FBI Bugs Keyboard of PGP-Using Alleged Mafioso

Sacrifice writes "The Philadelphia Inquirer reports on a criminal case which will challenge the authority of courts to permit FBI agents to surreptitiously plant keystroke-monitoring bugs, which are not regulated by current federal wiretap legislation. Also, David Sobel from EPIC notes that it is now a matter of record that the FBI can, and does, conduct surreptitious entries to counter the use of encryption (see FBI application for breakin and the court order granting permission)."

Re:Calm Down! -- Carnivore & Other FBI Stories

I don't think you are aware of the FBI's history with repect to monitoring its citizens. An example of recent events was shown on Monday night's 60 Minutes. [cbsnews.com] Two citizen's are in jail right now because of 24 hour FBI monitoring allowed by the law (when the law is misapplied). The FBI went to great lengths to misapply the law.

"notable for its lack of evidence" [washington...center.org]

"a secret court made up of anonymous judges" [mediafilter.org]

"secret permission can be obtained to break in and tape conversations without Fourth Amendment guarantees" [shepherd-express.com]

In this example, the FBI had a court order -- a secret court order -- giving them every right to tap these guys' lives.

Your slippery slope argument of total anarchy resulting from the FBI not being allowed to invade the privacy of U.S. citiznes is ridiculous.

I am a lot more concerned about the FBI reading my personal files and deciding I'm a criminal and the consequences of that than any "mafioso", child pornographer, or terrorist. Unlike the latter group of "criminal" elements, the FBI is actually in a position of power such that it can destroy my life if the FBI so chooses.

Yes there is a law about your prive conversation

Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Amendment IX
The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

Amendment X

The powers not delegated to the United States by the Constitution, nor prohibited by it to the states, are reserved to the states respectively, or to the people.

I can secure my papers against unreasonable searches and seizures. Email is just modern paper. If I send it to my brother I can secure it.

Not all rights are mentioned in the bill of rights, as the document specificly allows, which are despite not the lack of mention still retained by the people. Thus the right to private converstation, or for that matter privacy itself is still a right even if not mentioned.

The US goverment is not given right to take away those rights.

Hey...

If the FBI can get a warrant to bug a specific person's keyboard, I've got no problem. It's no different from any other kind of search.

What bothers me is that the FBI doesn't seem to want to have to bother with warrants. They want to be able to just tap at will (as evidenced by previous attempts at laws to get the ability to search without a warrant), and that's just plain wrong. They've forgotten that there are more important aspects to the law than enforcing it; the law is there to protect the people from others... including law enforcement.
----------

There Has To Be A Way

There has to be a way to implement some manner of encryption between the keyboard and the OS, in which the keyboard mapping is jumbled and re-constructed via a random mapping once it reaches the OS. I'm no hardware expert but I would think some sort of device could act as an interface which the keyboard plugs into. Add some software to the PC and there you go.

Just a thought. Maybe it's a dumb one.
---
seumas.com

High tech?

Anybody who knows *anything* about computer security (including reading the PGP documentation) should know this is possible.

If this guy really was a Mafioso and didn't realize this kind of thing was possible the Mafia really need to hire somebody who knows the fundamentals of information security. My hourly rates are reasonable, and I'll take payment in the Cayman Islands if it suits :)

Re:Get worked up!

If you haven't done anything illegal, you have nothing to hide.

Wrong way around, if you havn't done anything illegal then the state has no business snooping in the first place.
The idea that given the power the state will only herass criminals has been proven time and time again to be nonsense. Indeed criminals are typically way down the list...

You missed the lesson on protection

Meanwhile, protecting yourself from the keyboard monitor is trivial. Never type anything critical on a computer electrically connected to anything else. Need to communicate? Use sneakernet to carry a disk with the encrypted message to a computer that is connected.

I don't think you read the articles. The FBI put a keystroke monitor (which can potentially record 32M keystrokes) onto the subject's computer. The data were being tapped directly at his keyboard; avoiding any transmission outside the computer would have done nothing to prevent its interception.

Real lesson: if you want your data protected, don't put it in a computer.

Putting a flash-based keystroke recorder into any detached keyboard would be a relatively simple matter; you get power and data directly from the cable and stash the data on the card. You could send the data to an external device using something like Bluetooth. If it was done to your keyboard, how would you detect it? Do you have seals on the case and examine them every day? I sure don't.

