Privacy

FBI Files Brief on Scarfo Keylogger

Firewort writes: "In an affidavit (warning, it's a PDF) filed with a federal court in New Jersey, the FBI has disclosed some of the details of a controversial "key logger system" used to obtain the encryption password of a criminal suspect. They go into great detail describing PGP and the different methods they might have used to keystroke-log Scarfo to get his encryption key." Interesting, and more technically sophisticated than the basic keyloggers which grab keystrokes indiscriminately.
This discussion has been archived. No new comments can be posted.

  • warrant (Score:3, Insightful)

    by djtech ( 513550 ) on Wednesday October 10, 2001 @12:13PM (#2411012)
    As long as they have a warrant I think this should be legal for them to do. In a few years it will be obsolete since we'll have bio-interfaces to our computers. Let's see them tap into that without us knowing!
  • by adx200 ( 263718 ) on Wednesday October 10, 2001 @12:18PM (#2411055) Homepage

    It's important to note the fact that it doesn't log all keystrokes for 2 reasons:

    1) It's impressive. The fewer keystrokes logged that could be potential passwords, the less manpower required to examine the logs.

    2) It leaves potential exploits open for crypto software writers and users in order to trick keystroke loggers into passing them over without recording the activity.

    On another note, Bruce Schneier has always reminded people that a secure system always includes at least 2 out of three things: Something you know (password), something you have (ATM card), or something you are (biometrics, fingerprint).

    My point is that ...
    Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password. Or, the person could just always keep the password key on a CD-ROM that they physically take with them and can destroy at a moment's notice.
  • by Ravensfire ( 209905 ) on Wednesday October 10, 2001 @12:32PM (#2411149) Homepage
    Why would this be strange? Most agents know pretty well what they can, and cannot get away with. The FBI, given some of the problems of the past, is doing what they can to NOT lose a case over a technicality. So creating a tool that allows them to capture only the information they have a court order for is an excellent idea from the FBI. If they got everything, found some new evidence from that illegally acquired information, it would probably get tossed out of court, along with the case (fruit of a poisoned tree).

    A law enforcement agency, creating a tool that is designed to operate within a limited court order - shouldn't we be at least somewhat positive of this?
  • by eXtro ( 258933 ) on Wednesday October 10, 2001 @12:34PM (#2411163) Homepage
    I don't agree with that sentiment at all. The rights that we take for granted and which many people presently are ready to concede have been earned through the blood of our ancestors.


    Five or six thousand people died in the attacks on the World Trade Center and the Pentagon. It is a horrid tragedy and I would never try to minimize it, but it pales to the number of people who have died [lsu.edu] defending democracy. In three of these defining wars, as tabulated below, there were over 350,000 deaths.


    Revolutionary war: 4425
    World War I: 53513
    World War II: 292131
    Total: 350069

    This only includes those killed in action or dead from wounds and doesn't include prisoners of war. It seems tremendously disrespectful to those who died creating or defending this country to relinquish our rights, rights earned through their deaths, so easily.


    There are also 40,000 deaths per year in the US [cdc.gov], not through terrorism, but through automobile accidents. Would you also suggest that for safety's sake we ban the automobile?

  • by macsforever2001 ( 32278 ) on Wednesday October 10, 2001 @12:38PM (#2411183) Homepage

    Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password.

    This wouldn't stop the FBI. They could obviously take his fingerprint and probably make some kind of cast based on that to replicate it. A swipe card could be subpoenaed in court too.

  • by gweihir ( 88907 ) on Wednesday October 10, 2001 @12:40PM (#2411197)
    P.S.: I think part of these "we (could) have broken" statements are also a smokescreen that is intended to make people not bother with encryption, because "they can break it anyway".

    Would not be the first diversion with that purpose: If you cannot defeat it, undermine its credibility.
  • Interesting. (Score:3, Insightful)

    by jd ( 1658 ) <imipak@ y a hoo.com> on Wednesday October 10, 2001 @12:53PM (#2411263) Homepage Journal
    "They go into a lot of detail on the methods they could be using".


