Judge Upholds FBI Keyboard Sniffing
mshiltonj writes: "Wired is reporting that keyboard sniffing can be used to catch "mobsters." I feel safer already. You can read the ruling. Here's a snippet: "This case presents an interesting issue of first impression dealing with the ever-present tension between individual privacy and liberty rights and law enforcement's use of new and advanced technology to vigorously investigate criminal activity. It appears that no district court in the country has addressed a similar issue. Of course, the matter takes on added importance in light of recent events and potential national security implications." Translation: Don't deny us this tool or you'll be blamed for us not catching terrorists." See also an Infoworld article. We have several previous stories on the Scarfo case.
As long as law enforcement has to get a warrant, I don't really have a problem with this..
Those who are willing to sacrifice long term Freedom in exchange for the short term feeling of security will always ruin it for everyone.
Time to start using the movements of my eyes to signal changes on my computer
blink, blink, left, wink, blink, right, blink, squint
-Booyah
#include sig.h
I'm glad to see the courts upholding our rights to have unusual fetishes such as sniffing other people's keyboards.
If I remember correctly, J Edgar Hoover was the FBI's original keyboard sniffer.
I Heart Sorting Networks
so we know they can now break in and install a device as well as slip in a trojan.
what solutions are there? as for software, i've seen one site about free-ware antivirus, but it was linux only (like linux needs av software!). it would be nice if there was open-source AV for windows. any pointers?
as for hardware, other than having intimate knowledge of your own hardware (always checking your keyboard cable connection and keeping your chassis open for inspection), i can only think of sealed, tamper proof computer chassis.
I don't see anything wrong with the police searching, or spying on, someone if they first get a warrant.
Best Slashdot Co
looking, muscle bound, gold chain wearing, shiny suited tough guys buying laptops at Best Buy.
In my mind the real question isn't about the keystroke recorder, but the fact that the govt. let them essentially break-in and secretly install it. Yea yea, he's a "known criminal" in our innocent until proven guilty state, but this means that they can use the same tactics on *anyone* not just criminals.
It definitely bothers me.
Moderation: Put your hand inside the puppet head!
What are you worried about? I doubt they were cluefull enough to make a Linux version of the sniffer. ;-)
-Pete
Soccer Goal Plans
i w o u l d n e v e r d o a n y t h i n g b a d a g a i n s t t h i s c o u n t r y. o u r g o v e r n m e n t a l w a y s m a k e s t h e r i g h t d e c i s i o n s.
"The only rights you have are the rights you are willing to fight for."
One of the more interesting things about the recent anthrax terrorism is the presence of anthrax on the first victim's keyboard.
The unfortunate victim died as a result of inhaled anthrax. Spores were found on both his keyboard and in his nasal lining.
Now, I ask, since most people touch their keyboards with their fingers (rather than their nose), how did the spores get from his nasal passage to his keyboard?
Is it possible the contamination went directly from his nasal passages to the keyboard? Could keyboard sniffing already be a widespread practice amongst people in the press?
It's certainly something to think about.
Save the whales. Feed the hungry. Free the mallocs.
separate wires and trunks and routers and networks, to be free. We need a geographically distributed Intranet that is incapable of connecting to the Internet, where the FBI can snoop using Magic Lantern or any other tool it wants.
The government wants to protect its corridors of free information and commerce instead of its borders, or territory. This redefinition of sovereignty is really a justification for imperialism.
If one accepts that logic, though, the only thing to do is to create a sovereign and inviolate internet, separated by an airwall from the Internet. Info between the two can be carried via disks that are rigorously scanned, if necessary.
I can't wait to see some secret cables being dug and laid by freedom-loving people.
Goat sex free since 2001
I'm sure others will notice this, but how exactly does the installation of the sniffer take place? Since there is no warrant, and only a court order, do the authorities have the legal backing to "break and enter" a computer to install the sniffer? Is a computer awarded the same rights as a physical place (i.e. apt, home, etc.)?
Also, if the sniffer is sent as a trojan'd email or program, could this lead to entrapment defenses based on the enticement used in the delivery method?
"Moving through the masses like a fish through water." syrup
Here are some excellent step-by-step instructions on securing Linux, Solaris, and NT.
If they get a warrant first.
Best Slashdot Co
I've actually seen similar products for sale at $99 in consumer electronics catalogs as a way to catch your kids surfing porn.
While I have not (yet) seen equivalent products for USB on the market, sniffing USB is even easier than PS/2.
I do not deploy Linux. Ever.
I just know Bin Laden and his evil computer hacking cronies are pissed off about this. Way to go FBI!
Pshaw! Who needs to detect bombs in shoes when we got THIS. Al Quaida, we ownz joo, baby!
-------------------------------------------------
charlton heston is more of a man than yo
Who cares if the FBI smells my keyboard? It prolly just smells like sweat and doritos.
Of course, if you only used your laptop or portable/"belt-top" wearable systems, and kept it with you constantly, even sleeping with it, then all this might be a moot point.
*ahem* Not that I'm actually thinking about doing something like that, or would have any reason to do so, Mr. G-Man. Heh.
I looked into the abyss, and the abyss looked into me--and we both winked.
un-sniffable keyboards
sniffer detection systems
etc..
The real danger here lies in how wiretapping is shifting from being an activity you need to actively monitor via an external resource, and is becoming a self-contained object you drop into the suspect's house and fetch later. The latter you only need a court order. The former you need a full warrant.
Until a judge figures out that loggers and tappers are basically the same thing with two different methods of planting and unplanting, this ruling will stick, unfortunately. And once voice recorders are small enough to be plantable devices without any active collection needed (or video recorders, or combination video and audio and keystroke and data packet sniffer and so on) then little black boxes can sneak into anyone's home on thin suspicion.
Smart card readers (for your key), and voice dictation software. A keyboard logger can't work if you don't use the keyboard.
When someone yells "Stop" or goes limp, or taps out, the fight is over.
The US has the concept of the citizen/soldier. Basically, the average citizen is required, when called, to provide for the common defense.
While police are not the military, they are still providing for that common defense. Why should anything be reserved to a government agency, and kept away from the people at large? Isn't this a government of the people, by the people, for the people? A lifetime membership in the public beauraucracy [sorry for my spelling] is a frightening thing.
I'm starting to think the ancient Athenians had it right.
Public service there was should be involuntary, random, and short.
I am a former Military officer, so no need to tell me about military secrets and stuff like that. Far more of our offensive ability comes from our advanced manufacturing power than scientific advances on the US has. I've served my time, and have now returned to the (server) farm.
Open Source Identity Management: FreeIPA.org
contrary to /. belief. It specifically states that law enforcement needs a search warrant before searching your property or person. Now since they didn't have tcp/ip or telephones in those days it's up to the court system to update the meaning of our constitution as times and technology changes. That's how it has always worked. If you're a suspect and a search warrant is issued our law enforcement agencies have been able to search your property for the last few hundred years.
Do any of you actually do anything that would merit the FBI spying on you?
Blar.
Come on. There is absolutely nothing wrong with this. This is exactly how police surveillance should happen. A court order is still required. It is difficult to do on a large scale, at least when a physical key logger is used. It does not require people to use broken encryption. The problem starts when people are forbidden from verifying the integrity of their own computers.
bb
Hmmm, with the amount of hair and gunk that has managed to build up in my keyboard, I'd be afraid to smell it...
What is this, some new form of fetish?
;)
This ruling also will most likely apply the "Evidence in Plain View" rule to the Internet... meaning that if you are caught doing something illegal online (analogous to being stopped for speeding and a cop sees a bag of pot in your passenger seat), that evidence may also be used against you.
But we know no one here does bad things like that!
In case of fire, do not use elevator. Use water!
they probably won't shut down mobster - they'll just have a long string of court dates and then make them switch to a subscription model.
Here's the relevant part of the decision:
"Acting pursuant to federal search warrants, the F.B.I. on January 15, 1999, entered Scarfo and Paolercio's business office, Merchant Services of Essex County, to search for evidence of an illegal gambling and loansharking operation. During their search of Merchant Services, the F.B.I. came across a personal computer and attempted to access its various files. They were unable to gain entry to an encrypted file named 'Factors.'
Suspecting the 'Factors' file contained evidence of an illegal gambling and loansharking operation, the F.B.I. returned to the location and, pursuant to two search warrants, installed what is known as a 'Key Logger System' ('KLS') on the computer and/or computer keyboard in order to decipher the passphrase to the encrypted file, thereby gaining entry to the file."
Note that the FBI had a warrant for the first entry, and returned with new warrants to install the KLS. I'm as paranoid as the next guy about government intrusion (hence my Libertynews.org website) but the FBI followed the rules here. And as detailed in previous articles they actually bent over backwards to make sure the KLS did not record any of his online keystrokes.
This is the kind of thing that civil libertarians should be applauding, proper use of warrants and use of technology to limit the scope of their intrusion.
Remember Lexington Green!
Jesus... everyone is using terrorism to invade liberties and attack others. They've set up military tribunals, email/keyboard sniffing, hundreds of detentions, racial profiling under this "terrorism" excuse. Even foreign countries are using it; China's calling Taiwan "terrorist," Russia says the Chechens are "terrorists." It's absurd and ridiculous.
...that this will be at all effective? Think about this:
First off, how many people are NOT running Lookout Distress or similar Gatesian Bloatware for their E-mail? Those who fall into this category WILL see the 'Magic Lantern' worm as an unexecuted file attachment, one that is likely to be quickly deleted.
Second: How long is it going to take the computing community "At Large" to dissect how ML or any other keyboard logger works, and come up with a very effective countermeasure?
Third: How long will it take seasoned criminals to grab said countermeasure? The ones that are computer-savvy can download and install just as well as any techie.
This whole exercise seems to be little more than useless window dressing to me. It almost looks like a (somewhat desperate) attempt by the FBI to fool the public into thinking they're effectively fighting terrorists when they may not have the slightest hint of a clue.
I don't pretend to have all the answers, but I really don't see what good monitoring Lord only knows how many computer keyboards will do. And how is a typical consumer, who can barely find their system's power switch, going to know if they're being monitored?
Bruce Lane, KC7GR,
Blue Feather Technologies
In order to combat this, the FBI designed their keylogger to go inactive while the modem was connected. I still have some lingering questions about this. E-mail is asynchronous. With many e-mail services (Eudora, Outlook, and AOL), the underlying software lets you compose e-mail offline and store it to disk, automatically transferring it at a later date. Personally, I compose a lot of my e-mail when my computer is offline -- these days, I spend half my time on airplanes, it is when I get the most e-mail written, I sync when I land at the next destination.
Another worrisome trend is that the hearings were "ex parte in camera" -- meaning in the judge's private chambers without the presence of defense attorneys. The FBI claims the details must remain a secret for national security reasons. The defense attorneys are only provided a sanitized summary of the keylogging features, not the full details. This is worrisome because it prevents the public from understanding the details of what is really going on. As we saw in the Carnivore case, the FBI was free to define its own boundaries. For example, when Carnivore grabs e-mail summaries, I would interpret the court order as allowing capture of only the SMTP "envelope" containing the TO/FROM addresses -- the FBI interprets this as capturing the full e-mail headers. I think this is a gross violation of civil liberties, but there is no way to challenge this. Likewise, the keylogger details may show similar gross violations of civil liberties, but the FBI hides behind its cloak of "national security".
The thing is, there are no important details to keylogging. You can go to http://www.keyghost.com for your own hardware-based keylogger, or you can download numerous keyloggers off the Internet. There are some difficult problems. For example, PGP 6.0 introduced a keyboard driver that intercepts your keystrokes: when you type your password, this driver routes them around Windows. Thus, while it appears that you are typing in a dialog box, this is only an illusion. Standard software keyloggers for Windows will not capture the passwords. (This is why PGP 6 doesn't work well with Win2k -- it doesn't have the power management features, so it prevents Win2k from going into "suspend/hibernate" mode).
Anyway, I'll be posting some more detailed analysis later this month on my personal website. In addition, I'm providing a $10,000 bounty for anybody PC containing an "interesting" keylogger -- maybe one from the mafia doing industrial espionage, maybe one from the FBI, I don't care. I'll be posting the full details to my website (http://www.robertgraham.com).
The department of education has been dissolved for failing to teach proper english, after it was leaked by the FBI that hundreds of thousands of US slashdot posters used both syntatic and grammatically incorrect English....
there are no stupid questions, but there are a lot of inquisitive idiots
Is there any software that allows you to firewall outgoing packets as well as incoming?
I'm definitely getting modded down for this (Moderators: use "Offtopic", please!) off topic post, but frankly I don't get your sig. Do you mean to tell me god has sacks? Does he weigh them out to 7.10 grams?
"What is the sound of one belly slapping?"
If you check the documents you will see that this case started under the Clinton administration. In fact, the last data was collected on May 23, 1999. God forbid that anyone think that the Democrats ever invade civil liberties. :-)
They just want all my pr0n passwords!
--- Do you believe in the day?
Just present the user with a table with all the printable characters in it, in random order each time. The user won't *type* his password, but select the appropriate characters in the appropriate order, clicking on them with the mouse.
As the position is random each time, you can't find the password clicked, even if you logged the mouse coordinates.
I emailed this idea to 2 projects creating graphic interfaces for gpg, but haven't heard from them.
Let me preface this by saying I don't really have much of a problem with keyboard sniffing in and of itself. It has its uses and can be an enlightening experience. What worries me is what is to come a year or so down the road. It won't stop with keyboard sniffing. No.
So, I put my foot down when it comes to mouse sniffing. Cute as they may be, the little buggers carry any number of diseases, both airborne and from the parasites they host.
Thank you.
From what I recall, at least one major antivirus software company commented that they would not include FBI Keyloggers or other such tools in the virus updates. So for the average user, there is no defense.
that I don't want the government brandishing.
Don't get me wrong, I'm not one of the types that thinks everytime the government makes a new law or whatever that it is a bad thing. I simply feel that privacy is one of our most sacred freedoms.
If the government taps me accidentally instead of their intended target, and they discover me doing something that violates a law in a minor way, they are going to pursue getting a warrant so that they can use the information legitimately next time it happens. Point is they didn't have the right to tap me in the first place.
Second point is this. If I get tapped by accident (net-criminal spoofed my IP/connection details) and a third party hacker (I'm simplifying this.. I know I'll catch heat for using hacker) intercepts the signal, he may learn of information that puts me, my career, or my life in danger.. information that would not have leaked had it not been for the government adding a hole to my system. I doubt the government would compensate me if I lost my job for leaking trusted information to the web.
I'm all for anything that aids our law-enforcement officials, as long as they are responsible and take ownership of the consequences.
Making it mandatory for the government to notify you that you are being snooped defeats the purpose of the monitoring in the first place. A more suitable method would be allow concerned individuals email or call to request whether or not they are being snooped. Then if they ARE snooping you, and they have reason, they can ask you to see a local court to discuss the matter without actually stating that they ARE monitoring you. That is one faster way of getting the criminals into court, if they are foolish enough. It also protects the innocent. Of course if the government is 'accidentally' snooping you, they will just tell you "no, we aren't monitoring you" because they think they are monitoring the person spoofing your connection.
A better solution is a time-passworded utility that you can install and call to request the current password. The utility would check your system for the trojan. If that is the case, I'm all for this course of action against cyber-crime.
-fc
.
. echo -e \\04 >
Point-and-click text entry for your passwords. Ever seen the Key Caps desk accessory on a Macintosh (or the Character Map on Windows)? Tie something like that into a graphical login display, and there you go. Logging mouseclicks is still a viable option, but how would the logger know that {x=260; y=580} was the letter F? It would need to hook into the software displaying the charac... oh, look, now we can secure ourselves via the OS software, can't we?
Liberty in your lifetime
Won't be long before the makers of privacy tools will change their GUI front ends so that a keyboard is no longer used to authenticate. The simplest method would be to display a virtual keyboard and have the user mouse over to each character. It would be difficult, though not impossible, to construct a "mouse sniffer" that gathers enough data to reconstruct the password based on movement history. Defeating that would simply require randomly moving the virtual keyboard between each click. A bit of a pain, but if you really want to avoid the rubber hoses, you may have to do it.
The only problem after that is evading the "looking over your shoulder" that no-echo keyboard password prompts are so good at avoiding. Maybe a very low contrast virtual keyboard and cursor...
What do you mean they cut the power? How can they cut the power, man? They're animals!
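The randomized on-screen keyboard proposed in several comments above (a character table in fresh random order for each prompt, or moved between each click), as an added Python example that is not from any poster or from a gpg front end. The grid geometry, function names and sample password are assumptions, and the logger is assumed to record click coordinates only, not the screen contents.

```python
import secrets
import string

# Assumed geometry for the illustration: the 94 printable ASCII characters
# laid out in a 16-column grid of 32x32 pixel cells.
CHARSET = string.ascii_letters + string.digits + string.punctuation
COLS, CELL = 16, 32
# OS CSPRNG: a predictable generator would let a logger reproduce the layouts.
_rng = secrets.SystemRandom()


def new_layout():
    """Return CHARSET in a fresh random order."""
    chars = list(CHARSET)
    _rng.shuffle(chars)
    return chars


def cell_center(index):
    """Pixel coordinates of the middle of grid cell `index`."""
    row, col = divmod(index, COLS)
    return col * CELL + CELL // 2, row * CELL + CELL // 2


def char_at(layout, x, y):
    """Character drawn under pixel (x, y), or None for an empty cell."""
    col, row = x // CELL, y // CELL
    index = row * COLS + col
    if not 0 <= col < COLS or not 0 <= index < len(layout):
        return None
    return layout[index]


def enter_password(password, mode="per_click"):
    """Simulate password entry by mouse.

    mode: "static"     fixed layout (an ordinary character map)
          "per_prompt" one random layout for the whole prompt
          "per_click"  a new random layout before every click
    Returns (text the application reads, clicks a coordinate logger records).
    Raises ValueError for characters outside CHARSET.
    """
    layout = list(CHARSET) if mode == "static" else new_layout()
    typed, clicks = [], []
    for ch in password:
        if mode == "per_click":
            layout = new_layout()
        x, y = cell_center(layout.index(ch))
        clicks.append((x, y))
        typed.append(char_at(layout, x, y))
    return "".join(typed), clicks


def logger_decode(clicks, guessed_layout=None):
    """Decode logged clicks with the layout the logger assumes (default: unshuffled)."""
    layout = guessed_layout or list(CHARSET)
    return "".join(char_at(layout, x, y) or "?" for x, y in clicks)


def repeat_pattern(clicks):
    """Indices where a click lands on the same cell as the previous click."""
    return [i for i in range(1, len(clicks)) if clicks[i] == clicks[i - 1]]


if __name__ == "__main__":
    pw = "aabX#Z9q!m2k"  # constructed sample password
    for mode in ("static", "per_prompt", "per_click"):
        typed, clicks = enter_password(pw, mode)
        print(f"{mode:10} app_ok={typed == pw} "
              f"logger_sees={logger_decode(clicks)!r} "
              f"repeats_at={repeat_pattern(clicks)}")
```

With one layout per prompt, a doubled character still shows up as two clicks on the same cell, so the logger learns the repetition structure of the password; reshuffling before every click removes that signal.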
Of course, the trick is not to plant the bug, the trick is to plant the bug in such a way that your intrusion is not discovered. I suspect that the brighter folks in the criminal world will be focussing on detecting such intrusions more than they will be focussing on preventing them.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
This guy is obviously a terrorist.
Can't someone just kill the process? Poof, no more keylogger.
B r o w s e t o a w e b p a g e w i t h l o t s o f w o r d s o n i t a n d t h e n c u t a n d p a s t e e a c h l e t t e r y o u n e e d.
Kind thoughts do not change the world
If the government taps me accidentally instead of their intended target, and they discover me doing something that violates a law in a minor way, they are going to pursue getting a warrant so that they can use the information legitimately next time it happens. Point is they didn't have the right to tap me in the first place.
Well, in that case, the charges they bring against you will be dropped (assuming your lawyer is decent) because of exactly what you said: they didn't have the right to tap you in the first place. Then you can sue them for your time.
~ now you know
Isn't some kind of bizarre expectation of privacy principle at work here as well? That so many people are denying such a thing for all things internet is very disturbing and in sharp contrast to laws for now obsolete communications methods, phone and post. How the bastards decide that the government can look into my private communications without reason is much less important than the fact that they will do so. The fourth amendment is going away.
What's to keep them from putting cameras into your house? That would have worked just as well to get the passwords.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Ima gonna git me somma that sniffer stuff and catch me a terrorist, what with the rewards they're offering. Never mind I'm not the FBI, all's fair in love and the war against Terrorism.
Look out neighbors, here I come.
How about an encrypted channel between the keyboard/mouse and the computer?
I've heard a lot about the media mega-corps talking about encrypting the output of video and sound cards to prevent people from copying their digital content the old-fashioned way; if that's possible, wouldn't this also be?
Liberty in your lifetime
Keylogging is simple to get around. Just use character map to get all your crime organized. :)
Of course, there are plenty of organizations besides the government that may well become interested in keystroke monitoring. For instance, a company might well be worried about industrial espionage. If the government starts using keystroke capture programs, then it's only a matter of time before such software escapes into the private sector.
The interesting question then becomes, how does one counter the threat of this sort of attack? In other words, what protective measures can one take to ensure that even if someone were to gain physical access to your computer, they would be unable to successfully alter it to install a keystroke monitor.
I see at least two possible types of threat:
(1) Insertion of a physical hardware device into the computer or keyboard
(2) Insertion of monitoring software into the computer.
Protecting against the installation of physical hardware could probably be done with physical means -- for instance:
(a) tamper-evident seals placed across the screws holding the keyboard together, and also the case.
(b) A reed switch inside the computer case to power down the computer if the case is opened.
At least this way you would know if your computer had been physically tampered with.
There's always the issue of "magic-lantern" type software attacks. Let's assume for a moment that one can harden their computer against email and internet virus attacks. The issue here is that of someone breaking into your house, and altering your computer's software while sitting at your keyboard.
Protecting against a physical access attack would be more difficult, but I can think of at least one possible technology that might work.
There's a new product on the market -- USB keychains. These devices plug into a USB port, and emulate a small hard drive, ranging from some 16MB to 256MB.
Imagine loading such a USB flash drive with a boot partition, and a minimal root partition. The rest of the flash drive would be loaded with millions of bytes of cryptographic keys that would each encrypt a very small amount of data on the internal hard drive.
To toss in some numbers, the bootable partition in the flash drive need not be more than about 2MB in size, leaving at least 14MB available for cryptographic keys.
That would store around 3 million 40 bit keys, enough keys to provide a separate key for each 32KB of data in a 100GB system. That 32KB need not (and probably should not) be contiguous.
Under such a system, the entire contents of the internal hard drive would be completely encrypted. There would be no unencrypted boot block, or unencrypted directory structure. The hard drive would contain nothing but wall-to-wall encrypted data and would be unbootable. This would probably make it impossible to install keystroke monitoring software on such a computer without gaining access to it in a powered-up state.
In order to use such a system, you would start with the computer powered down. You would plug the USB drive on your keychain into the USB port in the front of your computer, and power up. The system would boot off of the USB drive. The system would ask for a startup passphrase, which would be used by a cryptographic HD device driver, in conjunction with the key data on the USB drive in order to allow access to the unencrypted contents of the computer's internal hard drive.
The purpose of the passphrase would be to prevent anyone from gaining access to the contents of your hard drive, even if they obtained your keyring.
The system would then boot like a ramdisk system, and finally overmount the USB disk root partition with the actual, encrypted root partition on the hard drive, using the cryptographic device driver, the passphrase, and the 14MB+ of cryptographic keys to access the hard drive.
When you were done using the computer, you would power it down, and remove the USB keychain. After all, you aren't leaving the house without your keys, are you? This leaves the hard drive 100% fully encrypted, and a properly designed 100% cryptographic filesystem utilizing 14MB+ of key data would be essentially unbreakable.
So what do you all think? Is this proposal workable? Does it protect against the installation of keystroke monitoring tools?
I've had submissions marked as accepted that then waited nearly 12 hours before being posted. Slashdot (generally) tries to spread out the submissions on the front page. That you were rejected so quickly probably means that they had already seen and accepted this guy's story but were waiting till after some of the other constitutional issues stories had had some time to be commented on.
I just donated $100... and you should too!
If you are even REMOTELY concerned about civil liberties, freedom of speech, or privacy you should donate to the Electronic Frontier Foundation today:
http://www.eff.org/support/
Linux is, at best, a toy operating system. At worst it is the kind of subversive force in America that Stalin only dreamed of creating.
There are "cells" reporting to unknown leaders that only go by names like "L33t_Kernal_Hax0r" that cannot be located - after all, "living in my momma's basement cause I have no real world skills to speak of" is not a true street address.
There is the Marxist concept of "give what you can, take what you need." Only, none of these people can give anything, excepting the few heroes of the revolution that have their own roach filled apartments and must give blow jobs in parks monthly to meet their rent. Yet, they all feel the need to take, take, take. MP3s? "We must have them! It is about freedom for the artists!!" Software? "We must have it for free! It will be good then!!" Movies? "Yes, we must have them for free!!!" Of course, the dirty secret all of these "give it to me free!!!" people are trying to hide is that they have no resources to actually acquire anything legitimate, due to their pathetic skill set and the fact that society has no use for them.
Society, in fact, had no use for them even during their formative years. That's why their lunch money was stolen. Darwin's law was trying to assert itself, but overprotectively indulgent parenting prevented such a thing from happening.
I know I'll get modded down for saying this, but here goes:
I demand that you mod this post down![*]
(fucking ben fucking franklin and his fucking daylight fucking savings time!)
Even though I'm normally a bit on the paranoid side when it comes to privacy on the Internet, I really have no problem with keyboard sniffers, as long as they are targeted to suspected individual criminals. I think that it's perfectly OK for law enforcement officers to use almost any surveillance means whatsoever necessary to gain evidence provided that
1) they are targeted to a specific individual when there is other reason to believe that said individual has committed or is about to commit a specific crime (and not used as a wide net just to see if something illegal would happen to be going on)
2) the legal system (a judge) is kept aware of what is going on
3) complete records are kept of all police activity
4) if something illegal is found, it is used in prosecution immediately or dropped altogether (and not stored for future coercion etc. use)
5) if nothing illegal is found, the target of surveillance is informed that he has been under monitoring, possibly after a short period of time, the maximum length of which is fixed.
And after all, isn't it better that the feds use sniffers to bypass encryption in individual cases, rather than try to get legislation passed that would require an escrow system, weak encryption or anything else like that?
Whether surveillance is good or bad is totally dependent on how it is used. If the government keeps it to itself and only uses it to enforce just laws, then it is fine, regardless of the extremeness of the surveillance. You have nothing to fear unless you are doing something illegal. The problem arises when the government uses surveillance to enforce unjust, paternalistic laws (like those against marijuana), or lets third parties, like spammers, get their hands on the information it collects.
The only good reason for surveillance-phobia is that surveillance allows the government to enforce laws against "victimless crimes" (such laws are all unjust, in my opinion) that would otherwise be virtually impossible to enforce. Denying the government surveillance denies it the ability to enforce big-brotherish laws, but also weakens its ability to enforce good laws, like ones against murder. Civil rights advocates should be focusing on abolishing unjust laws that surveillance is used to enforce, not weakening law enforcement as a whole by stopping surveillance.
Repeal the DMCA!
And how exactly are they going to deal with all the serious criminals who use laptops and are never without them?
After reading the judge's filing, I think that a keylogger should be classified as a wire tap device. Therefore, you would need a wire-tap order to use it, and not a search and seizure.
I look at it this way: A search and seizure looks for something that exists at the time the warrant is acted upon. A wire tap is a method of obtaining information that does not exist 'right now', hoping that it might be useful, e.g. evidence gathering.
Now if they find the password on a piece of paper they seized, well then too bad.
make Linux, not Microsoft. sin(beast) = -0.809016994374947424102293417182819
So shut up, get back into your room and start listening to your GWAR mp3s, you twit.
1 for whackin & 1 for hackin! lol
When he's bought his freedom.
Face it kids. The Government has been wanting to take what little rights we have away for a long time. Thanks to OBL and an American public that thinks it will never affect them they have it now. It's like a salesman that gets his foot in the door.
For years "Law enforcement" has been bitching that they need more powers to catch "bad guys"; the fact is they are full of it! They have had more than enough power to stop everything that happened... But now they have a new weapon to bilk the American public out of even more rights. Now instead of the public housing searches of the late 80's leading to highway sobriety check points, you now get to look forward to "Law enforcement" having the ability to monitor every communication you have. Think I'm joking? Just wait. The world is full of lemmings and the only thing you need to know about being a lemming is to run when all the other lemmings run. The Gov knows that America is full of good little lemmings and they just love it when you run.
Yes Sept 11th was a terrible thing to happen.
But to throw out everything our veterans of war have fought for ( me included ) is insane!
You can all pretend that the Bush administration has the support of the people but the fact is that there are citizens that are afraid to speak up about the way the Bush administration has handled and propagated the fear of the American people. Thanks to the idiots that think "My country right or wrong." and a mob mentality. Well Our country is wrong. Sept 11 is a far sadder day than most of you will ever know. We are losing a lot right now. And no one person or group seems to be able to stop this nightmare domino effect.
Doesn't anyone think this never ending war is a little TOO much like the made up conflict in the movie 1984? I do! I would have died for my country in 1991. But now only one thing remains, distrust.
Last one in jail is a fascist.
Is there any reliable way to detect the characteristic activities of a keylogger? Rather than trusting a virus scanner, or trying to keep every possible back door fixed, I would like a utility that would look for suspicious activity indicative of such a key logging attack. I am assuming though that this would be relatively operating system dependent.
Beyond this, are there ways of making the operating system itself immune to keylogging? In windows this might be a custom keyboard driver. In Linux perhaps a kernel module.
No matter what you do they can always log at the hardware level (essentially bug your keyboard), but it'd be nice to make it as hard as possible for them.
-josh
There is a theoretical solution to this, using quantum diodes and open source software it is possible to create an untappable system. The quantum diodes would be part of an optical based keyboard. When any photons are prematurely observed, the whole thing errors out.
The nature of open source software would make it difficult to add flaws that couldn't be detected if wanted. In fact, the encryption program could do MD5 sums on the kernel and all parts of the OS that grab keystrokes making that impossible too.
Other ways like a video grab of the keyboard, or biometrics on the individual typing could be done too. But I think the simplest way would be with a smart card that had a mini ATM keyboard on it. The user would keep it in his wallet at all times, and key in a pin before using it - too many guesses would permanently disable it.
... if you want to catch criminals, to make it safer for you to walk down the street, why not make a donation to your local police force?
I dunno what it's like in the US, but over here the police are always having to turn down requests from the public to enforce the law because they don't have enough money.
I say fuck the FBI,if I catch one of them little bitches on my system Ill take my rights to the limit and self-defend.Whos with me?I mean..do they think that THEIR HACKERS should have special rights?If I catch one and pinpoint his ass..Ill take it to court and sue the government,we need to start a movement..we need to get rid of the queer fucks..
WHO IS FUCKING WITH ME?DEFY THE FUCKING FEDERAL GOVERNMENT AND FRY THE FUCKING FEDERAL HACKERS!
"Fight The Power"
Get a laptop for your criminal activities, use pgp to crypt your files and NEVER connect to the internet. (We're just talking about business records) Sleep with the laptop under your pillow, take it everywhere you go, and if you suspect it's been compromised, sell it on EBay with a formatted hard drive and get a new laptop. These methods depend on their physical or network access to your computer. If it's that important don't give them either chance.
Let's see them sniff, or tap that.
Also, there is the extended issue of ethernet being a broadcast medium. Thus, there is the potential for intrusion on a system OTHER THAN the system targeted by the warrant. Could you get a search warrant authorizing the government to exploit a known security hole in Windows, for example, in order to gather evidence? At least with this keystroke recorder, you might realize something was going on by looking for files/apps you don't recognize.
I've been watching a lot of The Sopranos lately (2nd season on DVD - Excellent), and the only guy on the show who types at all is Christopher Maltani (sp?), and he is typing screenplays. And I don't believe anyone in the Godfather series typed on a computer at all. If the FBI think they'll catch mobsters, I think they're barking up the wrong tree.
>It is important for law enforcement to have the
>tools at their disposal to be able to properly
>investigate crime and gather evidence.
Yes, but this is largely a procedural issue. There *was* judicial oversight, and there definitely *will be* judicial oversight.
The question is as to the *form* the oversight should take. A very simple look over the shoulder, such as a warrant, or the higher standard we use with a more intrusive wiretap. In *some* way there will be judicial approval. The question is how.
hawk
I wonder how many of you freedom fighters actually read the judge's actual decision. Here are the real facts of the case, which you will find nowhere in the Wired article: The FBI went in with a warrant that very specifically defined what they could look for, including files on the computer, and specifically stated that they could install gadgets for the specific purpose of seeking an encryption password. If the feds have probable cause on you for committing a crime then yes, they could very well throw one of these things on your computer and shake down your password, with a valid warrant expressly permitting that action. Big fucking deal. This seems totally valid to me, it isn't a wire tap and it sure doesn't look to me like the exercise of a general warrant, a judge sent them in with the tools to look for a specific piece of information that they had probable cause to believe would implicate criminal activity and they did so and no more. Read the decision. It is thoroughly and thoughtfully executed with a great deal of explanation and precedent supporting the judge's decision. Scarfo's attorneys' objections, on the other hand, look exactly like what they are: straw-grasping attempts to get damning evidence thrown out on technicalities of dubious merit. Get over it.
It Is the Nature of Information to Transgress Artificial Boundaries
I actually think the Scarfo case is a good thing. The logger was used in accordance with a court order, and the whole thing gives the lie to the argument that we can't have readily available crypto because it makes the actual bad guys invulnerable to law enforcement.
-
Give me liberty or give me something of equal or lesser value from your glossy 32-page catalog.
While I am just as concerned about this as everyone else, the problem comes when the technologies and methods used are not disclosed. When the gov. starts using tech to spy on us but we aren't even aware that they are even capable, or when we quit getting info like this, is when the FBI is allowed to run rampant, because if they can tap what we do without us knowing then what's to keep them from doing other more harmful things without us knowing? I'm all for the counterterrorism measures being taken but I would rather live in danger than sacrifice my rights.
srry, typing with DC controller
We seldom regret saying too little but often regret saying too much.
I sniff mine every day. Smells nice after having used that air freshener on it. Why shouldn't the FBI be able to do it? They're people too.
Zorch released a statement two weeks ago saying that he was not interested in licensing his invention to the United States government at any cost.
Neither friends nor family have heard from Zorch for the past two weeks. His whereabouts are unknown.
The interesting thing about this case is the FBI invoking CIPA so they don't have to explain to the defense how the KLS actually did not violate the rights of the defendant. A secret meeting was held between the government and the judge. The defense was never allowed to know how the KLS actually worked because of "National Security".
Judge:
"So how do you know Mr. Public broke the law?"
Justice department:
"The super secret squirrel told us so"
Judge:
"The super secret whaaa???"
Justice department:
"It's secret, we can't discuss it, National Security and all"
Judge:
"National Security, why didn't you say so..."
Once again the MAN takes a big bite out of our civil liberties! My problem isn't with what they did actually...it's with the arrogance they show. OUR government, under the guise of protecting US in reality is permanently eroding OUR freedoms. What's truly scary is that they feel like because they're the 'good guys' then they're allowed to 'bend' a law or two, to 'take away' a freedom or two...it's okay, because they're the righteous 'good guys', remember? To me, the line between good and evil gets very blurry when this kind of crap is allowed to happen. Is it okay for 'good' to act in 'evil ways' to catch 'evil'? I don't believe so. I don't trust law enforcement any more than the criminals! In fact, I think I may trust the criminals more...at least with them you KNOW what you're getting. You know what to expect. With the govt., you really don't know any more. Unfortunately, too many people show way too much apathy these days, which allows this crap to fester. Our system of politics needs scrutiny, citizen input and checks and balances to work properly...to keep it 'honest'. That just isn't happening any more....and that's really sad.
How many people here would LOVE to catch someone in the act of futzing with their boxes? If they try this on someone who is halfway awake then the cat is out of the bag. One way or another, the software and physical devices involved are going to be revealed. If they're lucky, it will be "HA! HA!" cypherpunk style messages posted loudly to the net. If they're unlucky then organized crime types are going to have a joyous time feeding them misinformation. Mafiosi can employ good IT and security people too. If enough of this sort of thing happens then they certainly will.
Okay..so your argument is:. "Well, it's okay to take away a small amount of freedom for security's sake". Am I right there? Okay...that's fine..until the NEXT time comes around....and the NEXT time and so on and so on.... Then one day you wake up and find that a BIG chunk of your freedom is gone! Tell me..where do YOU draw the line?? How much freedom can be taken away before YOU think too much is too much? Searches without warrants? How about just bugging everyone? Do you even HAVE a line? Where is it? See, law enforcement (and I used to work in it) works on this premise: they zero in on a POSSIBLE suspect and then do their best to PROVE they did it. In other words, they employ 'tunnel vision'. They don't care if the person is guilty or innocent..all they care is can they get a CONVICTION! I know of prosecutors who KNEW who really DID a crime..and yet they put an INNOCENT PERSON IN PRISON for the crime..did you just hear me? They put a person in PRISON that they KNEW FOR A FACT WAS INNOCENT!!!! People complain all the time that guilty people sometimes go free. WELL...it also works the other way! Do you know how many innocent people are in jail? Let me assure you, it's a lot more than you think! There's even been a couple of people who have been PUT TO DEATH only to later find out that they were innocent. But you think that's okay, don't you? Why not fry a few for the greater good, right? Until that day when they come for you, that is..... Let me clue you into something....by the time THAT happens, it'll probably be too late.
By about 225 years... "People who are willing to sacrifice liberty for security deserve neither".
If you really want to piss off would-be keyloggers, build a keyboard solution that encrypts the scancodes somehow, right inside the keyboard's encoder chip, so that the keypress info is undecipherable to any device hooked between your keyboard and the PC. Then sell the idea for thousands of bucks to mob kings!
-Billco, Fnarg.com
That cleverly placed to the side of the Scarfo piece is an ad for the Sopranos DVD? It's advertising in action... ooo...
Witty quotes suck.
what if you use a dvorak keyboard?
Others have rightfully mentioned that most stuff that goes out on the wire (like email) is often typed offline. OK, so maybe the judge didn't understand this subtlety and missed this point.
But it looks from the article that the FBI convinced him (and the defense) that by blocking the logger during the modem activity, truly "online" communications won't be looked at. Such as, say, intercepts of passwds from within a telnet window session.
My point is that it is not true as well! At least, if you have a 1-CPU box, and especially if the modem is a "winmodem", actual sending or receiving of data via the modem channel is not done simultaneously with the keyboard interrupt processing, because both are different CPU-intensive tasks (actually done in different level interrupt handlers.) For other OS+hardware combinations this also might happen, but I don't exactly know what the suspect had in his PC.
Also, sometimes, especially with things that fingers are used to, one can actually type things ahead of the transmission start into an online communication channel...
VKh
I feel pretty scared about these issues.
Think, FBI and CIA have fabulous resources, and they are clamoring for more and more... However, they failed in preventing all the great tragedies that struck the USA.
Someone says Oklahoma? Timothy McVeigh? How about Terry Nichols and his Freemen movement? Why in the hell weren't all those people investigated? Or they were, but the FBI shut their mouths?
Why give more money to people that don't know how to use the money they already have?
Why give more power to people that don't know how to use the power they already have?
Why will we, as always, pay with our freedom for the mistakes made by the government?
you're the terrorist
I fear the forces of "law enforcement" far more than I do their new boogie man of choice, terrorists. I fear them more than I do drug dealers, kiddie porn perverts, communists, or any of the other boogie men used in the past to justify increased powers and decreased accountability or oversight.
When the government fears the people there is freedom. When the people fear the government there is tyranny. Guess which scenario we live in?
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
It's not so much like the bag of dope on your car seat - it's more like them sneaking in your house, copying your car keys, opening your trunk, and finding the bag of dope there.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
There's a difference between the Feds sniffing the passphrase, which is indirect evidence, and sniffing the contents of the file as he typed it, which would have been more direct evidence had they done that. The Feds are trying to hide how they stole the passphrase, and they're arguing about exactly what kind of warrant is needed for stealing it (wiretap vs. search warrant), but once they've stolen the passphrase and legally obtained the encrypted file, they can use it to show a jury that the passphrase they stole decrypts the file into the text they're alleging that Scarfo typed which allegedly shows that he's a mobster. And if they'd simply guessed the passphrase (hint, don't use simple words or your father's prison ID # as your passphrase) they could have done the same. By contrast, if they'd used the SEEKRIT keyboardsniffer to snarf up the file itself, they'd have to tell the jury "Nicky really typed this incriminating letter, trust us, we can't tell you how we know that, cuz it's RILLY SEEKRIT, but we're the FBI and we'd never lie to you, so he's GUILTY GUILTY GUILTY", they'd have a much weaker case. (Any self-respecting jury would throw them out on their expletive-deleted for even trying that, but American juries often fall for that sort of thing, and judges fall for it even more often.)
US rules of evidence, since the early-1960s Supreme Court decisions which promulgated the "Exclusionary Rule", say that you can't use illegally obtained evidence, and there's a doctrine called "Fruit of the Poisoned Tree" which says that if you illegally obtain information that you use to obtain other information, you can't use that as evidence either. So if they'd beaten or tortured the information out of Scarfo, or if they hadn't had a warrant when they first searched his computer, they'd be unable to use it legally, which is part of why Scarfo's lawyers were arguing about the precise type of warrant they needed before stealing his passphrase.
On the other hand, if they'd gone asking around the mobster social club if anybody wanted to call in an anonymous tip with Nicky's usual passwords or offering get-out-of-jail-free cards to temporarily-retired mobsters in return for the passphrase, that'd be legal, and unlike the cases where stool pigeons give false testimony about people in return for reduced jail time, a passphrase is demonstrably either correct or incorrect. (And of course, an "anonymous tip" is often nearly indistinguishable from illegally gathered evidence used to obtain a search warrant.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Is not whether or not it's right for the FBI to intercept your communications. As long as they have a warrant, I have no problem with this, 4th amendment, 5th amendment or otherwise.
My problem is with judges who find probable cause in "Of course your honor, he's guilty, just give us the warrant and we'll prove it".
We live in a society that goes bonkers over any crime, remember how pissed most of you got when OJ was acquitted? Since judges are (unfortunately) politicians they have to do what society wants of them otherwise they'll never make it to the circuit court or the supreme court.
It will not change, because for it to change, most of us will have to want it to change, and that just ain't the case.
The saying used to be "It's better for 10 guilty men to go free than for 1 innocent man to go to jail." We used to believe that. Some of us still do. But when people are so easily outraged, so few of us actually voting on election day, and the desire of any reasonable person (judges included) to keep his/her job. Does this really surprise any of you?
Ok think about this.. The FBI gets a warrant to be able to place this software on your computer, but how are they going to do this without breaking the "Terrorist" item that Bush created... deeming that all "Hacking" "Cracking" or "Script-Kiddies" are deemed terrorists.. before you know it the entire FBI will be behind bars.. HA! What fun!
Not here.
Your call is compared to all the other outstanding calls and if they're busy they only go to the highest priority ones.
Many people here say they want to pay more of the relevant local tax so as to get more police, but the politicians seem not to believe them and don't do it.
BTW, anyone who doesn't really understand what the police do with their time might find it interesting to spend a shift riding (or cycling or whatever) round with their local policeman. Access to this service is likely to differ in different places, but I just had to ask nicely.
The FBI should have just waited until he started up AIM and got him then...
I really hate Dan Patrick.
Could virtual keyboards like the one offered by CryptoHeaven and E-gold defend against password sniffing trojans?
After reading the judge's decision on the Scarfo evidence ruling, this bit stuck out in my mind.
" Recognizing that Scarfo's computer had a modem and thus was capable of transmitting electronic communications via the modem, the F.B.I. configured the KLS to avoid intercepting electronic communications typed on the keyboard and simultaneously transmitted in real time via the communication ports. See Murch Aff., 6. To do this, the F.B.I. designed the component "so that each keystroke was evaluated individually." See id.
As Mr. Murch explained: The default status of the keystroke component was set so that, on entry, a keystroke was normally not recorded. Upon entry or selection of a keyboard key by a user, the KLS checked the status of each communication port installed on the computer, and, all communication ports indicated inactivity, meaning that the modem was not using any port at that time, then the keystroke in question would be recorded.
Murch Aff., 6.
Hence, when the modem was operating, the KLS did not record keystrokes. It was designed to prohibit the capture of keyboard keystrokes whenever the modem operated. See Murch Aff., 15. Since Scarfo's computer possessed no other means of communicating with another computer save for the modem, see Murch Aff., 6, the KLS did not intercept any wire communications. See footnote 55. Accordingly, the Defendants' motion to suppress evidence for violation of Title III is denied."
Does this mean that if we keep a stream uploading or downloading constantly, they can't use the keylogger against us?
thoughts ??
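The per-keystroke rule quoted from the ruling above can be modelled on a constructed timeline; this is an added example, not part of the thread, the ruling or the FBI's software. It simulates only the record/skip decision, and the port names, tick values and typed strings are all assumptions made up for illustration.

```python
"""Model of the keystroke gating rule described in the quoted ruling.

Simulation only: it reads no real keyboard or port, and every event
below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Keystroke:
    t: int       # tick on the constructed timeline
    key: str
    label: str   # what the user was doing (constructed annotation)


def type_text(text, start, label):
    """One keystroke per tick, beginning at tick `start`."""
    return [Keystroke(start + i, ch, label) for i, ch in enumerate(text)]


def port_active(t, intervals):
    """True if tick t falls inside any [begin, end) activity interval."""
    return any(begin <= t < end for begin, end in intervals)


def kls_filter(keystrokes, ports):
    """Apply the rule as the ruling describes it: the default is 'not
    recorded'; a keystroke is recorded only if every installed
    communication port is inactive at the moment of the keypress."""
    recorded = []
    for ks in keystrokes:
        if not any(port_active(ks.t, iv) for iv in ports.values()):
            recorded.append(ks)
    return recorded


def text_by_label(keystrokes):
    """Reassemble recorded keystrokes into one string per activity."""
    out = {}
    for ks in keystrokes:
        out[ks.label] = out.get(ks.label, "") + ks.key
    return out


# Constructed scenario: the modem (hypothetically on COM2) is online
# during ticks 100..199; COM1 is never used.
PORTS = {"COM1": [], "COM2": [(100, 200)]}
TIMELINE = (
    type_text("correct horse", 0, "passphrase")              # modem idle
    + type_text("draft typed offline", 40, "email_draft")    # idle; mailed later
    + type_text("ahead", 95, "type_ahead")                   # just before connect
    + type_text("typed in session", 120, "online_session")   # modem active
)


def run_scenario():
    return text_by_label(kls_filter(TIMELINE, PORTS))


if __name__ == "__main__":
    for label, text in run_scenario().items():
        print(f"{label}: {text!r}")
```

The decision depends only on port state at the instant of each keypress, so in this model text composed offline or typed just ahead of a connection is recorded even if it is transmitted afterwards, which is the objection raised earlier in the thread.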