Forgot your password?
typodupeerror
Encryption Security Your Rights Online

FBI Bugs Keyboard of PGP-Using Alleged Mafioso 301

Posted by michael
from the pretty-good-break-in dept.
Sacrifice writes "The Philadelphia Inquirer reports on a criminal case which will challenge the authority of courts to permit FBI agents to surreptitiously plant keystroke-monitoring bugs, which are not regulated by current federal wiretap legislation. Also, David Sobel from EPIC notes that it is now a matter of record that the FBI can, and does, conduct surreptitious entries to counter the use of encryption (see FBI application for breakin and the court order granting permission)."
This discussion has been archived. No new comments can be posted.

FBI Bugs Keyboard of PGP-using Mafioso

Comments Filter:
  • Logic alone tells us that some so-called 'freedoms' are mutually exclusive. Under your system, I was denied the freedom to grow up sexually at my own pace. Thanks to some brain-dead jackass like yourself who thought I needed 'erotic training' as a child, I'm now a 30-year-old virgin being treated for sexphobia.

    Thank you very much. Please extend my thanks to the pedo community on behalf of all us victims.

    BTW, the illogic in your statements is frightening:

    • Being a member of a minority group doesn't automatically make you normal, whether you're pedo, Neo-Nazi, or worship Godzilla.
    • You're projecting your repression onto us. We don't think sex is 'inherently harmful' as you put it.
    • Don't confuse a subset with a superset. I would never (as you suggest) misuse the word 'pedophile' to mean a rapist or murderer, but I could easily use 'rapist' or 'murderer' to describe specific pedophiles.
    • Sexual contact with adults is neither the only way, nor the healthiest way, to educate children about sex.
    I'd like to believe you're just pathetically misguided, but we both know better. Pedo organizations work hard to pollute the public discourse on sex. Thanks for giving the Slashdot crowd a valuable example of the tradeoffs of free speech. While you're at it, why not make Mein Kampf required reading for all fourth graders.
  • by Anonymous Coward
    > It's a flipping shopping list. Who cares?

    > This is America! You aren't going to be persecuted for harboring seditious ideas.

    > Again, you're being paranoid. If you haven't done anything illegal, you have nothing to hide.

    Which America are you living in? 'Cause in my America, prosecutors use purchases of serial cables as evidence in hacker trials, and police crack down on every major public demonstration to prevent people from expressing views the government doesn't want to hear.

    It's naive to say that if you haven't done anything illegal, you don't have anything to worry about. Even if you're innocent, having to defend yourself against accusations in court can cause you tremendous emotional trauma, disrupt your personal and work life, and cripple you financially with legal expenses.

  • "I'd also agree that there's no such thing as a consenting child."

    Ah. Having been a minor not so long ago, I am quite familiar with the 'rights are only for adults' meme.

    What would you suggest as an age of consent?
  • by Anonymous Coward
    [Judge] And what are these pages of mysterious keystrokes I see on the transcript?

    [FBI] Your honor, our best cryptographers have struggled with this for 5 months, using elaborate supercomputer analysis, and couldn't crack the code. It must be an incredibly well-crafted keystroke encoding, requiring extreme training to use at the speed it was typed.

    [Judge] Defendant, can you tell us what it is?

    [Hacker] Yeah sure, I was playing Quake for 3 hours.

  • Nope, according to Title 18, Section 333 of United States code, if you render currency unfit to be reissued, you can be fined up to $100, and sent to jail for up to 6 months. Title 18, Section 331 specifies harsher penalties, if the act is done with intent to defraud.

    --
    "Don't trolls get tired?"
  • And how do you know the suspect is using PGP since you do not have a warrent for wiretapping. If they have a warrent to do wire tapper, lawfully and correctly obtained (even if it turns out to be based on what turns out to be a false lead), then they should be able to bug the keyboard. Otherwise they do not have that right.

    Suspicious activity is not reason for a warrent, unless a crime has been comitted. Planning to comit a crime is not a crime, but commiting the crime is. (And when a plan can be shown then the crime is generaly greater)

  • even a BIOS password would not be safe.
  • Interesting... but then they would only have to say that they've tapped the keyboard, present the decrypted data, confiscate the system for evidence, and then, maybe, install the keyboard monitor.

  • It's expensive now, but it won't always be. Technology gets cheaper all the time. They can do it to 1 person in 10,000 now -- in ten years it might be 1 in 5. They might be able to lean on keyboard manufacturers to install keystroke monitors on ALL computers.

    Think about it.
  • Who types their shopping list anyway?

    Perhaps into the palm desktop to sync, but just to print out, I mean, come on... And if you can sit down and type it in one sitting do you really need the list?

  • > do you keep your laptop in a safe at night?

    I guess it's enough to just never turn it off, and when you're not physically close, run a screensaver lock. While not guaranteed to work against everything (but what is?) it's rather doubtful that trying to patch such a device on wires of a running computer wouldn't create a system lockup, at the very least. In such event, when you come back and see your system rebooted or locked up, you know something has been wrong and you can examine your drivers, weigh your computer and so on (in the order of increasing paranoia)

    > Why You Should Use Encryption

    On the other hand, you might read the Brin's book, "Transparent Society", on why everybody should have a right to spy on everybody else. Or read his essays on this topic at www.kithrup.com

  • In case you ever have the legitimate need for logging keystrokes you can purchase a plug and play device at www.keyghost.com [keyghost.com] . This device connects between the keyboard and computer and looks like a small keyboard adapter. They also sell versions where the device is integrated inside a keyboard. It can later be unplugged, activated via a password and then replay the keystrokes.

    I don't condone the use of such a tool, but people should be aware that this stuff is readily available.

    regards,

    Heiko
  • Actually, I work from home so neither my laptop nor any of my computers are ever out of my site other than the few hours per week that I'm out of the house.

    Of course, another cool tool would be something that would generate random crap when your computer is idle so that when the little bug tries to upload data to its home -- all they get is about 80 words and 1,999,980 random keystrokes.
    ---
    seumas.com

  • If I haven't done anything illegal, I have nothing to hide.

    Pardon me, but please let *me* decide if I want to hide my personal life from the state or not. Or better yet, please respect others right to keep their personal life to themselves.

    There is no law that protects my right to a private conversation to my brother, but it is a right I'm not ready to give up. I'd rather see 100 criminals walking free than my rights to private life taken away.

    --
    Why pay for drugs when you can get Linux for free ?

  • Perhaps PGP should be modified. You should have two pub/private key pairs, one for sending and signing, and the other for sending stuff to you (i.e. you'd only read with it). You could then sign your "reading" key's pub pair with your "signing and sending" key to show it's really you. Then, they could get a court order to only retrieve your read key.
  • A keyboard cipher would be subject to attack by pattern matching...
  • Here's a tip for those interested in really keeping your shit secret. Secure communications are a start but don't counteract things that are purely physics problems. Computers are noisy little RF emitters and with the right equipment you can pick up these RF emanations and translate them into data. To keep the FBI and others away from your computer use a laptop and keep the fucking thing with you all the fucking time. Encrypt all the data on it and keep the keys with your lawyer (have him keep them as part of attourney-client privilages). Besides keeping everything encrypted, keep everything encoded. Speak in code and write in code, codes that are indistinguishible from noise. Once you turn your computer on, do so inside of a shielded room and connect things together with shielded cabling. Monitor all lines coming into your house and keep records of attenuation. A quick search of google about TEMPEST, Van Eck phreaking, or electronic surveilance can provide you with lots of info to defeat eavsdropping. Tell the J. Edgar's to go fuck themselves.
  • So you'd need a "smart" keyboard to do that -- and even that won't work, if the put the tap between the smart part and the keys.