    THIS is an interesting little statement. It says nothing about what they DID use, merely what they COULD have used. And since it's probably not an exhaustive list, the actual method(s) used may or may not be contained within it.


    It's important to not assume that the FBI are being malicious in what they've put in this brief, but it's equally important to verify what is being said. The FBI are not the most open organization in the world, and it would be erroneous to assume that a court filing will be any more open than anything else they publish.

  • by AlgUSF ( 238240 ) on Wednesday October 10, 2001 @12:56PM (#2411284) Homepage
    Yeah, if he knew they installed the logger. The kicker in this situation was they installed it without his knowledge....
  • Re:Interesting. (Score:2, Insightful)

    by NeoTron ( 6020 ) <kevin@NoSPAM.scarygliders.net> on Wednesday October 10, 2001 @12:56PM (#2411288) Homepage
    Indeed - if any agency openly published their methods, then eheh, well, isn't that like giving criminals a "how NOT to get caught" manual? :)
  • Solution: Chargen (Score:5, Insightful)

    by Ted V ( 67691 ) on Wednesday October 10, 2001 @01:01PM (#2411328) Homepage
    Just use the windows character generator. When you need to enter a password, click it into the windows character generator and copy the resulting string and paste it later. No keyboard interface is ever required.

    Of course, then you're vulnerable to those things which remotely view monitors (Van-eckman scanners?). But I suppose if you're really paranoid about something like this, you would actually search for a keyboard logger first and put 3 other monitors nearby to create interference. So I guess it's all academic.

    -Ted
  • by eldurbarn ( 111734 ) on Wednesday October 10, 2001 @01:23PM (#2411436)
    Assuming that the version of PGP that was in use was one of the "source available" versions, why didn't the FBI simply alter the passphrase dialog code to store a plaintext version of the passphrase someplace on disk? All they'd need to do is re-install that portion of the application, and hope that the "bad guy" didn't do regular PGP sig/checksum comparisons against his installed programs (and how many of us do that?)
  • by Sloppy ( 14984 ) on Wednesday October 10, 2001 @02:04PM (#2411715) Homepage Journal

    Keystroke loggers could be rendered ineffectual if the crypto software used was also hooked to a fingerprint scanner or a swipe card reader in addition to a password.

    Attack: Insert a logger in between the computer and the device that reads cards/fingerprint etc.

    Interface between computer and something thought to be personally secure (the person, or a smart key he carries, etc) must be resistant to MITM and logging attacks.

  • by Joe Decker ( 3806 ) on Wednesday October 10, 2001 @02:26PM (#2411808) Homepage
    D'oh. You almost have to ding the FBI for not trying that one. :)

    Still, if the FBI really went to that much trouble to do keylogging software that doesn't capture when the com ports are active, I have to admire their dedication to the letter of the law.

  • by Cid Highwind ( 9258 ) on Wednesday October 10, 2001 @03:12PM (#2412137) Homepage
    It's impossible. Every conceivable identification device must interface with the computer at some point, and be exposed to the user at another. Any method of input is vulnerable to a sufficiently motivated and wealthy adversary (eg the US/Russian/Chinese government, Microsoft, the Catholic church, or whoever). The point to remember is physical access to the hardware trumps any computer security measures.

    If you want to be really paranoid, check your computer every few days. Look for dongles or adapters you don't remember putting on. Use keyboard cables without ferrites, they could be replaced with a keylogger. Epoxy over the heads of your keyboard screws. Look inside the computer case, see if anything has been added or moved. Then, if you find a key logger, fill up its entire memory with "h4h4! j00 5ux0r!!" ^_^
  • by libertynews ( 304820 ) on Wednesday October 10, 2001 @03:32PM (#2412266) Homepage
    From the document it sounded like they were concerned about multiple layers or methods of encryption. Replacing PGP with a trojan version would have only provided them with one step of the process.
  • by Fuzzums ( 250400 ) on Wednesday October 10, 2001 @06:27PM (#2413190) Homepage
    My computer is permanently connected to the internet or 'communicating' by the means of a network card. I think the difference in function between a modem and a network card is quite small. So following the line of thought: if my network card is functioning, it's not allowed to grab keys :)

    sim-ple.