I think the lesson here is actually one of guarded optimism: breaking PGP is still beyond the FBI, so they have to use physical intrusion to get access to the keys. This burden makes it utterly impossible to perform fishing expeditions on encrypted e-mail or computers in general (Van Eck/Tempest monitoring notwithstanding). I feel a whole lot better about this than I do about things such as Carnivore.
"
/ \ ASCII ribbon against e-mail
\ / in HTML and M$ proprietary formats.
X
/ \

Journal Files in VAX/VMS Editor; Word Fast Save

The VAX/VMS screen editor (what was it called?) would save a journal file that was a literal transcription of all your keystrokes, and a copy of the original file.

If the machine went down or you got disconnected without saving, you could replay the journal file to recover your edits.

The cool thing was that this worked by literally replaying your keystrokes back into the editor, so you got to see your edit session happen over again at high speed.

So I quickly found I could make zippy little ASCII animations by laboriously editing out frame after frame of the pictures in an animation and then turning the terminal off when I was done. Turn the terminal on, log in, and replay the journal! Better than animated GIFs! Kids these days... Much to the chagrin of many people who thought they had kept something a secret, Microsoft Word does this too, with its "Fast Save" - it just saves deltas of each edit, rather than the whole file each time you save. It just does the replay in memory when it opens the file, but it is possible to see the changes, not just with a low-level editor but with Word itself. From The Forum on Risks to the Public in Computers and Related Systems: [ncl.ac.uk]

The scary MSWord residue feature [ncl.ac.uk]

I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format. As I was showing it to my lawyer (who happens to be my wife), we decided to put our thoughts inline using the track changes feature of word. After selecting Tools, and Track Changes, we clicked on "Highlight changes in document" and voila, suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written. We got a good look at the previous version of the contract, as well as a bunch of comments and justifications that the lawyer wrote to his client. It was an eye opening experience.

It appears that instead of selecting "Accept all changes" before sending it to me, the other party to the contract simply turned off the highlighting to the track changes feature.

This is obviously a case of an unsophisticated person misusing a feature. However, it is very dangerous. Lawyers send word documents around all the time, and many of them do not really understand all the features that they use, nor should they have to. I imagine that I was not the first person to see some behind the scenes conversation in an important word document, that I was never intended to see.

Michael D. Crawford
GoingWare Inc

Yes...

They're already working on this technology... to allow the signal between your computer and your monitor and speakers to be encrypted. This is being done to protect media from pirating by you. It should be easy enough to adapt the same technology to work between your keyboard and your computer.

That, plus a Linux box that can only be booted from a floppy that you have on you at all times, plus some encrypted file systems that you unmount religiously when you're not using them would be a pretty tough nut to crack.

Re:Calm Down! (My Shopping List)

eggs

kitchen timer

matches

flashbulbs

batteries

kerosene

glass bottles(emptied milk or juice bottles will due)

tubing

several feet of wiring

anarchist's cookbook

(Begin Rant)Whether these things are for a science project or some nut with half a brain it is their right to WRITE IT in private without some other nut with the other half of the brain breaking the door down when a VegiOmniCarniWhateverBot starts blaring "Danger Will Robinson, Danger Will Robinson!"(End Rant)

The Public Key Keyboard

I'm not sure if it's a solution, but it certainly is possible to implement a cryptographic keyboard.

When I read stories such as this one, a saying common in the security industry immediately comes to mind:

Physical access trumps all.

If the "attacker" (in this case, the FBI) can obtain physical access to your system, just about any protection can be broken. Perhaps with a laptop that you keep on your person at all times, you might be able to feel secure, assuming you can trust the operating system, the laptop manufacturer, the CPU and auxillary chip production plants, and the original chip designers.

Stare too long into the abyss of paranoia, and the abyss starts to stare back...

Re:Calm Down!

If you use computer software with predominantly benign uses (i.e. PGP) to hide evidence of criminal activity, you run the risk of losing that sheild to whatever means the law enforcement community can leverage without crossing the line of legality.

Realize that law enforcement has always had rights to mitigate a citizen's privacy AS LONG AS DUE PROCESS HAS BEEN FOLLOWED. This is an inherent requirement to do their job, and, knowing the restrictions placed on them, I think that almost all of the time that ethic is upheld. (There will always be screw-ups, but those responsible are held to their actions.)

One interesting question is, how far can they go to "mitigate a citizen's privacy"? This case shows that they can go so far as to "bug" my keyboard to obtain my PGP passphrase.

How much longer before they follow the lead of the U.K. and have the ability to imprision me for refusing to provide my cryptographic key.

Where does the 4th amendment end and the 5th amendment begin?