    Even so, opening up a nonstandard keyboard and putting in a bug that somehow integrates with it, takes a hell of a lot more effort/time/risk than sticking a ready-made inline PS/2 adapter. One can be done with a quick breakin and 20 seconds of work, the other takes a recon pass breakin to see what kind of keyboard it is, research on how to bug it, and then a good amount of time onsite to install the mod. A lot more work for your FBI / Industrial Spies / Blackmailer to do.

    A crypto keyboard is a good idea.


    ---
    • Use keycaps to mouse out all your ilicit messages
    • If they intercept your PGP passphrase, all the encrypted communications they've intercepted already can now be decoded.
    • I bet you could rig up a pgp keyboard, but then they'd just put actuators under the keys themselves.
    • Use a Bluetooth keyboard with encryption, and keep the keyboard under your control at all times.
    • Use a laptop (see above)

    Kevin Fox
  • by mindstrm (20013)
    But why does everyone keep saying that? THe article *very clearly* states that the feds did this WITH A COURT ORDER.

    They can no more tap your phone without an order than hack your box without an order.... I don't see what the big deal is here.
  • This is fundamentally different than planting a bug or hidden camera? How's that work?

    No. The fibbies do NOT have to leave a copy of the warrant on the scene; this wasn't a search warrant, this was an order to do surveilance.

  • Dude, if I were to sneak into your house undetected, and open your keyboard, and actually add in some small electronics to capture keystrokes for later retrieval, how exactly would you 'know' it was there without actually taking your keyboard apart? Are you some kind of psychic?

    Also, if you are not at all expecting someone to have planted a keystroke monitor on your computer, how would you detect it even if it was software? I mean, you might not even LOOK. And to boot, especially if it's windows, it may be far from obvious.

  • He says 'combined with other evidence gathered, this gives probable cause that his computer is being used as part of illegal activity'.

    They did not say 'pgp makes him guilty'. They said that, in addition to everything else he does, it's probably cause.

    Having a crowbar does not make you a thief. Being viewed purchasing tools that are also associated with break&enter crimes, as well as having other evidence that seems to point to a life of crime WOULD be probable cause to think you are committing a crime.

    Get off the high horse.

    Software + OTHER STUFF = probable cause is NOT the same thing as
    SOFTWARE = INTENT.

  • And how is a keystroke logger different from stealing and replacing a typewriter ribbon?

    Typewriter ribbons and carbon paper have been used as a source of text [asqde.org] during investigations for decades (plastic or film ribbons since 1959). The FBI teaches ribbon examination [fbi.gov]. There are cases [tcbd.com] with ribbons as evidence [state.mn.us].


  • gnupg wouldn't page the memory to disk.
    It uses mlock
  • Encryption will not save you, when a keyboard logger is used, it logs what you type in at the keyboard, thus they can capture your password and passphrase, this is a very old thing, I wrote one in 1994 for MSDOS, There is one for sun, and I am sure there are many out there. I came across a site, where some guy built a very small matchbox sized hardware that does this, and stores around 1000 keystrokes. There are many weak link in a computer, if the OS is 100% secure, is the keyboard and monitor and all external hardware devices that the OS cannot control?
  • Perhaps you hold political opinions that are unpopular with the current administration. Maybe you have your local mayor upset at you for campaigning against him last election. Maybe you are a journalist who has published stories that upset the FBI. Perhaps your ex-girlfriend has taken a job in the local field office.

    Prehaps you happen to know about questional activities by people in "authority".
  • People involved in even the most peripheral way in committing drive by shootings should be tortured in the most heinous way possible on live tv before being cut up into little pieces and blasted into the sun.

    How is this going to happen, at least one of the companies concerned survived having an atomic bomb dropped on one of their facilities.
  • Witness the most recent example, internment camps for the Japanese and Italians during world war 2. This was the cause of a direct exectuive order! Or how about all the people arrested during WWI and the period right after for being communist. There was even a law passed by Congress saying they could! Look up the Alien and Sedition Acts.

    So much for the much trumpeted written constitution.
  • In that case, you will support open ballots for all future elections? We can have everybody sign, date and address their ballot, then, if there is any question as to their intent, we can just call them up and ask them how they voted.

    There must be easier ways to test if the telephone system in Florida needs upgrading :)
  • To use a laptop which can be kept in your physical presence at all time. If one was going to do something illegal and needed to keep records which would clearly attest to the illegal thing, wouldn't you want to keep a close eye on those records? ie, a laptop or a palmtop? If it's on your person, the FBI would have a very difficult time getting to it without your knowledge.

    ----
  • This is precisely why any attempt to build surveillance capability "into the infrastructure" should be firmly rejected. The cops can do surveillance on a case-by-case basis -- but it requires them to do actual work and puts them at some risk of being caught if they do it illegally, both of which serve as checks against fishing expeditions.

    If the DNC offices at the Watergate could have been bugged by pushing a button in the White House while G. Gordon Liddy took a nap at home, we probably would not know about it to this day....
    /.

  • Want to know how to defeat this "logging" for your "surepticious" behavior? Simple - don't use a keyboard.

    At least not in the normal sense...

    First off, since they are doing a B&E to set it all up (heck, even with a warrant you should do this), first make sure you set up some kind of ultra-secret hidden cam recording movement (hide it in the ceiling or wall - use a pinhole type camera, mount it to NEW wallboard right over a pinhole, then mount the new wallboard. Break up the wall with pictures, wall hangings, carpet). Don't tell anyone about it. This will let you know if something hinky is going on.

    Next, since they are likely tapping one or more of four spots (the keyboard, the interconnecting cable, the motherboard connection, or OS hooks with a software logger), you need a way to bypass these. A good way would be to build a simple encrypting keyboard (or even a complex one), and a special card for the PC, and drivers to read it.

    Another way would be to set up a serial console to do everything from - use a funky terminal not in great production anymore (a real VT100 or ADDS, or something similar - Olliveti?). Perhaps you can encrypt the serial comms as well. Maybe set up UltraTerm on a CoCo 3, serialized over the RS-232 pack to the console serial port on the box (that should confound them!).

    Use an optical keyboard, with custom "encryption", perhaps. Mark your keyboard with an identifying mark. Put a seal on the keyboard, or over screw holes to detect "modification". Same with the case. Add locks to the case. Add an alarm.

    Here is a funky idea - set up the "computer" to be a dummy with an alarm (or other nastiness), into which the keyboard is plugged into. Using cat-5 and a "dummy" network card, route that out to another "dummy" network card in the real computer, with that dummy card hooked up to the keyboard header of the real machine (thus the actual machine looks like it hasn't got a keyboard attached). Set up a current monitor to notice drops in current on the keyboard "port", with alarms and such to notify you.

    Here is one - rewire the keyboard port and keyboard (and any interconnecting devices - keyboard switchers/extenders might need to be taken into account). Swap the wires and connections around (might be a pain at the motherboard end). Done clean and right, it would be a mess for them to sort out *on site* - heck, they might not even notice it (think they do wire tracing to make sure the keyboard is standard - perhaps, perhaps not). Maybe even use completely non-standard connectors. Maybe go so far as installing a non-standard (keyboard wise) microcontroller in the keyboard, with custom coding (combine this with the other tips, like "encryption" and such - one hell of a hack).

