Slashdot Mirror
FBI Files Brief on Scarfo Keylogger
Firewort writes: "In an affidavit (warning, it's a PDF) filed with a federal court in New Jersey, the FBI has disclosed some of the details of a controversial "key logger system" used to obtain the encryption password of a criminal suspect. They go into great detail describing PGP and the different methods they might have used to keystroke-log Scarfo to get his encryption key." Interesting, and more technically sophisticated than the basic keyloggers which grab keystrokes indiscriminately.
The key to fooling the keylogger is to use a blank password, of course.
FBI recruiters who are reading this: you know where you can contact me about that job offer.
It's important to note the fact that it doesn't log all keystrokes for 2 reasons:
1) It's impressive. Less keystrokes logged that could be potential passwords, the less manpower required to examine the logs.
2) It leaves potential exploits open for crypto software writers and users in order to trick keystroke loggers into passing them over without recording the activity.
On another note, Bruce Schneier has always reminded people that a secure system always includes at least 2 out of three things: Something you know (password), something you have (ATM card), or something you are (biometrics, fingerprint).
My point is that
Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password. Or, the person could just always keep the password key on a CD-ROM that they physically take with them and can destroy at a moment's notice.
I was under the impression that part of the reason that it didn't log everything was to keep from possibly recording communications (Which would need a different kind of court order, along the lines of a phone tap).
Why would this be strange? Most agents know pretty well what they can, and cannot get away with. The FBI, given some of the problems of the past, is doing what they can to NOT lose a case over a technicality. So creating a tool that allows them to capture only the information they have a court order for is an excellent idea from the FBI. If they got everything, found some new evidence from that illegally acquired information, it would probably get tossed out of court, along with the case (fruit of a poisoned tree).
A law enforcement agency, creating a tool that is designed to operate within a limited court order - shouldn't we be at least somewhat positive of this?
"But we decide which is right, and which is an illusion"
The affidavit says that Scarfo used a Windows OS.
Coupled with the DOJ ruling, it just goes to prove that M$ Windows is an operating system written for criminals by criminals.
Five or six thousand people died in the attacks on the World Trade Center and the Pentagon. It is a horrid tragedy and I would never try to minimize it, but it pales to the number of people who have died defending democracy. In three of these defining wars, as tabulated below, there were over 350,000 deaths.
This only includes those killed in action or dead from wounds and doesn't include prisoners of war. It seems tremendously disrespectful to those who died creating or defending this country to relenquish our rights, rights earned through their deaths, so easily.
There are also 40,000 deaths per year in the US, not through terrorism, but through automobile accidents. Would you also suggest that for safeties sake we ban the automobile?
Chris Kuivenhoven is a thief, beware
Brute forcing depends on key length. If you are willing to spend, say, 1 billion on it, a PGP special purpose RSA breaker (or ElGamal breaker), that takes, say a day to break a 512bit key, could be feasible (the numbers are just a very rough guess, but I think not so unrealistic).
I doubt very much that they can break 2048 bit at the moment and I think 4096 bit is secure until some serious mathematical breakthroughs (which cannot be predicted).
The NSA could have such a device for emergency purposes.
Cheaper would be an attack on the passphrase. Most people don't have so much entrophy in their passphrase. E.g. I have only about 65 bits. Of course for this you need the secret keyring, a ciphertext sample will not be enough.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
P.S.: I think part of these "we (could) have broken" statements are also a smokescreen that is intended to make people not bother with encryption, because "they can break it anyway".
Would not be the first diversion with that purpose: If you cannot defeat it, undermine its credibility.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
nds09813-050-- -- the prison identification number of Scarfo''s father.
HIV Crosses Species Barrier... into Muppets
When I read this headline, I thought, Scarfo is a pretty sensible name for a keystroke logger.
Perhaps what's needed is a USB dongle, with an external switch that fries the flash RAM inside, rendering it unusable, and unreadable even to people trained in data recovery.
Well, there's the Dallas Semiconductor iButton. It includes tamper-resistant features that will zero its RAM under certain conditions (e.g. over-temperature), although it doesn't have an actual "erase" switch.
Just use the windows character generator. When you need to enter a password, click it into the windows character generator and copy the resulting string and paste it later. No keyboard interface is ever required.
Of course, then you're vulnerable to those things which remotely view monitors (Van-eckman scanners?). But I suppose if you're really paranoid about something like this, you would actually search for a keyboard logger first and put 3 other monitors nearby to create interference. So I guess it's all academic.
-Ted