Bug detector, court misinterpretation

First of all; some people on slashdot are saying that bugging the keyboard buffer constitutes a wiretap. After looking into it, I find that I agree. The only possible way of getting the information to the bug device is by tapping electronic wires, even though they are between the keyboard port and the motherboard rather than between houses. However, the court order spcifically allowed for using hardware and/or software means to surveil the computer. I think the only way to figh this would be to fight the court order, because a simple search warrant should not legally cover such surveillance. Let me restate that I think the FBI did act within the bounds of the law, just that I think the law as defined by the courts, but also that the law was misinterpretted by the courts.

On to my second, completely different point. There are three ways for the government to retrieve the information stored in the bug.

1. Leave it in the computer and retrieve it later with a search warrant. They did not seem to do this, although it may have been the best idea for them. One problem with this method would be if the bug detector was discovered in any way, they would have no data at all, rather than just a halt in the stream. Also, he may destroy the computer upon getting searched (a mor likely problem).

2. Broadcast it over the Internet. Not likely at all. If this guy was "computer literate" as the article says, he would be monitoring all ports into and out of his system, and would almost have to be using NT, Linux or a BSD (to support encrypted filesystems, unless he went with the whole route of no-swap (info is never stored on disk), which I'm not sure can be impleneted in windows 9x). So this would be a dumb methd, too. 3. Radio. They can send the information out over radio waves. This would allow for a stream of information that would still be evidence even if it were interrupted. The thing with this is that what kind of organized crime don does not use a bug detector?!? They are not expensive, and monitor almost all frequencies commonly used by bugs. The only way around this would be burts transmission, which the article does hint at.

To top it off, you can't think a computer is unbugged unless it never leaves your side (or the side of someone you trust; trust is as necessary in this kind of security as in encryption). Oh well, this post will never get read because it is now at the bottom of a heap of posts, and moderators never browse newest first. Blah.

Re:You are naive.

Besides, I bet there's not one person reading this who hasn't done anything illegal. Let's forget for a moment traffic offenses and focuse on criminal ones. Did you ever smoke before you were 18? Drink before you were 21? Use an illegal drug? Sneak into a movie theatre without paying? Eat a grape in the supermarket? Commit a drive-by shooting? Did you pay for Netscape after the trial period? How about Winzip? How about winamp, before AOL made it free? Do you own any mp3s that you haven't gotten permission from the copyright owner for? Ever make a copy of a videotape without permission from the copyright owner? Did you ever use RSA for commercial purposes (such as at work) before the patent expired without paying? Did you put in your real information when you obtained a licence to use Real Player? Ever participate in a super bowl pool? Ever install a copy of software you weren't legally licensed to install (including shareware after the trial period had expired)? Have you ever mutilated a U.S. coin? Do you report all items that you've bought over the internet or in another state but not paid sales tax on your state income tax? Have you ever fudged a number on any of your income taxes?

Have you ever knowingly allowed someone to do any of these things, and therefore been guilty as a co-conspiritor?

Now, assuming that you have done at least one of these things, should you have gone to jail? On the other hand, if you haven't done any of these things, and think you've never done anything illegal in your life (including knowingly allowing others to do illegal things), I'd like to hear from you.

Re:You are naive.

Get the wrong people mad at you, and you too may find out that government agents have added some tiny components to your computer...

lessee...

# depmod -a

# modprobe \*

[dmesg] "unknown keyboard device found - driver not loaded. continuing."

aah - thanks linux! I knew you'd save my butt someday.

--

Re:Calm Down!

So ask yourself, which is more important to you, seeing mob bosses, terrorists, and child pornographers get caught before they can hurt
anybody, or protecting yourself from having some FBI bureaucrat reading over your shopping list?

I think that's kind of naive. Have you ever actually spoken to an innocent person who got f*cked over by people abusing their powers? A lot of the people doing this surveillence live in a twisted little paranoid world where they see guns in every shadow of innocent activity, and they sometimes act on these innocent things in ways that level headed people wouldn't. And if the law doesn't protect you from such violation of rights, (which it often doesn't) you can kiss your way of life goodbye.

Sure, there are more criminals having their rights abused than there are innocent parties, and we all know that criminals are, like terrorists, 2d cardboard cutouts whose sole motivation in life is to hurt us and so we should hurt them back, but every erosion of privacy is individually justifiable. The problem is that the next thing you know, you'll have bad cops raking in the $$$ selling your business secrets to your competitors, your unlisted phone number to tele-marketers, your spending details to advertising consultants, and if you try to raise a fuss, they'll deny everything, stop you dead in your tracks with National Security, and you'll be a laughing stock in your community forever for making such paranoid wacko claims.