    Do I really think any of these would stop the FBI? Naw - but it would make their lives at least a bit more miserable. Perhaps it would confound them enough to make them come back later - given enough covert surveillance on your part, you could destroy the machine (or change it!) in the meantime...

    Worldcom [worldcom.com] - Generation Duh!
  • But considering that affronts to our (American - but hey, all this can apply to other countries as well) Constitutionally protected rights - rights that the authorities and legislators seem willing to dismiss - rights that most people have forgotten they even have...

    Considering all this - we should be more paranoid - not less. It seems every day I hear or read about something that convinces me further that we are falling into a police state form of government. Something has to be done. Today it wasn't me, tommorow it probably won't be either.

    Someday it might be - better to be prepared now than wait until it is too late...

    Worldcom [worldcom.com] - Generation Duh!
  • >Why is it illegal to possess a photograph of an illegal event?

    the reasoning is probably something like this:

    we don't want to create a market for child-pornography, since this would partially legitimise the making of child-pornography. by allowing the product, you encourage the producer. making a CGI of child pornography is probably to make it easier to apprehend the real sick bastards. a picture of a kid in the nude isn't child-pornography, btw. there must be a 'sexual act'. Otherwise, your mom would be a criminal for keeping all those baby-pics around (and showing them to your gf)

    //rdj
  • The article missed one important point -- they were intercepting communications!

    Sorry. The only "communications" protected by the wiretap law is voice telephone conversations. "Commnuncations" between the keyboard and the computer are not included in that definition - nor are e-mail with other people, nor conversations with other machines.

    The way the law currently works is that it is extended to protect new technologies - either by explicit legislation or by court precedent. So new forms of communication are UNprotected by default. Maybe you'd LIKE the default to be the other way, but in practice this is how it is.

    By tapping communications on the the cutting edge tech, where no law has gone before, the FBI gets to spy until a court or the congress makes them stop.
  • Remember when McCarthy made Communist mean "daughter-raping baby killer"?

    Charlie Chaplin lived out his golden years in the south of France because of Mister McCarthy and his little campaign.

    Not that this refutes your core argument in any fashion. But the old joke about the difference between being British and American is that the British think a hundred miles is a long way, and the Americans think a hundred years is a long time, is fitting here.

    Some will see an example from the fifties as more compelling than one from the early forties, less able to shrug it off.

    -
  • Hetro/Homo/Bi-sexuals have sex with other adults

    Nope. Write consenting adults in there, and I'd agree. I'd also agree that there's no such thing as a consenting child, so having sex is impossible for a pedophile, but other than that, there really is no difference between hetro/homo/bi and pedo. That fact that some pedo's still have sex with kids is simply a legal matter, send them to jail, just like hetro/homo/bi who have non-consenting sex (or let's call it what it is, rape) with others.

  • Increasing FBI monitoring powers is wrong because the court that hears wiretapping requests always agrees with the FBI that a suspected criminal is anyone the FBI says is suspect. Meanwhile, protecting yourself from the keyboard monitor is trivial. Never type anything critical on a computer electrically connected to anything else. Need to communicate? Use sneakernet to carry a disk with the encrypted message to a computer that is connected. Think you need more protection? Have a nice day.
  • Perhaps, although if you want to get really technical, an email isn't communication until it's sent. The FBI is doing the interception before that happens, and they see no incoming emails with this scheme. It's rather akin to bugging a room where someone's talking on the telephone.
  • In the case of my keystroke recorder Last Resort [webcom.com] it was an operating system patch that ran as a bit of boot-time software that loaded some code into memory, patched an OS trap and then exited with the patch still resident.

    With NT, you can hit ctrl-alt-delete and look at the processes. With *nix, you can do "ps".

    But really you need a list of all the drivers that are active on the system, and on a modern OS there will be lots of them.

    This is particularly pertinent to something like Linux because anything that's installed as a driver runs in the kernel and can basically do anything it wants. Is there even any user id boundaries for a driver, or does a driver effectively have root priveliges?

    Really what you'd have to do is make a list of what is there when you get the system configured the way you like and then monitor for changes to this list.

    BTW - a common security hole in a lot of Linux installations is that you should have all the kernel source owned by root and do the compile while logged in as root (don't run X as root - su in a shell window). That way no one can tamper with your modules.

    If you build your modules as an ordinary user and install them, there's more of a possibility someone could overwrite them with a crack.


    Michael D. Crawford
    GoingWare Inc

  • I'm suprised that 'conspiracy' charges can be used not just for prosecuting criminals, but for extending sentences, pressuring people into testifying, and sometimes as a form of prior restraint.

    Think about it this way - if we have a conversation about poisons, and you know I am trying to get back at someone, you might assume that I intend on poisoning this person. But what if I am an author, and I need information about poison to make my book realistic? Or if I am researching for a thesis on the subject? Or if I am just interested in the subject?

    Conspiracy should never be a charge without a hell of a lot of evidence that the crime was, indeed, about to take place. And if a crime takes place, that should be what is prosecuted. Conspiracy charges are another way to suspend liberties.

  • "odds are you are a criminal and OUGHT TO FACE THE DUE PROCESS OF LAW. This is not a game where the cops have to guess that you are a criminal, and somehow charge and prosecute you without touching you or your property"

    No, this is a game where the federal authorities get annoyed that you aren't doing anything wrong, so they find something unrelated to charge you with to justify their effort. Read the Hacker Crackdown (e-text is available online for free, and dead-tree-text is still in print AFAIK) if you want an extensive brief summary.
  • Well, that is a huge problem. When a judge or somebody gives the ok for a search warrant (ie, sneak in) he may not understand all the circumstances. Face it, judges probably know dick all about what is right or wrong on the internet. All they can do is horribly apply what they know to each circumstance they come upon. I wouldnt be suprised if they just start handing out search warrants left and right just because they dont understand what they are really doing.

    eg1 )

    FBI wants a search warrant. They tell the judge the current situation that Mr. S. Kiddie was found talking about hacking utils that were used in some major .com corporation crack . The judge would then authorize the search warrant because there is reasonable and probable grounds that he was the one that did.

    How is this different from being suspected to have a gun that matches the description / make of the one that shot some guy? This person probably linked somewhat to the case, say, a neighbour or friend of the family? How, from a judges perspective, is this different from having the weapon "cracking util", and the link to the case "being one of those pesky internet hackers".

    When a judge applies his knowlege and the constitution to something that was complety foreign during the time its conseption, there is bound to be a disrepencies here or there. Its simply just another situation where law is being misapplied to something that it was never thought to be under the juristiction at the time.

    (excuse me bad speling plus gramar)
  • The suspect uses PGP. Like many other cryptographic systems, his email, stored messages, and other information the FBI would like to use for evidence are stored encrypted.

    The FBI could obtain a search warrant for his computer and email messages, but this would only get them the encrypted messages, and the encrypted version of his decryption key.

    The ability to "wiretap" his keyboard is the only way (short of torture, or taking several years to brute force the key) to obtain the "passphrase" that unlocks his encryption key, turning all of that meaningless random data into human-readable incriminating evidence.

    Personally, I tear apart my PC every week or so (not solely from paranoia), and I think I'd notice any extra little boxes on the keyboard port.

    Between that and keeping the machine in my hidden copper mesh closet with filtered DC-power and fiber-optic ethernet under 24-hour gaurd by a specially bred pack of mute doberman attack dogs, I'd say I'm fairly safe.

    Just remember- always ground your faraday cage to a cold water pipe!4

  • by TheCarp (96830)
    While that sounds nice, I somehow doubt the FBI is going to resort to a remote compromise to break into a system, just to place a wiretap program.

