didn't the FBI simply alter the passphrase dialog code to store a plaintext version of the passphrase someplace on disk? All they'd need to do is re-install that portion of the application, and hope that the "bad guy" didn't do regular PGP sig/checksum comparisons against his installed programs (and how many of us do that?)

    --
    -Eldurbarn
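
The checksum comparison mentioned in the comment above, sketched as an added example; it is not part of the thread and not code from PGP or any tool named here. File names, the key and the altered file are constructed, and the manifest is sealed with an HMAC key assumed to be kept off the machine so that whoever replaces a program file cannot also re-seal the baseline.

```python
import hashlib
import hmac
import json
import os
import tempfile

def file_digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256."""
    out = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            out[os.path.relpath(p, root)] = file_digest(p)
    return out

def seal(entries, key):
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(root, manifest, key):
    # Authenticate the baseline first: an unsealed manifest on the same disk proves nothing
    if not hmac.compare_digest(seal(manifest["entries"], key), manifest["tag"]):
        raise ValueError("manifest failed authentication")
    base, now = manifest["entries"], snapshot(root)
    return {
        "modified": sorted(p for p in base if p in now and now[p] != base[p]),
        "missing": sorted(p for p in base if p not in now),
        "added": sorted(p for p in now if p not in base),
    }

def demo():
    key = b"constructed-demo-key"  # constructed; assumed to live on removable media
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("pgp.bin", b"main program"), ("dialog.bin", b"passphrase dialog v1")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        entries = snapshot(root)
        manifest = {"entries": entries, "tag": seal(entries, key)}
        # Constructed change: one component replaced after the baseline was taken
        with open(os.path.join(root, "dialog.bin"), "wb") as f:
            f.write(b"passphrase dialog v1 (altered)")
        return verify(root, manifest, key)

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the environment it runs in: hashing from a system that may itself be altered can be made to report clean results, so the comparison is best run from separately booted media.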
  19. okay let me get this straight by Dr. Awktagon · · Score: 3, Interesting

    Did anyone read that whole thing? It seems that the FBI had a keystroke logger that only came on when the modem was off, with the belief, I assume, that the computer isn't a communication device unless the modem is on.

    So then the wiretap laws wouldn't apply when the modem is off? Is my interpretation correct?

    Strange loophole..

  20. Re:A simple keystroke logger can be elegant, too by Sloppy · · Score: 3, Insightful

    Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password.

    Attack: Insert a logger in between the computer and the device that reads cards/fingerprint etc.

    Interface between computer and something thought to be personally secure (the person, or a smart key he carries, etc) must be resistant to MITM and logging attacks.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
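
The logging-resistance requirement in the last comment, illustrated as an added example (not part of the thread, and not any real card or token protocol). The `Token` and `Host` classes and the shared key are hypothetical; the point shown is that a device answering a fresh challenge with an HMAC leaves a wire logger with nothing it can replay, whereas a device that sends a fixed secret does not.

```python
import hashlib
import hmac
import secrets

class Token:
    """Hypothetical smart key holding a secret shared with the host."""
    def __init__(self, key):
        self._key = key
    def static_reply(self):
        return self._key  # weak design: the secret itself crosses the wire
    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Host:
    def __init__(self, key):
        self._key = key
        self._pending = None
    def new_challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending
    def check_static(self, reply):
        return hmac.compare_digest(reply, self._key)
    def check_response(self, response):
        if self._pending is None:
            return False
        challenge, self._pending = self._pending, None  # each challenge is single use
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def demo():
    key = secrets.token_bytes(32)
    token, host = Token(key), Host(key)
    wire_log = []  # everything a passive logger between device and computer records

    reply = token.static_reply()
    wire_log.append(reply)
    static_ok = host.check_static(reply)
    static_replay_ok = host.check_static(wire_log[-1])  # logged value works again

    challenge = host.new_challenge()
    response = token.respond(challenge)
    wire_log += [challenge, response]
    cr_ok = host.check_response(response)
    host.new_challenge()  # a later session gets a different challenge
    cr_replay_ok = host.check_response(wire_log[-1])  # logged response is now stale
    return static_ok, static_replay_ok, cr_ok, cr_replay_ok

if __name__ == "__main__":
    print(demo())
```

This covers logging and replay only; a party that actively relays a live exchange is a separate problem that needs the channel itself to be authenticated.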