FBI Bugs Keyboard of PGP-Using Alleged Mafioso
Sacrifice writes "The Philadelphia Inquirer reports on a criminal case which will challenge the authority of courts to permit FBI agents to surreptitiously plant keystroke-monitoring bugs, which are not regulated by current federal wiretap legislation. Also, David Sobel from EPIC notes that it is now a matter of record that the FBI can, and does, conduct surreptitious entries to counter the use of encryption (see FBI application for breakin and the court order granting permission)."
I'm a victim; "erotic training" is a vicious lie (Score:1)
Thank you very much. Please extend my thanks to the pedo community on behalf of all us victims.
BTW, the illogic in your statements is frightening:
Re:Get worked up! (Score:1)
> This is America! You aren't going to be persecuted for harboring seditious ideas.
> Again, you're being paranoid. If you haven't done anything illegal, you have nothing to hide.
Which America are you living in? 'Cause in my America, prosecutors use purchases of serial cables as evidence in hacker trials, and police crack down on every major public demonstration to prevent people from expressing views the government doesn't want to hear.
It's naive to say that if you haven't done anything illegal, you don't have anything to worry about. Even if you're innocent, having to defend yourself against accusations in court can cause you tremendous emotional trauma, disrupt your personal and work life, and cripple you financially with legal expenses.
Re:What's wrong with pictures of children??? (Score:1)
Ah. Having been a minor not so long ago, I am quite familiar with the 'rights are only for adults' meme.
What would you suggest as an age of consent?
Hard to decipher keystrokes (Score:2)
[FBI] Your honor, our best cryptographers have struggled with this for 5 months, using elaborate supercomputer analysis, and couldn't crack the code. It must be an incredibly well-crafted keystroke encoding, requiring extreme training to use at the speed it was typed.
[Judge] Defendant, can you tell us what it is?
[Hacker] Yeah sure, I was playing Quake for 3 hours.
Re:You are naive. (Score:2)
--
"Don't trolls get tired?"
A real judge would ask (Score:2)
And how do you know the suspect is using PGP since you do not have a warrant for wiretapping? If they have a warrant to do wiretapping, lawfully and correctly obtained (even if it turns out to be based on what turns out to be a false lead), then they should be able to bug the keyboard. Otherwise they do not have that right.
Suspicious activity is not reason for a warrant, unless a crime has been committed. Planning to commit a crime is not a crime, but committing the crime is. (And when a plan can be shown then the crime is generally greater.)
Re:OS independent (Score:2)
Conspiracy theory (Score:2)
Interesting... but then they would only have to say that they've tapped the keyboard, present the decrypted data, confiscate the system for evidence, and then, maybe, install the keyboard monitor.
Re:Get worked up! (Score:2)
Think about it.
Re:Calm Down! (Score:2)
Perhaps into the palm desktop to sync, but just to print out, I mean, come on... And if you can sit down and type it in one sitting do you really need the list?
Re:Please Read "Why You Should Use Encryption" (Score:2)
I guess it's enough to just never turn it off, and when you're not physically close, run a screensaver lock. While not guaranteed to work against everything (but what is?) it's rather doubtful that trying to patch such a device on wires of a running computer wouldn't create a system lockup, at the very least. In such event, when you come back and see your system rebooted or locked up, you know something has been wrong and you can examine your drivers, weigh your computer and so on (in the order of increasing paranoia)
> Why You Should Use Encryption
On the other hand, you might read the Brin's book, "Transparent Society", on why everybody should have a right to spy on everybody else. Or read his essays on this topic at www.kithrup.com
Plug and play keyboard sniffer (Score:2)
I don't condone the use of such a tool, but people should be aware that this stuff is readily available.
regards,
Heiko
Re:There Has To Be A Way (Score:2)
Of course, another cool tool would be something that would generate random crap when your computer is idle so that when the little bug tries to upload data to its home -- all they get is about 80 words and 1,999,980 random keystrokes.
---
seumas.com
Re:Get worked up! (Score:2)
Pardon me, but please let *me* decide if I want to hide my personal life from the state or not. Or better yet, please respect others' right to keep their personal life to themselves.
There is no law that protects my right to a private conversation with my brother, but it is a right I'm not ready to give up. I'd rather see 100 criminals walking free than my rights to private life taken away.
--
Why pay for drugs when you can get Linux for free ?
Re:The one problem with this. (Score:2)
Re:There Has To Be A Way (Score:2)
Spies in sandcastles shouldn't throw waterballoons (Score:2)
Re:There Has To Be A Way (Score:2)
Even so, opening up a nonstandard keyboard and putting in a bug that somehow integrates with it, takes a hell of a lot more effort/time/risk than sticking a ready-made inline PS/2 adapter. One can be done with a quick breakin and 20 seconds of work, the other takes a recon pass breakin to see what kind of keyboard it is, research on how to bug it, and then a good amount of time onsite to install the mod. A lot more work for your FBI / Industrial Spies / Blackmailer to do.
A crypto keyboard is a good idea.
---
Thoughts... (Score:2)
Kevin Fox
True. (Score:2)
They can no more tap your phone without an order than hack your box without an order.... I don't see what the big deal is here.
And... (Score:2)
No. The fibbies do NOT have to leave a copy of the warrant on the scene; this wasn't a search warrant, this was an order to do surveillance.
Re:How this seems to read to me.... (Score:2)
Also, if you are not at all expecting someone to have planted a keystroke monitor on your computer, how would you detect it even if it was software? I mean, you might not even LOOK. And to boot, especially if it's windows, it may be far from obvious.
*combined*. (Score:2)
They did not say 'pgp makes him guilty'. They said that, in addition to everything else he does, it's probable cause.
Having a crowbar does not make you a thief. Being viewed purchasing tools that are also associated with break&enter crimes, as well as having other evidence that seems to point to a life of crime WOULD be probable cause to think you are committing a crime.
Get off the high horse.
Software + OTHER STUFF = probable cause is NOT the same thing as
SOFTWARE = INTENT.
Typewriter Ribbons (Score:2)
Typewriter ribbons and carbon paper have been used as a source of text [asqde.org] during investigations for decades (plastic or film ribbons since 1959). The FBI teaches ribbon examination [fbi.gov]. There are cases [tcbd.com] with ribbons as evidence [state.mn.us].
Re:Why they need your keystrokes (Score:2)
gnupg wouldn't page the memory to disk.
It uses mlock
Re:Please Read "Why You Should Use Encryption" (Score:2)
Re:You are naive. (Score:2)
Perhaps you happen to know about questionable activities by people in "authority".
Re:You are sick (Score:2)
How is this going to happen, at least one of the companies concerned survived having an atomic bomb dropped on one of their facilities.
Re:Get worked up! (Score:2)
So much for the much trumpeted written constitution.
Re:Get worked up! (Score:2)
There must be easier ways to test if the telephone system in Florida needs upgrading
And yet more reason --- (Score:2)
----
Re:This is GOOD news for crypto enthusiasts (Score:2)
If the DNC offices at the Watergate could have been bugged by pushing a button in the White House while G. Gordon Liddy took a nap at home, we probably would not know about it to this day....
/.
How to defeat... (Score:2)
At least not in the normal sense...
First off, since they are doing a B&E to set it all up (heck, even with a warrant you should do this), first make sure you set up some kind of ultra-secret hidden cam recording movement (hide it in the ceiling or wall - use a pinhole type camera, mount it to NEW wallboard right over a pinhole, then mount the new wallboard. Break up the wall with pictures, wall hangings, carpet). Don't tell anyone about it. This will let you know if something hinky is going on.
Next, since they are likely tapping one or more of four spots (the keyboard, the interconnecting cable, the motherboard connection, or OS hooks with a software logger), you need a way to bypass these. A good way would be to build a simple encrypting keyboard (or even a complex one), and a special card for the PC, and drivers to read it.
Another way would be to set up a serial console to do everything from - use a funky terminal not in great production anymore (a real VT100 or ADDS, or something similar - Olliveti?). Perhaps you can encrypt the serial comms as well. Maybe set up UltraTerm on a CoCo 3, serialized over the RS-232 pack to the console serial port on the box (that should confound them!).
Use an optical keyboard, with custom "encryption", perhaps. Mark your keyboard with an identifying mark. Put a seal on the keyboard, or over screw holes to detect "modification". Same with the case. Add locks to the case. Add an alarm.
Here is a funky idea - set up the "computer" to be a dummy with an alarm (or other nastiness), into which the keyboard is plugged into. Using cat-5 and a "dummy" network card, route that out to another "dummy" network card in the real computer, with that dummy card hooked up to the keyboard header of the real machine (thus the actual machine looks like it hasn't got a keyboard attached). Set up a current monitor to notice drops in current on the keyboard "port", with alarms and such to notify you.
Here is one - rewire the keyboard port and keyboard (and any interconnecting devices - keyboard switchers/extenders might need to be taken into account). Swap the wires and connections around (might be a pain at the motherboard end). Done clean and right, it would be a mess for them to sort out *on site* - heck, they might not even notice it (think they do wire tracing to make sure the keyboard is standard - perhaps, perhaps not). Maybe even use completely non-standard connectors. Maybe go so far as installing a non-standard (keyboard wise) microcontroller in the keyboard, with custom coding (combine this with the other tips, like "encryption" and such - one hell of a hack).
Do I really think any of these would stop the FBI? Naw - but it would make their lives at least a bit more miserable. Perhaps it would confound them enough to make them come back later - given enough covert surveillance on your part, you could destroy the machine (or change it!) in the meantime...
Worldcom [worldcom.com] - Generation Duh!
What have I done? Nothing... (Score:2)
Considering all this - we should be more paranoid - not less. It seems every day I hear or read about something that convinces me further that we are falling into a police state form of government. Something has to be done. Today it wasn't me, tomorrow it probably won't be either.
Someday it might be - better to be prepared now than wait until it is too late...
Worldcom [worldcom.com] - Generation Duh!
Re:What's wrong with pictures of children??? (Score:2)
the reasoning is probably something like this:
we don't want to create a market for child-pornography, since this would partially legitimise the making of child-pornography. by allowing the product, you encourage the producer. making a CGI of child pornography is probably to make it easier to apprehend the real sick bastards. a picture of a kid in the nude isn't child-pornography, btw. there must be a 'sexual act'. Otherwise, your mom would be a criminal for keeping all those baby-pics around (and showing them to your gf)
//rdj
Not according to legal definition. (Score:2)
Sorry. The only "communications" protected by the wiretap law are voice telephone conversations. "Communications" between the keyboard and the computer are not included in that definition - nor are e-mail with other people, nor conversations with other machines.
The way the law currently works is that it is extended to protect new technologies - either by explicit legislation or by court precedent. So new forms of communication are UNprotected by default. Maybe you'd LIKE the default to be the other way, but in practice this is how it is.
By tapping communications on the cutting edge tech, where no law has gone before, the FBI gets to spy until a court or the congress makes them stop.
World War 2 was not the most recent incident (Score:2)
Charlie Chaplin lived out his golden years in the south of France because of Mister McCarthy and his little campaign.
Not that this refutes your core argument in any fashion. But the old joke about the difference between being British and American is that the British think a hundred miles is a long way, and the Americans think a hundred years is a long time, is fitting here.
Some will see an example from the fifties as more compelling than one from the early forties, less able to shrug it off.
-
Re:What's wrong with pictures of children??? (Score:2)
Nope. Write consenting adults in there, and I'd agree. I'd also agree that there's no such thing as a consenting child, so having sex is impossible for a pedophile, but other than that, there really is no difference between hetro/homo/bi and pedo. That fact that some pedo's still have sex with kids is simply a legal matter, send them to jail, just like hetro/homo/bi who have non-consenting sex (or let's call it what it is, rape) with others.
Re:er.. (Score:2)
Re:Could be much worse (Score:2)
You need to see drivers too (Score:2)
With NT, you can hit ctrl-alt-delete and look at the processes. With *nix, you can do "ps".
But really you need a list of all the drivers that are active on the system, and on a modern OS there will be lots of them.
This is particularly pertinent to something like Linux because anything that's installed as a driver runs in the kernel and can basically do anything it wants. Are there even any user id boundaries for a driver, or does a driver effectively have root privileges?
Really what you'd have to do is make a list of what is there when you get the system configured the way you like and then monitor for changes to this list.
BTW - a common security hole in a lot of Linux installations is that you should have all the kernel source owned by root and do the compile while logged in as root (don't run X as root - su in a shell window). That way no one can tamper with your modules.
If you build your modules as an ordinary user and install them, there's more of a possibility someone could overwrite them with a crack.
Michael D. Crawford
GoingWare Inc
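The baseline-and-monitor idea from the comment above, as an added example (not part of the original post): record the loaded kernel modules once the system is configured, report drift later, and list module files that someone other than the owner could overwrite. It assumes Linux's `/proc/modules` format; the function names, the sample snapshots and the `kbdtap` module name are constructed for illustration.

```shell
#!/bin/sh
# Added example: baseline the loaded kernel modules and report changes.
# /proc/modules lines look like: name size refcount deps state address

# Print the sorted, unique module names from a /proc/modules-style file.
module_names() {
    awk 'NF { print $1 }' "${1:-/proc/modules}" | LC_ALL=C sort -u
}

# save_baseline BASELINE_FILE [MODULES_FILE]
# Record the current module list once the system is set up as intended.
save_baseline() {
    module_names "${2:-/proc/modules}" > "$1"
}

# module_drift BASELINE_FILE [MODULES_FILE]
# Print "ADDED name" / "REMOVED name" for every difference; no output
# means the loaded set still matches the baseline.
module_drift() {
    cur=$(mktemp) || return 2
    module_names "${2:-/proc/modules}" > "$cur"
    # comm -13: lines only in the current list; comm -23: only in baseline.
    LC_ALL=C comm -13 "$1" "$cur" | sed 's/^/ADDED /'
    LC_ALL=C comm -23 "$1" "$cur" | sed 's/^/REMOVED /'
    rm -f "$cur"
}

# loose_module_files MODULE_DIR [EXPECTED_OWNER]
# List module files not owned by the expected owner (default root) or
# writable by group or others, i.e. files that could be overwritten.
loose_module_files() {
    find "$1" -type f -name '*.ko*' \
        \( ! -user "${2:-root}" -o -perm -020 -o -perm -002 \) |
        LC_ALL=C sort
}

# Demo on constructed snapshots (not taken from a real machine).
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/before" <<'EOF'
e1000 151552 0 - Live 0x0000000000000000
psmouse 184320 0 - Live 0x0000000000000000
ext4 983040 1 - Live 0x0000000000000000
EOF
    cat > "$d/after" <<'EOF'
e1000 151552 0 - Live 0x0000000000000000
ext4 983040 1 - Live 0x0000000000000000
kbdtap 16384 0 - Live 0x0000000000000000 (OE)
EOF
    save_baseline "$d/baseline" "$d/before"
    module_drift "$d/baseline" "$d/after"
    rm -rf "$d"
}

# Usage: script baseline FILE | script check FILE | script (runs the demo)
case "${1:-demo}" in
    baseline) save_baseline "$2" ;;
    check)    module_drift "$2" ;;
    demo)     demo ;;
esac
```

A baseline kept on the same disk can be edited by whoever changes the module list, so store it on read-only or removable media.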
Re:A real judge would ask (Score:2)
Think about it this way - if we have a conversation about poisons, and you know I am trying to get back at someone, you might assume that I intend on poisoning this person. But what if I am an author, and I need information about poison to make my book realistic? Or if I am researching for a thesis on the subject? Or if I am just interested in the subject?
Conspiracy should never be a charge without a hell of a lot of evidence that the crime was, indeed, about to take place. And if a crime takes place, that should be what is prosecuted. Conspiracy charges are another way to suspend liberties.
Re:Get worked up! (Score:2)
No, this is a game where the federal authorities get annoyed that you aren't doing anything wrong, so they find something unrelated to charge you with to justify their effort. Read the Hacker Crackdown (e-text is available online for free, and dead-tree-text is still in print AFAIK) if you want an extensive brief summary.
Re:er.. (Score:2)
eg1 )
FBI wants a search warrant. They tell the judge the current situation that Mr. S. Kiddie was found talking about hacking utils that were used in some major
How is this different from being suspected to have a gun that matches the description / make of the one that shot some guy? This person probably linked somewhat to the case, say, a neighbour or friend of the family? How, from a judge's perspective, is this different from having the weapon "cracking util", and the link to the case "being one of those pesky internet hackers".
When a judge applies his knowledge and the constitution to something that was completely foreign during the time of its conception, there are bound to be discrepancies here or there. It's simply just another situation where law is being misapplied to something that it was never thought to be under the jurisdiction at the time.
(excuse me bad speling plus gramar)
Why they need your keystrokes (Score:2)
The FBI could obtain a search warrant for his computer and email messages, but this would only get them the encrypted messages, and the encrypted version of his decryption key.
The ability to "wiretap" his keyboard is the only way (short of torture, or taking several years to brute force the key) to obtain the "passphrase" that unlocks his encryption key, turning all of that meaningless random data into human-readable incriminating evidence.
Personally, I tear apart my PC every week or so (not solely from paranoia), and I think I'd notice any extra little boxes on the keyboard port.
Between that and keeping the machine in my hidden copper mesh closet with filtered DC-power and fiber-optic ethernet under 24-hour guard by a specially bred pack of mute doberman attack dogs, I'd say I'm fairly safe.
Just remember- always ground your faraday cage to a cold water pipe!
Nah (Score:2)
Chances are they will enter the premises when you aren't looking and either add some sort of transmitting dongle, or put the program on that way.
Another reason to use linux really... it would require them to actually break in. They would have to break into root to actually hide anything. (of course if they bring it up off a floppy - how will you know that it wasn't a power failure or failing power supply that brought it down and ruined the uptime?)
Of course, no one bothers to look but - you would be able to see a dongle. (Unless it was internal - which might require shutting the machine down anyway (my case can't be opened without unplugging it - due to power cord/desk arrangement)
-Steve
Re:Keystroke taps get EVERY keystroke, even pre-^H (Score:2)
Re:Calm Down! (Score:2)
I'm not trying to say that FBI having the ability to monitor people's keystrokes is a bad thing though. It is only a minor expansion to its already existing powers, most of which are in my opinion, necessary.
It is however, dangerous to use this type of thinking when deciding on an issue like letting someone take away people's rights.
How incriminating can my keystrokes really be? (Score:2)
-gerbik
What else is running? (Score:2)
Re:Get worked up! (Score:2)
Re:Get worked up! (Score:2)
Are you saying you've never done anything illegal?
Re:Why they need your keystrokes (Score:2)
Re:Calm Down (no, I WILL NOT sign my rights away) (Score:2)
the old excuse of 'it's for the good of all that we sacrifice some personal rights' just doesn't cut it. it's the lamest one out there. don't accept it.
and besides, what have {mob bosses, terrorists, and child pornographers} ever done to YOU? personally, I'd trust these guys over the FBI any day.. at least they're up front and will tell you exactly what they want and how they're gonna get it. not quite so with the ultra-squirmy and above-the-law MenInBlack..
--
Re:Get worked up! (Score:2)
whew - I think I need to stop reading slashdot in the early AM hours. I could have sworn that you said:
put into prison, INTERNET camps...
actually, an INTERNET CAMP sounds kinda fun. maybe I'm just a no-life geek. yeah, that's it.
--
Re:Calm Down! (Score:2)
Totally agreed. The FBI clearly explains they want the warrant to get the guy's password, not so they can read his love notes. This is no different than the FBI drilling the lock to a safety deposit box with a search warrant, if you ask me.
Which brings me to my next point:
>Which is more important..
That is wrong, IMHO. For the same reasons it is wrong for an FBI agent to abuse his power to check out the family jewels in my safety deposit box for his amusement. Search warrants aren't to spy on items that make no litigious sense (and a shopping list is not good evidence unless it includes copious amounts of fertilizer and gasoline). They are to gather evidence against serious criminals.
I think there's a fine line between protection and spying. Breaking the law defines that line.
Just my 2 cents.
Re:Get worked up! (Score:2)
In that case, you will support open ballots for all future elections? We can have everybody sign, date and address their ballot, then, if there is any question as to their intent, we can just call them up and ask them how they voted. And anyone who wants to know how anyone else voted can just request copies of the ballots through the freedom of information act.
Re:Get worked up! (Score:2)
Unfortunately, the real world doesn't work like that. It took the WTO protests to make it clear that vocal opposition to globalisation was not sufficient grounds to label you a probable terrorist and have your home invaded.
Protesters aren't a good example in that a lot of people hate them with a vengeance and think they deserve to have their rights violated, but protesters are a good example in that they so clearly do have something to fear while often clearly having nothing to hide.
Re:The one problem with this. (Score:2)
"And finally Your Honour, we present as evidence the defendant's key, obtained from his home by the FBI" and now on public record.
If the MPAA's elite pack of lawyers can f*ck this one up (deCSS), I'm sure the FBI can manage it routinely
Re:Calm Down! (Score:2)
Of course it is. Look at the old Soviet Union. The Soviets prided themselves on having cities that were safe enough for women to walk around alone at night.
I think the police should have the right to enter your property at any time they see fit without a court order. That way we can rid this country of drugs, child pornography, weapons, "subversive" materials. After all, you shouldn't have anything to worry about if you haven't committed a crime.
Re:Calm Down! (Score:2)
Had you bothered to read the article, you would have noticed that it spent several paragraphs explaining that the FBI only had a search warrant. Furthermore, it explains that a traditional wiretap order requires a higher degree of approval (both the attorney general and the court) than a search warrant. In short, they bugged his computer when they would've been overstepping their legal authority to bug his phone.
Hold on- I've cracked it! (Score:2)
"killall netscape" perhaps
How this seems to read to me.... (Score:2)
FBI request : There's this bad mafia guy. We've got reasonable proof that he's doing Bad Things (tm). Instead of a phone tap, we'd like to do a computer tap to collect enough information to get him.
Court order : Yup, he's bad. Go get 'em.
That doesn't seem too crazy. What seems almost silly is that they ask for permission to install software, HARDWARE, and FIRMWARE?!?! Ok, anyone who can't tell well enough that someone has been messing around with their boxen physically and put in new hardware shouldn't consider themselves very sneaky and needs to get out of the Bad Things (tm) business. I mean it's like coming home and having a new random ceiling fan appear in your living room with a silver orb in the middle instead of a light globe (think mall security) and a mic for a pull cord. Duh!
As long as the FBI still have to get court orders that need to show reasonable proof you're doing something bad, I don't see privacy issues getting too bad. It's just when they're allowed to have manufacturers install hardware to transmit everything you do to a data base to try and filter out what illegal activity might be going on (be wary, those adopting wireless LANs) that I'll get somewhat worried.
Wire Tapping vs. Key Stroke Monitoring (Score:2)
I think that keystroke monitoring needs to be at least as protected as wire-tapping by laws.
Well now, this is interesting... (Score:2)
Re:Calm Down! (Score:2)
What's more, I saw some very interesting statistics just the other day (Of course, I can't find the link now!), that showed a very dramatic reduction in certain types of violent crimes that began shortly after Hoover took charge, and ended again just as he left. So, it's pretty clear that in the end, government nosiness is a good thing. Think about it.
--
Re:Get worked up! (Score:2)
--
Re:Calm Down! -- Carnivore & Other FBI Stories (Score:3)
"notable for its lack of evidence" [washington...center.org]
"a secret court made up of anonymous judges" [mediafilter.org]
"secret permission can be obtained to break in and tape conversations without Fourth Amendment guarantees" [shepherd-express.com]
In this example, the FBI had a court order -- a secret court order -- giving them every right to tap these guys' lives.
Your slippery slope argument of total anarchy resulting from the FBI not being allowed to invade the privacy of U.S. citizens is ridiculous.
I am a lot more concerned about the FBI reading my personal files and deciding I'm a criminal and the consequences of that than any "mafioso", child pornographer, or terrorist. Unlike the latter group of "criminal" elements, the FBI is actually in a position of power such that it can destroy my life if the FBI so chooses.
Yes there is a law about your private conversation (Score:3)
Amendment IX
The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.
I can secure my papers against unreasonable searches and seizures. Email is just modern paper. If I send it to my brother I can secure it.
Not all rights are mentioned in the bill of rights, as the document specifically allows, which are despite not the lack of mention still retained by the people. Thus the right to private conversation, or for that matter privacy itself is still a right even if not mentioned.
The US government is not given right to take away those rights.
Hey... (Score:3)
What bothers me is that the FBI doesn't seem to want to have to bother with warrants. They want to be able to just tap at will (as evidenced by previous attempts at laws to get the ability to search without a warrant), and that's just plain wrong. They've forgotten that there are more important aspects to the law than enforcing it; the law is there to protect the people from others... including law enforcement.
----------
There Has To Be A Way (Score:3)
Just a thought. Maybe it's a dumb one.
---
seumas.com
High tech? (Score:3)
If this guy really was a Mafioso and didn't realize this kind of thing was possible the Mafia really need to hire somebody who knows the fundamentals of information security. My hourly rates are reasonable, and I'll take payment in the Cayman Islands if it suits :)
Re:Get worked up! (Score:3)
Wrong way around, if you haven't done anything illegal then the state has no business snooping in the first place.
The idea that given the power the state will only harass criminals has been proven time and time again to be nonsense. Indeed criminals are typically way down the list...
You missed the lesson on protection (Score:3)
Real lesson: if you want your data protected, don't put it in a computer.
Putting a flash-based keystroke recorder into any detached keyboard would be a relatively simple matter; you get power and data directly from the cable and stash the data on the card. You could send the data to an external device using something like Bluetooth. If it was done to your keyboard, how would you detect it? Do you have seals on the case and examine them every day? I sure don't.
I think the lesson here is actually one of guarded optimism: breaking PGP is still beyond the FBI, so they have to use physical intrusion to get access to the keys. This burden makes it utterly impossible to perform fishing expeditions on encrypted e-mail or computers in general (Van Eck/Tempest monitoring notwithstanding). I feel a whole lot better about this than I do about things such as Carnivore.
"
/ \ ASCII ribbon against e-mail
\ / in HTML and M$ proprietary formats.
X
/ \
Journal Files in VAX/VMS Editor; Word Fast Save (Score:3)
If the machine went down or you got disconnected without saving, you could replay the journal file to recover your edits.
The cool thing was that this worked by literally replaying your keystrokes back into the editor, so you got to see your edit session happen over again at high speed.
So I quickly found I could make zippy little ASCII animations by laboriously editing out frame after frame of the pictures in an animation and then turning the terminal off when I was done. Turn the terminal on, log in, and replay the journal! Better than animated GIFs! Kids these days...
Much to the chagrin of many people who thought they had kept something a secret, Microsoft Word does this too, with its "Fast Save" - it just saves deltas of each edit, rather than the whole file each time you save. It just does the replay in memory when it opens the file, but it is possible to see the changes, not just with a low-level editor but with Word itself.
From The Forum on Risks to the Public in Computers and Related Systems: [ncl.ac.uk]
Michael D. Crawford
GoingWare Inc
Yes... (Score:3)
That, plus a Linux box that can only be booted from a floppy that you have on you at all times, plus some encrypted file systems that you unmount religiously when you're not using them would be a pretty tough nut to crack.
Re:Calm Down! (My Shopping List) (Score:3)
kitchen timer
matches
flashbulbs
batteries
kerosene
glass bottles (emptied milk or juice bottles will do)
tubing
several feet of wiring
anarchist's cookbook
(Begin Rant)Whether these things are for a science project or some nut with half a brain it is their right to WRITE IT in private without some other nut with the other half of the brain breaking the door down when a VegiOmniCarniWhateverBot starts blaring "Danger Will Robinson, Danger Will Robinson!"(End Rant)
The Public Key Keyboard (Score:3)
When I read stories such as this one, a saying common in the security industry immediately comes to mind:
If the "attacker" (in this case, the FBI) can obtain physical access to your system, just about any protection can be broken. Perhaps with a laptop that you keep on your person at all times, you might be able to feel secure, assuming you can trust the operating system, the laptop manufacturer, the CPU and auxiliary chip production plants, and the original chip designers.
Stare too long into the abyss of paranoia, and the abyss starts to stare back...
Re:Calm Down! (Score:3)
How much longer before they follow the lead of the U.K. and have the ability to imprison me for refusing to provide my cryptographic key?
Where does the 4th amendment end and the 5th amendment begin?
Bug detector, court misinterpretation (Score:3)
On to my second, completely different point. There are three ways for the government to retrieve the information stored in the bug.
1. Leave it in the computer and retrieve it later with a search warrant. They did not seem to do this, although it may have been the best idea for them. One problem with this method would be if the bug detector was discovered in any way, they would have no data at all, rather than just a halt in the stream. Also, he may destroy the computer upon getting searched (a more likely problem).
2. Broadcast it over the Internet. Not likely at all. If this guy was "computer literate" as the article says, he would be monitoring all ports into and out of his system, and would almost have to be using NT, Linux or a BSD (to support encrypted filesystems, unless he went with the whole route of no-swap (info is never stored on disk), which I'm not sure can be implemented in windows 9x). So this would be a dumb method, too.
3. Radio. They can send the information out over radio waves. This would allow for a stream of information that would still be evidence even if it were interrupted. The thing with this is that what kind of organized crime don does not use a bug detector?!? They are not expensive, and monitor almost all frequencies commonly used by bugs. The only way around this would be burst transmission, which the article does hint at.
To top it off, you can't think a computer is unbugged unless it never leaves your side (or the side of someone you trust; trust is as necessary in this kind of security as in encryption). Oh well, this post will never get read because it is now at the bottom of a heap of posts, and moderators never browse newest first. Blah.
Re:You are naive. (Score:3)
Have you ever knowingly allowed someone to do any of these things, and therefore been guilty as a co-conspirator?
Now, assuming that you have done at least one of these things, should you have gone to jail? On the other hand, if you haven't done any of these things, and think you've never done anything illegal in your life (including knowingly allowing others to do illegal things), I'd like to hear from you.
Re:You are naive. (Score:3)
lessee...
# depmod -a
# modprobe \*
[dmesg] "unknown keyboard device found - driver not loaded. continuing."
aah - thanks linux! I knew you'd save my butt someday.
--
Re:Calm Down! (Score:3)
anybody, or protecting yourself from having some FBI bureaucrat reading over your shopping list?
I think that's kind of naive. Have you ever actually spoken to an innocent person who got f*cked over by people abusing their powers? A lot of the people doing this surveillance live in a twisted little paranoid world where they see guns in every shadow of innocent activity, and they sometimes act on these innocent things in ways that level-headed people wouldn't. And if the law doesn't protect you from such violation of rights, (which it often doesn't) you can kiss your way of life goodbye.
Sure, there are more criminals having their rights abused than there are innocent parties, and we all know that criminals are, like terrorists, 2d cardboard cutouts whose sole motivation in life is to hurt us and so we should hurt them back, but every erosion of privacy is individually justifiable. The problem is that the next thing you know, you'll have bad cops raking in the $$$ selling your business secrets to your competitors, your unlisted phone number to tele-marketers, your spending details to advertising consultants, and if you try to raise a fuss, they'll deny everything, stop you dead in your tracks with National Security, and you'll be a laughing stock in your community forever for making such paranoid wacko claims.
It's an exotic threat next to having a car drive into you on your way home from work tomorrow, and perhaps not as deserving of as much worry, but that doesn't mean we should just lie back and let it happen.
Abuse of power is real. Just because it hasn't happened to you doesn't mean it doesn't happen.
Re:(Not So) Easy Answer (Score:3)
I had that problem. An even bigger problem though was that all the cryptography programs and sites I found were aimed at advanced users who were already familiar with crypto. It was an impenetrable wall.
Perhaps I was looking in the wrong places, but someone needs to make an ultra-dumbed down installer that could let your grandmother start using crypto. Then we'll be getting somewhere.
Dedicated encryption unit (Score:3)
Cutting edge? (Score:3)
Calm Down! (Score:3)
If the FBI couldn't do things like this, they'd have no power to enforce the laws of this country, we'd have total anarchy, and having someone monitor your keystrokes would be the least of your problems!
So ask yourself, which is more important to you, seeing mob bosses, terrorists, and child pornographers get caught before they can hurt anybody, or protecting yourself from having some FBI bureaucrat reading over your shopping list?
--
Keystroke taps get EVERY keystroke, even pre-^H (Score:4)
You could type "I accept suitcases full of cash in exchange for contraband" at a random and inappropriate time, and it would be logged, even though your sentiment was not reflected in any saved file or communication.
Creepy, when you think about it. How many times have I thought better of saying something in chat or email, for fear of it being interpreted the wrong way, and erased it before sending? More than a few times, anyways. If my employer or my gov't had tapped those messages at the keystroke level, I might as well have sent them the moment I typed them. Ugh.
-Isaac
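The point made in the comment above, as an added example that is not part of the original thread: replaying a raw keystream shows that text erased with Backspace (^H) never reaches the sent message but is still present in a keystroke-level log. The keystream, the function names and the sample strings are constructed for illustration; nothing here captures real input.

```python
# Constructed sample only: models what a keyboard-level log contains
# versus what the application ends up holding after edits.
BACKSPACE = "\b"  # the Backspace key, i.e. ^H


def replay(keystream):
    """Replay raw key events; return (final_text, erased_fragments)."""
    buffer = []   # what the mail/chat window holds after all edits
    erased = []   # fragments that were typed and then deleted
    run = []      # characters removed by the current run of backspaces
    for key in keystream:
        if key == BACKSPACE:
            if buffer:                      # backspace on empty text is a no-op
                run.append(buffer.pop())
        else:
            if run:                         # a backspace run just ended
                erased.append("".join(reversed(run)))
                run = []
            buffer.append(key)
    if run:                                 # stream ended on a backspace run
        erased.append("".join(reversed(run)))
    return "".join(buffer), erased


def build_sample():
    """A constructed draft that the user thinks better of and retypes."""
    draft = "You idiot"
    final = "Thanks for the note"
    return list(draft) + [BACKSPACE] * len(draft) + list(final)


if __name__ == "__main__":
    stream = build_sample()
    sent, erased = replay(stream)
    print("message as sent:   ", repr(sent))
    print("erased before send:", erased)
    print("raw keys in the log:", len(stream))
```

A review of saved files or sent mail sees only the first return value; anything that records below the application sees the whole stream.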
This is GOOD news for crypto enthusiasts (Score:4)
Keep Your Laptop in a Safe, install tripwire (Score:4)
Research what laptop will run Linux real well.
Get some cash together and drive to a distant city and buy a laptop right off the store shelves. There won't be a chance for anyone to plant a bug in it.
Wipe the hard drive and install Linux on it. Install the Linux encrypting kernel [kerneli.org] and keep all your real files on an encrypted volume.
Install Tripwire [tripwire.org] on the machine - it verifies the integrity of important files to be sure they aren't patched.
Learn how to administrate your machine effectively. Always log in as a non-privileged user and never become root unless you really need to.
Learn about security and tighten down your machine. If you care about security on your laptop you're not going to be running a webserver but I bet a lot of you are running both Apache and SAMBA on a standalone user machine without even knowing it. The more services that are disabled the less anyone can screw with it, even on a non-networked machine.
Don't ever let the machine leave your sight. If you have to put it away, lock it in a safe. Do something to the safe that will enable you to tell if someone's blackbagged you - something like the trick of wedging a matchstick in your door when you leave, but something more concealed. If you find the matchstick on the ground when you return, someone's opened your door.
Best of all don't use a computer for anything of real importance. You can find out why you shouldn't by reading The Forum on Risks to the Public in Computers and Related Systems [ncl.ac.uk] for a while.
Michael D. Crawford
GoingWare Inc
You are naive. (Score:4)
Perhaps you hold political opinions that are unpopular with the current administration. Maybe you have your local mayor upset at you for campaigning against him last election. Maybe you are a journalist who has published stories that upset the FBI. Perhaps your ex-girlfriend has taken a job in the local field office.
Get the wrong people mad at you, and you too may find out that government agents have added some tiny components to your computer...
When the sources for your news stories are found dead from a "self inflicted" park in Washington
When you lose every project you bid on to competitors who underbid you by exactly 3%
When the conservative christian boss of your same-sex lover "somehow" gets a copy of your last mash note.
When somebody says "If you aren't guilty of any crimes, you have nothing to fear", remember it's not a question of whether you are guilty of crimes against the law, it's not a question of paranoia. The question is, have you committed a crime against somebody else's god, have you done anything that somebody else wishes was against the law, is there anybody who would benefit from hurting you?
If the answer is "yes" to any of the above, then you do have something to fear from this sort of "wiretap" activity.
So, whatsamatter with you? (Score:4)
The article missed one important point -- they were intercepting communications! Even though it's from keyboard to computer, it's still communications over a wire (unless via an IR port). If it's software instead of a hardware unit, it is still intercepting the keyboard messages as it gets passed through the message queue (and windows). And if it was not authorized, it would be a federal crime of unauthorized access to a computer.
Re:Calm Down! (Score:4)
Benjamin Franklin
"Those who would sacrifice liberty for safety deserve neither"
"Those who would sacrifice essential liberty for temporary safety deserve neither."
"Those that would sacrifice liberty to obtain a little temporary safety deserve neither liberty nor safety"
"Those who will sacrifice vigilance for liberty deserve neither."
"Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety."
"Those who would sacrifice liberty for security deserve neither liberty nor security."
Thomas Jefferson
"Those who would sacrifice Freedom to gain Security, will not have, nor do they deserve, either."
"Those who are willing to sacrifice freedom for safety, deserve neither."
"A man that would sacrifice his freedom for security deserves neither."
"Those who would sacrifice a little freedom in exchange for security will have neither."
So who actually said it? Drum Roll please...
Charles Louis de Secondat, the Baron of Montesquieu, or Montesquieu for short. In 1774, the ideological father of the Constitution wrote:
So you are all obviously a bunch of cunts. Love, Slashfucker
(Not So) Easy Answer (Score:5)
Of course, it's more difficult when 99 percent of the people you communicate with do not -- either because of lack of initiative, understanding or capability, use encryption and wouldn't know or care what to do with the encrypted information you send them.
---
seumas.com
Get worked up! (Score:5)
I think you're serious, so here's my answer: It is more important to me to protect myself from having FBI agents (not bureaucrats, agents) reading my shopping list, my political manifestos, my notes on how to protect myself from script kiddies (proof positive that I'm a hacker, after all), and my (probably) fictional account of Dubya and Jim Baker exchanging bodily fluids (not intended for publication).
The FBI has proven that it is not above using its power for political purposes.
If the FBI were not free to violate the 4th amendment, we wouldn't have anarchy -- we'd simply have a tolerable FBI. Do you really believe they'd have (your words) no power if they had to respect the 4th amendment?
Could be much worse (Score:5)
This isn't really any different than what the FBI goes through to put a tap on the telephone line. When they're going after organized crime, this sort of thing is both necessary and proper -- as long as it is governed by due process of law and nobody's privacy is needlessly invaded.
Please Read "Why You Should Use Encryption" (Score:5)
Why You Should Use Encryption [goingware.com]
In the article, I try to discuss in as approachable and as convincing a way as I can why everyone, even your mom, even your kids should use cryptography.
Michael D. Crawford
GoingWare Inc
I wrote Last Resort - keystroke monitor (Score:5)
It ran in only 8 kb of memory and we specifically advertised that it would capture:
Last Resort Programmer's edition will save menu key equivalents to aid testing and debugging and tech support. It helps you reconstruct the sequence of events before a crash.
And yes it would capture passwords but we had the option to pause it or disable it entirely.
I wrote the Mac version but it's available also for DOS and Windows (written by other guys).
Although we tried to make it very obvious when Last Resort was installed on a machine, we get occasional email from people asking how they can make it invisible. We don't tell them, but really if you want to make a hidden keystroke recorder it's pretty trivial.
Don't just worry about the FBI doing this to you - worry about your employer or loved ones. Not long after I shipped Last Resort, one of the editors of MacUser Magazine thanked me personally for it because he'd caught his girlfriend having an online affair - her hot and heavy emails were in his keystroke file.
He later wrote a novel that talked about a lot of software products with fictional names but that were obviously taken from real products. I'm proud to say that the faux-Last Resort saved the world in his novel.
Also I get occasional spam from companies selling keystroke recorders that aren't just invisible, but they encrypt the keystroke files and upload them to a location of your choice. They say this is meant for employee monitoring...
Such monitoring, by the way, has been held to be legal by the courts.
Michael D. Crawford
GoingWare Inc
Re:Get worked up! (Score:5)
Someone doesn't know his history very well. Every time this country has been in conflict with another country in the past 100 years or so, people with anti-government sentiments, or even people with backgrounds that might lead to anti-government sentiment have been rounded up and put into prison, internment camps, etc.
Witness the most recent example, internment camps for the Japanese and Italians during World War 2. This was the cause of a direct executive order! Or how about all the people arrested during WWI and the period right after for being communist. There was even a law passed by Congress saying they could! Look up the Alien and Sedition Acts.
So next time you just blindly assume that because we are in America, we actually have rights and crap, think a little harder.
PGP = probable cause? (Score:5)
FBI attorney: The suspect uses something called PGP, which prevents us from viewing his email and, combined with other evidence we have gathered while surveilling him, constitutes probable cause that he is using his computer for legal activity.
Judge: Okay, go get 'im.
Software does not equal intent. Not with PGP, not with Napster, etc.