    Chances are they will enter the premises when you
    arn't looking and either add some sort of transmitting dongle, or put the program on that way.

    Another reason to use linux really... it would require them to actually break in. They would have to break into root to actually hide anything. (of course if they bring it up off a floppy - how will you know that it wasn't a power failure or failing power supply that brought it down and ruined the uptime?)

    Of course, noone bothers to look but - you would be able to see a dongle. (Unless it was internal - which might require shutting the machine down anyway (my case can't be opened without unplugging it - due to power cord/desk arrangement)

    -Steve
  • Hey, why not skip regular typing and only do copy-paste instead? At least for the sensitive pieces...
  • The fact that the only thing of value to the FBI from my keystrokes might be my shopping list is irrelevant. The same argument can be used in stating that people should have no problem with government agencies monitoring everything they do for no reason at all.

    I'm not trying to say that FBI having the ability to monitor people's keystrokes is a bad thing though. It is only a minor expansion to its already existing powers, most of which are in my opinion, necessary.

    It is however, dangerous to use this type of thinking when deciding on an issue like letting someone take away people's rights.

  • One problem that arises here, for the FBI at least, is that most of the time they will only get half of the story. Sure, they can read my keystrokes.. but what good is that when my keystrokes are "p i n e" to check my mail from my mob boss. As long as I reply with "yes, I will deliver the goods" rather than "yes, I will kill your wife" I'll be in good shape. For any smart criminal, I would think it would be standard practice to speak with in a non incriminating manner. Besides, I wouldn't expect my computer to be any safer than my phone, especially if I was a novice who doesn't know how to cover my "digital ass".

    -gerbik
  • Is there a way in (insert os of choice) to see *all* the apps which are running? Processes,threads,tasks,interrupts,tsr`s etc. If you could see them all, wouldnt that reduce the risk of keystroke loggers?
  • Interestingly, the supreme court just ruled [cnn.com] a few days ago that traffic checkpoints to search for drugs are illegal. Dissenting were Chief Justice William Rehnquist and Justices Clarence Thomas and Antonin Scalia, George W. Bush's favorite supreme court justices. Rehnquist said the checkpoints only involved a "minimal intrusion on the privacy" of the occupants of the vehicles. If you think your privacy rights are bad now, just wait until Bush stacks the supreme court with "strict constructionism."
  • Again, you're being paranoid. If you haven't done anything illegal, you have nothing to hide.

    Are you saying you've never done anything illegal?
  • Unless he was smart, and stored his encrypted key on a disk or (probably credit card sized) cd. Then the passphrase won't do them any good, will it?
  • trading constitutional rights away is NOT something that should be taken lightly.

    the old exuse of 'its for the good of all that we sacrifice some personal rights' just doesn't cut it. its the lamest one out there. don't accept it.

    and besides, what have {mob bosses, terrorists, and child pornographers} ever done to YOU? personally, I'd trust these guys over the FBI any day.. at least they're up front and will tell you exactly what they want and how they're gonna get it. not quite so with the ultra-squirmy and above-the-law MenInBlack..

    --

  • even people with backgrounds that might lead to anti-government sentiment have been rounded up and put into prison, internment camps, etc.

    whew - I think I need to stop reading slashdot in the early AM hours. I could have sweared that you said:

    put into prison, INTERNET camps...

    actually, an INTERNET CAMP sounds kinda fun. maybe I'm just a no-life geek. yeah, that's it.

    --

  • >Calm Down!

    Totally agreed. The FBI clearly explains they want the warrant to get the guy's password, not so they can read his love notes. This is no different than the FBI drilling the lock to a safety deposit box with a search warrant, if you ask me.

    Which brings me to my next point:

    >Which is more important.. ...or protecting yourself from having some FBI bureaucrat reading over your shopping list?

    That is wrong, IMHO. For the same reasons it is wrong for an FBI agent to abuse his power to check out the family jewels in my safety deposit box for his amusement. Search warrants aren't to spy on items that make no litigious sense (and a shopping list is not good evidence unless it includes copious amounts of fertilizer and gasoline). They are to gather evidence against serious criminals.

    I think there's a fine [undefined] line between protection and spying. Breaking the law defines that line.

    Just my 2 cents.
  • you're being paranoid. If you haven't done anything illegal, you have nothing to hide

    In that case, you will support open ballots for all future elections? We can have everybody sign, date and address their ballot, then, if there is any question as to their intent, we can just call them up and ask them how they voted. And anyone who wants to know how anyone else voted can just request copies of the ballots through the freedom of information act.

  • Again, you're being paranoid. If you haven't done anything illegal, you have nothing to hide.

    Unfortunately, the real world doesn't work like that. It took the WTO protests to make it clear that vocal oppostion to globalisation was not sufficent grounds to label you a probable terrorist and have your home invaded.

    Protesters aren't a good example in that a lot of people hate them with a vengence and think they deserve to have their rights violated, but protesters are good example in that they so clearly do have something to fear while often clearly having nothing to hide.
  • The _possibility_ of a secret key being released can actually be quite devastating.

    "And finally Your Honour, we present as evidence the defendant's key, obtained from his home by the FBI" and now on public record.

    If the MPAA's elite pack of lawyers can f*ck this one up (deCSS), I'm sure the FBI can manage it routinely :-)
  • So, it's pretty clear that in the end, government nosiness is a good thing. Think about it.

    Of course it is. Look at the old Soviet Union. The Soviets prided themselves on having cities that were safe enough for women to walk around alone at night.

    I think the police should have the right to enter your property at any time they see fit without a court order. That way we can rid this country of drugs, child pornography, weapons, "subversive" materials. After all, you shouldn't have anything to worry about if you haven't committed a crime.

  • but the fact of the matter is that the FBI had a court order here! They had every right to tap this guy's computer.

    Had you bothered to read the article, you would have noticed that it spent several paragraphs explaining that the FBI only had a search warrant. Furthermore, it explains that a traditional wiretap order requires a higher degree of approval (both the attorney general and the court) than a search warrant. In short, they bugged his computer when they would've been overstepping their legal authority to bug his phone.

  • You could make it more difficult by using a pass phrase that you commonly use in normal computing.
    "killall netscape" perhaps :-)

  • Correct me if I'm wrong here, but here's how this reads to me.

    FBI request : There's this bad mafia guy. We've got reasonable proof that he's doing Bad Things (tm). Instead of a phone tap, we'd like to do a computer tap to collect enough information to get him.
    Court order : Yup, he's bad. Go get 'em.

    That doesn't seem too crazy. What seems almost silly is that they ask for permission to install software, HARDWARE, and FIRMWARE?!?! Ok, anyone who can't tell well enough that someone has been messsing around with their boxen physically and put in new hardware shouldn't consider themselves very sneaky and need to get out of the Bad Things (tm) business. I mean it's like coming home and having a new random ceiling fan appear in your living room with a silver orb in the middle instead of a light globe(think mall security) and a mic for a pull cord. Duh!

    As long as the FBI still have to get court orders that need to show reasonable proof you're doing something bad, I don't see privacy issues getting too bad. It's just when they're allowed to have manufacturers install hardware to transmit everything you do to a data base to try an filter out what illegal activity might be going on (be wary those adopting wireless LANs)that I'll get somewhat worried.