It's an exotic threat next to having a car drive into you on your way home from work tommorow, and perhaps not as deserving of as much worry, but that doesn't mean we should just lie back and let it happen.

Abuse of power is real. Just because it hasn't happened to you doesn't mean it doesn't happen.

Re:(Not So) Easy Answer

Of course, it's more difficult when 99 percent of the people you communicate with do not

I had that problem. And even bigger problem though was that all the cryptography programs and sites I found were aimed at advanced users who were already familiar with crypto. It was an inpenetrable wall.

Perhaps I was looking in the wrong places, but someone needs to make an ultra-dumbed down installer that could let your grandmother start using crypto. Then we'll be getting somewhere.

Dedicated encryption unit

Why not have a PDA-sized unit with PGP installed as firmware. You could keep your key on a flash-memory card in your wallet. The unit would never need to leave your person. Enter the plaintext, the unit encrypts it, upload the encrypted message your computer.

Cutting edge?

Since when is a microcontroller and a battery cutting edge? I want to know what about this keystroke recorder is so freakin' high tech that they can't even talk about it.

Calm Down!

Now, I know that a lot of people around here are going to go off and start screaming about having your rights violated, but the fact of the matter is that the FBI had a court order here! They had every right to tap this guy's computer.

If the FBI couldn't do things like this, they'd have no power to enforce the laws of this country, we'd have total anarchy, and having someone monitor your keystrokes would be the least of your problems!

So ask yourself, which is more important to you, seeing mob bosses, terrorists, and child pornographers get caught before they can hurt anybody, or protecting yourself from having some FBI bureaucrat reading over your shopping list?

--

Keystroke taps get EVERY keystroke, even pre-^H

Remember kids, your keystroke logger records EVERY keystroke. Typed out a phrase that might be a little too strong, but then thought better and erased it? Logged. No opportunity for revision, as soon as you press the key the FIRST time, the event is recorded, even if it was never saved to a file/sent in email/sent in chat.

You could type "I accept suitcases full of cash in exchange for contraband" at a random and inappropriate time, and it would be logged, even though your sentiment was not reflected in any saved file or communication.

Creepy, when you think about it. How many times have I thought better of saying something in chat or email, for fear of it being interpreted the wrong way, and erased it before sending? More than a few times, anyways. If my employer or my gov't had tapped those messages at the keystroke level, I might as well have sent them the moment I typed them. Ugh.

-Isaac

This is GOOD news for crypto enthusiasts

It seems to me that this tale shoots down the government's primary argument for trying to restrict the public's use of cryptography. Their battle cry has been "we must be given the crypto keys, otherwise we won't be able to conduct the sort of wiretaps we've gotten used to". But as this story demonstrates, they can still conduct wiretaps the same way they always have - by physically going out and tapping some wires. Bravo, FBI boys!

Keep Your Laptop in a Safe, install tripwire

Well here's some security tips for you.

Research what laptop will run Linux real well.

Get some cash together and drive to a distant city and buy a laptop right off the store shelves. There won't be a chance for anyone to plant a bug in it.

Wipe the hard drive and install Linux on it. Install the Linux encrypting kernel [kerneli.org] and keep all your real files on an encrypted volume.

Install Tripwire [tripwire.org] on the machine - it verifies the integrity of important files to be sure they aren't patched.

Learn how to administrate your machine effectively. Always log in as a non-priveliged user and never become root unless you really need to.

Learn about security and tighten down your machine. If you care about security on your laptop you're not going to be running a webserver but I bet a lot of you are running both Apache and SAMBA on a standalone user machine without even knowing it. The more services that are disabled the less anyone can screw with it, even on a non-networked machine.

Don't ever let the machine leave your sight. If you have to put it away, lock it in a safe. Do something to the safe that will enable you to tell if someone's blackbagged you - something like the trick of wedging a matchstick in your door when you leave, but something more concealed. If you find the matchstick on the ground when you return, someone's opened your door.

Best of all don't use a computer for anything of real importance. You can find out why you shouldn't by reading The Forum on Risks to the Public in Computers and Related Systems [ncl.ac.uk] for a while.

Michael D. Crawford
GoingWare Inc

You are naive.

It's not just a question of whether you have done anything illegal.

Perhaps you hold political opinions that are unpopular with the current administration. Maybe you have your local mayor upset at you for campaigning against him last election. Maybe you are a journalist who has published stories that upset the FBI. Perhaps your ex-girlfriend has taken a job in the local field office.

Get the wrong people mad at you, and you too may find out that government agents have added some tiny components to your computer...