  • I consider often the stuff on my computer more precious than what I would say in a phone call. The work on my computer is much better thought out than a phone call and therefore could be much more incriminating.
    I think that key-stoke monitoring needs to be at least as protected as wire-tapping by laws.
  • The court order, however, did authorize the FBI to "install and leave behind software, firmware, and/or hardware equipment which will monitor the inputted data entered on Nicodemo S. Scarfo's computer by recording the key-related information as they are entered." So, they agents had a valid order from a judge of competent jurisdiction, so in their minds, what they were doing was legal. OK. Fine. The interesting bit, as I see it, is that in essence what they acquired was a non-expiring search warrant on a persons computer. That is a really neat trick. And you all thought that hacking *nix was cool, hacking the law, now thats a feat! Seriously though, as I understand it, don't the fibbies have to leave a copy of the warrant at the scene? If so, wouldn't it have been wise to read it? If so, then would'nt it have been even wiser to hire a geek to check out your system, and "flush" everything (except your bookmaking files of course!). Just a thought.
  • Actually, the Hoover administration got something of a bad rap. Admittedly, it's somewhat arguable that they did get a bit overzealous at times, but those were generally isolated incidents, blown way out of proportion by the "yellow journalism" that was so prevalent at the time.

    What's more, I saw some very interesting statistics just the other day (Of course, I can't find the link now!), that showed a very dramatic reduction in certain types of violent crimes that began shortly after Hoover took charge, and ended again just as he left. So, it's pretty clear that in the end, government nosiness is a good thing. Think about it.

    --

  • I think you're serious, so here's my answer: It is more important to me to protect myself from having FBI agents (not bureaucrats, agents)
    They may be "agents" in name, but that doesn't mean they're not bureaucrats in reality. Honestly, you think the guys that took down the Montana Freemen or those cult memebers in Waco are the same guys who sit in a lab deciphering the output of little elecronic devices? Really.
    reading my shopping list,
    It's a flipping shopping list. Who cares?
    my political manifestos,
    This is America! You aren't going to be persecuted for harboring seditious ideas.
    my notes on how to protect myself from script kiddies (proof positive that I'm a hacker, after all),
    Again, you're being paranoid. If you haven't done anything illegal, you have nothing to hide.
    and my (probably) fictional account of Dubya and Jim Baker exchanging bodily fluids (not intended for publication).
    Well, now, that could be libelous... but again, if you don't acutally publish it, you're perfectly safe.
    The FBI has proven that it is not above using its power for political purposes.
    Details instead of vague accusations, please?
    If the FBI were not free to violate the 4th amendment, we wouldn't have anarchy -- we'd simply have a tolerable FBI. Do you really believe they'd have (your words) no power if they had to respect the 4th amendment?
    Read the Fscking article, man! They did respect the 4th amendment. They had a court order!

    --
  • by Anonymous Coward on Tuesday December 05, 2000 @08:26PM (#579324)
    I don't think you are aware of the FBI's history with repect to monitoring its citizens. An example of recent events was shown on Monday night's 60 Minutes. [cbsnews.com] Two citizen's are in jail right now because of 24 hour FBI monitoring allowed by the law (when the law is misapplied). The FBI went to great lengths to misapply the law.

    "notable for its lack of evidence" [washington...center.org]

    "a secret court made up of anonymous judges" [mediafilter.org]

    "secret permission can be obtained to break in and tape conversations without Fourth Amendment guarantees" [shepherd-express.com]

    In this example, the FBI had a court order -- a secret court order -- giving them every right to tap these guys' lives.

    Your slippery slope argument of total anarchy resulting from the FBI not being allowed to invade the privacy of U.S. citiznes is ridiculous.

    I am a lot more concerned about the FBI reading my personal files and deciding I'm a criminal and the consequences of that than any "mafioso", child pornographer, or terrorist. Unlike the latter group of "criminal" elements, the FBI is actually in a position of power such that it can destroy my life if the FBI so chooses.

  • by bluGill (862) on Wednesday December 06, 2000 @06:02AM (#579325)

    Amendment IV

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    Amendment IX
    The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

    Amendment X

    The powers not delegated to the United States by the Constitution, nor prohibited by it to the states, are reserved to the states respectively, or to the people.

    I can secure my papers against unreasonable searches and seizures. Email is just modern paper. If I send it to my brother I can secure it.

    Not all rights are mentioned in the bill of rights, as the document specificly allows, which are despite not the lack of mention still retained by the people. Thus the right to private converstation, or for that matter privacy itself is still a right even if not mentioned.

    The US goverment is not given right to take away those rights.

  • by Millennium (2451) on Wednesday December 06, 2000 @03:58AM (#579326) Homepage
    If the FBI can get a warrant to bug a specific person's keyboard, I've got no problem. It's no different from any other kind of search.

    What bothers me is that the FBI doesn't seem to want to have to bother with warrants. They want to be able to just tap at will (as evidenced by previous attempts at laws to get the ability to search without a warrant), and that's just plain wrong. They've forgotten that there are more important aspects to the law than enforcing it; the law is there to protect the people from others... including law enforcement.
    ----------
  • by Seumas (6865) on Tuesday December 05, 2000 @08:38PM (#579327)
    There has to be a way to implement some manner of encryption between the keyboard and the OS, in which the keyboard mapping is jumbled and re-constructed via a random mapping once it reaches the OS. I'm no hardware expert but I would think some sort of device could act as an interface which the keyboard plugs into. Add some software to the PC and there you go.

    Just a thought. Maybe it's a dumb one.
    ---
    seumas.com

  • by Goonie (8651) <robert.merkel@be ... ra.org minus bsd> on Wednesday December 06, 2000 @12:09AM (#579328) Homepage
    Anybody who knows *anything* about computer security (including reading the PGP documentation) should know this is possible.

    If this guy really was a Mafioso and didn't realize this kind of thing was possible the Mafia really need to hire somebody who knows the fundamentals of information security. My hourly rates are reasonable, and I'll take payment in the Cayman Islands if it suits :)

  • by mpe (36238) on Wednesday December 06, 2000 @02:59AM (#579329)
    If you haven't done anything illegal, you have nothing to hide.

    Wrong way around, if you havn't done anything illegal then the state has no business snooping in the first place.
    The idea that given the power the state will only herass criminals has been proven time and time again to be nonsense. Indeed criminals are typically way down the list...
  • by Tau Zero (75868) on Wednesday December 06, 2000 @06:51AM (#579330) Journal
    Meanwhile, protecting yourself from the keyboard monitor is trivial. Never type anything critical on a computer electrically connected to anything else. Need to communicate? Use sneakernet to carry a disk with the encrypted message to a computer that is connected.
    I don't think you read the articles. The FBI put a keystroke monitor (which can potentially record 32M keystrokes) onto the subject's computer. The data were being tapped directly at his keyboard; avoiding any transmission outside the computer would have done nothing to prevent its interception.

    Real lesson: if you want your data protected, don't put it in a computer.

    Putting a flash-based keystroke recorder into any detached keyboard would be a relatively simple matter; you get power and data directly from the cable and stash the data on the card. You could send the data to an external device using something like Bluetooth. If it was done to your keyboard, how would you detect it? Do you have seals on the case and examine them every day? I sure don't.

    I think the lesson here is actually one of guarded optimism: breaking PGP is still beyond the FBI, so they have to use physical intrusion to get access to the keys. This burden makes it utterly impossible to perform fishing expeditions on encrypted e-mail or computers in general (Van Eck/Tempest monitoring notwithstanding). I feel a whole lot better about this than I do about things such as Carnivore.
    "
    / \ ASCII ribbon against e-mail
    \ / in HTML and M$ proprietary formats.
    X
    / \

  • by goingware (85213) on Wednesday December 06, 2000 @02:37AM (#579331) Homepage
    The VAX/VMS screen editor (what was it called?) would save a journal file that was a literal transcription of all your keystrokes, and a copy of the original file.

    If the machine went down or you got disconnected without saving, you could replay the journal file to recover your edits.

    The cool thing was that this worked by literally replaying your keystrokes back into the editor, so you got to see your edit session happen over again at high speed.

    So I quickly found I could make zippy little ASCII animations by laboriously editing out frame after frame of the pictures in an animation and then turning the terminal off when I was done. Turn the terminal on, log in, and replay the journal! Better than animated GIFs! Kids these days... Much to the chagrin of many people who thought they had kept something a secret, Microsoft Word does this too, with its "Fast Save" - it just saves deltas of each edit, rather than the whole file each time you save. It just does the replay in memory when it opens the file, but it is possible to see the changes, not just with a low-level editor but with Word itself. From The Forum on Risks to the Public in Computers and Related Systems: [ncl.ac.uk]

    I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format. As I was showing it to my lawyer (who happens to be my wife), we decided to put our thoughts inline using the track changes feature of word. After selecting Tools, and Track Changes, we clicked on "Highlight changes in document" and voila, suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written. We got a good look at the previous version of the contract, as well as a bunch of comments and justifications that the lawyer wrote to his client. It was an eye opening experience.

    It appears that instead of selecting "Accept all changes" before sending it to me, the other party to the contract simply turned off the highlighting to the track changes feature.

    This is obviously a case of an unsophisticated person misusing a feature. However, it is very dangerous. Lawyers send word documents around all the time, and many of them do not really understand all the features that they use, nor should they have to. I imagine that I was not the first person to see some behind the scenes conversation in an important word document, that I was never intended to see.


    Michael D. Crawford
    GoingWare Inc
  • by Greyfox (87712) on Wednesday December 06, 2000 @05:54AM (#579332) Homepage Journal
    They're already working on this technology... to allow the signal between your computer and your monitor and speakers to be encrypted. This is being done to protect media from pirating by you. It should be easy enough to adapt the same technology to work between your keyboard and your computer.

    That, plus a Linux box that can only be booted from a floppy that you have on you at all times, plus some encrypted file systems that you unmount religiously when you're not using them would be a pretty tough nut to crack.

  • by Mick D. (89018) on Tuesday December 05, 2000 @09:14PM (#579333) Homepage Journal
    eggs

    kitchen timer

    matches

    flashbulbs

    batteries

    kerosene

    glass bottles(emptied milk or juice bottles will due)

    tubing

    several feet of wiring

    anarchist's cookbook

    (Begin Rant)Whether these things are for a science project or some nut with half a brain it is their right to WRITE IT in private without some other nut with the other half of the brain breaking the door down when a VegiOmniCarniWhateverBot starts blaring "Danger Will Robinson, Danger Will Robinson!"(End Rant)

  • by Nonesuch (90847) <nonesuch@@@msg...net> on Tuesday December 05, 2000 @08:48PM (#579334) Homepage Journal
    I'm not sure if it's a solution, but it certainly is possible to implement a cryptographic keyboard.

    When I read stories such as this one, a saying common in the security industry immediately comes to mind:

    Physical access trumps all.

    If the "attacker" (in this case, the FBI) can obtain physical access to your system, just about any protection can be broken. Perhaps with a laptop that you keep on your person at all times, you might be able to feel secure, assuming you can trust the operating system, the laptop manufacturer, the CPU and auxillary chip production plants, and the original chip designers.

    Stare too long into the abyss of paranoia, and the abyss starts to stare back...

  • by Nonesuch (90847) <nonesuch@@@msg...net> on Tuesday December 05, 2000 @09:16PM (#579335) Homepage Journal
    If you use computer software with predominantly benign uses (i.e. PGP) to hide evidence of criminal activity, you run the risk of losing that sheild to whatever means the law enforcement community can leverage without crossing the line of legality.

    Realize that law enforcement has always had rights to mitigate a citizen's privacy AS LONG AS DUE PROCESS HAS BEEN FOLLOWED. This is an inherent requirement to do their job, and, knowing the restrictions placed on them, I think that almost all of the time that ethic is upheld. (There will always be screw-ups, but those responsible are held to their actions.)

    One interesting question is, how far can they go to "mitigate a citizen's privacy"? This case shows that they can go so far as to "bug" my keyboard to obtain my PGP passphrase.

    How much longer before they follow the lead of the U.K. and have the ability to imprision me for refusing to provide my cryptographic key.

    Where does the 4th amendment end and the 5th amendment begin?

  • by Gregoyle (122532) on Wednesday December 06, 2000 @06:02AM (#579336)
    First of all; some people on slashdot are saying that bugging the keyboard buffer constitutes a wiretap. After looking into it, I find that I agree. The only possible way of getting the information to the bug device is by tapping electronic wires, even though they are between the keyboard port and the motherboard rather than between houses. However, the court order spcifically allowed for using hardware and/or software means to surveil the computer. I think the only way to figh this would be to fight the court order, because a simple search warrant should not legally cover such surveillance. Let me restate that I think the FBI did act within the bounds of the law, just that I think the law as defined by the courts, but also that the law was misinterpretted by the courts.

    On to my second, completely different point. There are three ways for the government to retrieve the information stored in the bug.

    1. Leave it in the computer and retrieve it later with a search warrant. They did not seem to do this, although it may have been the best idea for them. One problem with this method would be if the bug detector was discovered in any way, they would have no data at all, rather than just a halt in the stream. Also, he may destroy the computer upon getting searched (a mor likely problem).

    2. Broadcast it over the Internet. Not likely at all. If this guy was "computer literate" as the article says, he would be monitoring all ports into and out of his system, and would almost have to be using NT, Linux or a BSD (to support encrypted filesystems, unless he went with the whole route of no-swap (info is never stored on disk), which I'm not sure can be impleneted in windows 9x). So this would be a dumb methd, too. 3. Radio. They can send the information out over radio waves. This would allow for a stream of information that would still be evidence even if it were interrupted. The thing with this is that what kind of organized crime don does not use a bug detector?!? They are not expensive, and monitor almost all frequencies commonly used by bugs. The only way around this would be burts transmission, which the article does hint at.

    To top it off, you can't think a computer is unbugged unless it never leaves your side (or the side of someone you trust; trust is as necessary in this kind of security as in encryption). Oh well, this post will never get read because it is now at the bottom of a heap of posts, and moderators never browse newest first. Blah.

  • by aozilla (133143) on Tuesday December 05, 2000 @10:13PM (#579337) Homepage
    Besides, I bet there's not one person reading this who hasn't done anything illegal. Let's forget for a moment traffic offenses and focuse on criminal ones. Did you ever smoke before you were 18? Drink before you were 21? Use an illegal drug? Sneak into a movie theatre without paying? Eat a grape in the supermarket? Commit a drive-by shooting? Did you pay for Netscape after the trial period? How about Winzip? How about winamp, before AOL made it free? Do you own any mp3s that you haven't gotten permission from the copyright owner for? Ever make a copy of a videotape without permission from the copyright owner? Did you ever use RSA for commercial purposes (such as at work) before the patent expired without paying? Did you put in your real information when you obtained a licence to use Real Player? Ever participate in a super bowl pool? Ever install a copy of software you weren't legally licensed to install (including shareware after the trial period had expired)? Have you ever mutilated a U.S. coin? Do you report all items that you've bought over the internet or in another state but not paid sales tax on your state income tax? Have you ever fudged a number on any of your income taxes?