When the sources for your news stories are found dead from a "self inflicted" park in Washington

When you lose every project you bid on to competitors who underbid you by exactly 3%

When the conservative christian boss of your same-sex lover "somehow" gets a copy of your last mash note.

When somebody says "If you aren't guilty of any crimes, you have nothing to fear", remember it's not question of whether you are guilty of crimes against the law, it's not a question of paranoia. The question is, have you committed a crime against somebody else's god, have you done anything that somebody else wishes was against the law, is there anybody who would benefit from hrting you?

If the answer is "yes" to any of the above, then you do have something to fear from this sort of "wiretap" activity.

So, whatsamatter with you?

As one person mentioned, a court order was done to permit this.

The article missed one important point -- they were intercepting communications!. Even though it's from keyboard to computer, it's still communications over a wire (unless via a IR port). If it's software instead of a hardware unit, it is still intercepting the keyboard messages as it gets passed through the message queue (and windows). And if it was not authorized, it would be a federal crime of unathorized access to a computer.

Re:Calm Down!

i hope you're not serious, because you mangled the FUCK out of that quote. There is a great deal of confusion about who said that quotation, and how. The main consensus is that it was either Ben Franklin or Thomas Jefferson. Here are a few examples from around the net of how people attribute that quote:

Benjamin Franklin
"Those who would sacrifice liberty for safety deserve neither"
"Those who would sacrifice essential liberty for temporary safety deserve neither."
"Those that would sacrifice liberty to obtain a little temporary safety deserve neither liberty nor safety"
"Those who will sacrifice vigilance for liberty deserve neither."
"Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety."
"Those who would sacrifice liberty for security deserve neither liberty nor security."

Thomas Jefferson
"Those who would sacrifice Freedom to gain Security, will not have, nor do they deserve, either."
"Those who are willing to sacrifice freedom for safety, deserve neither."
"A man that would sacrifice his freedom for security deserves neither."
"Those who would sacrifice a little freedom in exchange for security will have neither."

So who actually said it? Drum Roll please...

Charles Louis de Secundat, the Baron of Montesquieu, or Montesquieu for short. In 1774, the ideological father of the Constitution wrote:

"A man that would sacrifice his freedom for security deserves neither.
The God who gave us life gave us liberty at the same time." -Montesquieu, The Rights of British America

So you are all obviously a bunch of cunts.

Love,Slashfucker

(Not So) Easy Answer

Everyone should be using encryption for as much as they possibly can. When it is realized that 99.999 percent of decrypted information is fluff and noise, it'll be too much of an effort to process every bit of encrypted data. Otherwise, encrypting selectively is just like holding up a giant flag saying "read this!".

Of course, it's more difficult when 99 percent of the people you communicate with do not -- either because of lack of initiative, understanding or capability, use encryption and wouldn't know or care what to do with the encrypted information you send them.
---
seumas.com

Get worked up!

So ask yourself, which is more important to you, seeing mob bosses, terrorists, and child pornographers get caught before they can hurt anybody, or protecting yourself from having some FBI bureaucrat reading over your shopping list?

I think you're serious, so here's my answer: It is more important to me to protect myself from having FBI agents (not bureaucrats, agents) reading my shopping list, my political manifestos, my notes on how to protect myself from script kiddies (proof positive that I'm a hacker, after all), and my (probably) fictional account of Dubya and Jim Baker exchanging bodily fluids (not intended for publication).

The FBI has proven that it is not above using its power for political purposes.

If the FBI were not free to violate the 4th amendment, we wouldn't have anarchy -- we'd simply have a tolerable FBI. Do you really believe they'd have (your words) no power if they had to respect the 4th amendment?

Could be much worse

I'm far more comfortable with this sort of approach, where a single individual is monitored after law enforcement officials go through appropriate due process, than I could ever be with something like Carnivore which, with a slip of the configuration file, can indiscriminately intercept communications from anyone on the network.

This isn't really any different than what the FBI goes through to put a tap on the telephone line. When they're going after organized crime, this sort of thing is both necessary and proper -- as long as it is governed by due process of law and nobody's privacy is needlessly invaded.

Please Read "Why You Should Use Encryption"

While I guess this goes to show that it's not unbreakable (do you keep your laptop in a safe at night?) I think in general it gives good motivation for why you should read my page:

Why You Should Use Encryption [goingware.com]

In the article, I try to discuss in as approachable and as convincing a way as I can why everyone, even your mom, even your kids should use cryptography.

Michael D. Crawford
GoingWare Inc