    Have you ever knowingly allowed someone to do any of these things, and therefore been guilty as a co-conspiritor?

    Now, assuming that you have done at least one of these things, should you have gone to jail? On the other hand, if you haven't done any of these things, and think you've never done anything illegal in your life (including knowingly allowing others to do illegal things), I'd like to hear from you.
  • by TheGratefulNet (143330) on Wednesday December 06, 2000 @04:55AM (#579338)
    Get the wrong people mad at you, and you too may find out that government agents have added some tiny components to your computer...

    lessee...

    # depmod -a

    # modprobe \*

    [dmesg] "unknown keyboard device found - driver not loaded. continuing."

    aah - thanks linux! I knew you'd save my butt someday.

    --

  • by -Harlequin- (169395) on Wednesday December 06, 2000 @01:23AM (#579339)
    So ask yourself, which is more important to you, seeing mob bosses, terrorists, and child pornographers get caught before they can hurt
    anybody, or protecting yourself from having some FBI bureaucrat reading over your shopping list?


    I think that's kind of naive. Have you ever actually spoken to an innocent person who got f*cked over by people abusing their powers? A lot of the people doing this surveillence live in a twisted little paranoid world where they see guns in every shadow of innocent activity, and they sometimes act on these innocent things in ways that level headed people wouldn't. And if the law doesn't protect you from such violation of rights, (which it often doesn't) you can kiss your way of life goodbye.

    Sure, there are more criminals having their rights abused than there are innocent parties, and we all know that criminals are, like terrorists, 2d cardboard cutouts whose sole motivation in life is to hurt us and so we should hurt them back, but every erosion of privacy is individually justifiable. The problem is that the next thing you know, you'll have bad cops raking in the $$$ selling your business secrets to your competitors, your unlisted phone number to tele-marketers, your spending details to advertising consultants, and if you try to raise a fuss, they'll deny everything, stop you dead in your tracks with National Security, and you'll be a laughing stock in your community forever for making such paranoid wacko claims.

    It's an exotic threat next to having a car drive into you on your way home from work tommorow, and perhaps not as deserving of as much worry, but that doesn't mean we should just lie back and let it happen.

    Abuse of power is real. Just because it hasn't happened to you doesn't mean it doesn't happen.
  • by -Harlequin- (169395) on Wednesday December 06, 2000 @01:50AM (#579340)
    Of course, it's more difficult when 99 percent of the people you communicate with do not

    I had that problem. And even bigger problem though was that all the cryptography programs and sites I found were aimed at advanced users who were already familiar with crypto. It was an inpenetrable wall.

    Perhaps I was looking in the wrong places, but someone needs to make an ultra-dumbed down installer that could let your grandmother start using crypto. Then we'll be getting somewhere.
  • by blameless (203912) on Wednesday December 06, 2000 @05:28AM (#579341)
    Why not have a PDA-sized unit with PGP installed as firmware. You could keep your key on a flash-memory card in your wallet. The unit would never need to leave your person. Enter the plaintext, the unit encrypts it, upload the encrypted message your computer.
  • by baldeep (213585) on Tuesday December 05, 2000 @08:07PM (#579342)
    Since when is a microcontroller and a battery cutting edge? I want to know what about this keystroke recorder is so freakin' high tech that they can't even talk about it.
  • by Lazarus Short (248042) on Tuesday December 05, 2000 @08:04PM (#579343) Homepage
    Now, I know that a lot of people around here are going to go off and start screaming about having your rights violated, but the fact of the matter is that the FBI had a court order here! They had every right to tap this guy's computer.

    If the FBI couldn't do things like this, they'd have no power to enforce the laws of this country, we'd have total anarchy, and having someone monitor your keystrokes would be the least of your problems!

    So ask yourself, which is more important to you, seeing mob bosses, terrorists, and child pornographers get caught before they can hurt anybody, or protecting yourself from having some FBI bureaucrat reading over your shopping list?

    --
  • by isaac (2852) on Tuesday December 05, 2000 @08:52PM (#579344)
    Remember kids, your keystroke logger records EVERY keystroke. Typed out a phrase that might be a little too strong, but then thought better and erased it? Logged. No opportunity for revision, as soon as you press the key the FIRST time, the event is recorded, even if it was never saved to a file/sent in email/sent in chat.

    You could type "I accept suitcases full of cash in exchange for contraband" at a random and inappropriate time, and it would be logged, even though your sentiment was not reflected in any saved file or communication.

    Creepy, when you think about it. How many times have I thought better of saying something in chat or email, for fear of it being interpreted the wrong way, and erased it before sending? More than a few times, anyways. If my employer or my gov't had tapped those messages at the keystroke level, I might as well have sent them the moment I typed them. Ugh.

    -Isaac

  • by Daffy Duck (17350) on Tuesday December 05, 2000 @10:06PM (#579345) Homepage
    It seems to me that this tale shoots down the government's primary argument for trying to restrict the public's use of cryptography. Their battle cry has been "we must be given the crypto keys, otherwise we won't be able to conduct the sort of wiretaps we've gotten used to". But as this story demonstrates, they can still conduct wiretaps the same way they always have - by physically going out and tapping some wires. Bravo, FBI boys!
  • by goingware (85213) on Wednesday December 06, 2000 @02:54AM (#579346) Homepage
    Well here's some security tips for you.

    Research what laptop will run Linux real well.

    Get some cash together and drive to a distant city and buy a laptop right off the store shelves. There won't be a chance for anyone to plant a bug in it.

    Wipe the hard drive and install Linux on it. Install the Linux encrypting kernel [kerneli.org] and keep all your real files on an encrypted volume.

    Install Tripwire [tripwire.org] on the machine - it verifies the integrity of important files to be sure they aren't patched.

    Learn how to administrate your machine effectively. Always log in as a non-priveliged user and never become root unless you really need to.

    Learn about security and tighten down your machine. If you care about security on your laptop you're not going to be running a webserver but I bet a lot of you are running both Apache and SAMBA on a standalone user machine without even knowing it. The more services that are disabled the less anyone can screw with it, even on a non-networked machine.

    Don't ever let the machine leave your sight. If you have to put it away, lock it in a safe. Do something to the safe that will enable you to tell if someone's blackbagged you - something like the trick of wedging a matchstick in your door when you leave, but something more concealed. If you find the matchstick on the ground when you return, someone's opened your door.

    Best of all don't use a computer for anything of real importance. You can find out why you shouldn't by reading The Forum on Risks to the Public in Computers and Related Systems [ncl.ac.uk] for a while.


    Michael D. Crawford
    GoingWare Inc

  • by Nonesuch (90847) <nonesuch@@@msg...net> on Tuesday December 05, 2000 @09:12PM (#579347) Homepage Journal
    It's not just a question of whether you have done anything illegal.

    Perhaps you hold political opinions that are unpopular with the current administration. Maybe you have your local mayor upset at you for campaigning against him last election. Maybe you are a journalist who has published stories that upset the FBI. Perhaps your ex-girlfriend has taken a job in the local field office.

    Get the wrong people mad at you, and you too may find out that government agents have added some tiny components to your computer...

    When the sources for your news stories are found dead from a "self inflicted" park in Washington

    When you lose every project you bid on to competitors who underbid you by exactly 3%

    When the conservative christian boss of your same-sex lover "somehow" gets a copy of your last mash note.

    When somebody says "If you aren't guilty of any crimes, you have nothing to fear", remember it's not question of whether you are guilty of crimes against the law, it's not a question of paranoia. The question is, have you committed a crime against somebody else's god, have you done anything that somebody else wishes was against the law, is there anybody who would benefit from hrting you?

    If the answer is "yes" to any of the above, then you do have something to fear from this sort of "wiretap" activity.

  • by www.sorehands.com (142825) on Tuesday December 05, 2000 @08:16PM (#579348) Homepage
    As one person mentioned, a court order was done to permit this.

    The article missed one important point -- they were intercepting communications!. Even though it's from keyboard to computer, it's still communications over a wire (unless via a IR port). If it's software instead of a hardware unit, it is still intercepting the keyboard messages as it gets passed through the message queue (and windows). And if it was not authorized, it would be a federal crime of unathorized access to a computer.

  • by slashfucker (259972) on Tuesday December 05, 2000 @08:48PM (#579349) Homepage Journal
    i hope you're not serious, because you mangled the FUCK out of that quote. There is a great deal of confusion about who said that quotation, and how. The main consensus is that it was either Ben Franklin or Thomas Jefferson. Here are a few examples from around the net of how people attribute that quote:

    Benjamin Franklin
    "Those who would sacrifice liberty for safety deserve neither"
    "Those who would sacrifice essential liberty for temporary safety deserve neither."
    "Those that would sacrifice liberty to obtain a little temporary safety deserve neither liberty nor safety"
    "Those who will sacrifice vigilance for liberty deserve neither."
    "Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety."
    "Those who would sacrifice liberty for security deserve neither liberty nor security."

    Thomas Jefferson
    "Those who would sacrifice Freedom to gain Security, will not have, nor do they deserve, either."
    "Those who are willing to sacrifice freedom for safety, deserve neither."
    "A man that would sacrifice his freedom for security deserves neither."
    "Those who would sacrifice a little freedom in exchange for security will have neither."

    So who actually said it? Drum Roll please...

    Charles Louis de Secundat, the Baron of Montesquieu, or Montesquieu for short. In 1774, the ideological father of the Constitution wrote:

    "A man that would sacrifice his freedom for security deserves neither.
    The God who gave us life gave us liberty at the same time."
    -Montesquieu, The Rights of British America
    So you are all obviously a bunch of cunts.

    Love,Slashfucker

  • by Seumas (6865) on Tuesday December 05, 2000 @08:06PM (#579350)
    Everyone should be using encryption for as much as they possibly can. When it is realized that 99.999 percent of decrypted information is fluff and noise, it'll be too much of an effort to process every bit of encrypted data. Otherwise, encrypting selectively is just like holding up a giant flag saying "read this!".

    Of course, it's more difficult when 99 percent of the people you communicate with do not -- either because of lack of initiative, understanding or capability, use encryption and wouldn't know or care what to do with the encrypted information you send them.
    ---
    seumas.com

  • by geophile (16995) <jao AT geophile DOT com> on Tuesday December 05, 2000 @08:17PM (#579351) Homepage
    So ask yourself, which is more important to you, seeing mob bosses, terrorists, and child pornographers get caught before they can hurt anybody, or protecting yourself from having some FBI bureaucrat reading over your shopping list?

    I think you're serious, so here's my answer: It is more important to me to protect myself from having FBI agents (not bureaucrats, agents) reading my shopping list, my political manifestos, my notes on how to protect myself from script kiddies (proof positive that I'm a hacker, after all), and my (probably) fictional account of Dubya and Jim Baker exchanging bodily fluids (not intended for publication).

    The FBI has proven that it is not above using its power for political purposes.

    If the FBI were not free to violate the 4th amendment, we wouldn't have anarchy -- we'd simply have a tolerable FBI. Do you really believe they'd have (your words) no power if they had to respect the 4th amendment?

  • by CaptainCarrot (84625) on Tuesday December 05, 2000 @09:18PM (#579352)
    I'm far more comfortable with this sort of approach, where a single individual is monitored after law enforcement officials go through appropriate due process, than I could ever be with something like Carnivore which, with a slip of the configuration file, can indiscriminately intercept communications from anyone on the network.

    This isn't really any different than what the FBI goes through to put a tap on the telephone line. When they're going after organized crime, this sort of thing is both necessary and proper -- as long as it is governed by due process of law and nobody's privacy is needlessly invaded.

  • by goingware (85213) on Tuesday December 05, 2000 @10:14PM (#579353) Homepage
    While I guess this goes to show that it's not unbreakable (do you keep your laptop in a safe at night?) I think in general it gives good motivation for why you should read my page:

    Why You Should Use Encryption [goingware.com]

    In the article, I try to discuss in as approachable and as convincing a way as I can why everyone, even your mom, even your kids should use cryptography.


    Michael D. Crawford
    GoingWare Inc

  • by goingware (85213) on Tuesday December 05, 2000 @10:28PM (#579354) Homepage
    By the way, my very first commercial product was Last Resort [webcom.com], a keystroke recorder from Working Software [working.com].

    It ran in only 8 kb of memory and we specifically advertised that it would capture:

    • Text that was backspaced over
    • Text that was typed and then highlighted and deleted
    • Text that was typed and never saved
    • Text that was saved but lost due to file corruption or accidental file deletion
    It would save everything, even your backspace characters. You could use those to help you reconstruct your file.

    Last Resort Programmer's edition will save menu key equivalents to aid testing and debugging and tech support. It helps you reconstruct the sequence of events before a crash.

    And yes it would capture passwords but we had the option to pause it or disable it entirely.

    I wrote the Mac version but it's available also for DOS and Windows (written by other guys).

    Although we tried to make it very obvious when Last Resort was installed on a machine, we get occasional email from people asking how they can make it invisible. We don't tell them, but really if you want to make a hidden keystroke recorder it's pretty trivial.

    Don't just worry about the FBI doing this to you - worry about your employer or loved ones. Not long after I shipped Last Resort, one of the editors of MacUser Magazine thanked me personally for it because he'd caught his girlfriend having an online affair - her hot and heavy emails were in his keystroke file.

    He later wrote a novel that talked about a lot of software products with fictional names but that were obviously taken from real products. I'm proud to say that the faux-Last Resort saved the world in his novel.

    Also I get occassional spam from companies selling keystroke recorders that aren't just invisible, but they encrypt the keystroke files and upload them to a location of your choice. They say this is meant for employee monitoring...

    Such monitoring, by the way, has been held to be legal by the courts.


    Michael D. Crawford
    GoingWare Inc

  • by GMontag451 (230904) on Tuesday December 05, 2000 @09:31PM (#579355) Homepage
    This is America! You aren't going to be persecuted for harboring seditious ideas.

    Someone doesn't know his history very well. Every time this country has been in conflict with another country in the past 100 years or so, people with anti-government sentiments, or even people with backgrounds that might lead to anti-government sentiment have been rounded up and put into prison, internment camps, etc.

    Witness the most recent example, internment camps for the Japanese and Italians during world war 2. This was the cause of a direct exectuive order! Or how about all the people arrested during WWI and the period right after for being communist. There was even a law passed by Congress saying they could! Look up the Alien and Sedition Acts.

    So next time you just blindly assume that because we are in America, we actually have rights and crap, think a little harder.

  • The SCARIEST part of the whole thing is:

    FBI attorney: The suspect uses something called PGP, which prevents us from viewing his email and, combined with other evidence we have gathered while surveiling him, constitutes probable cause that he is using his computer for legal activity.

    Judge: Okay, go get 'im.

    Software does not equal intent. Not with PGP, not with Napster, etc.

You can do this in a number of ways. IBM chose to do all of them. Why do you find that funny? -- D. Taylor, Computer Science 350

Working...