Scarfo "keylogger", PGP

Peter Fairbrother peter.fairbrother at ntlworld.com
Mon Oct 15 14:16:03 EDT 2001


For those who haven't seen it, there is an affidavit from the FBI at

<http://www.epic.org/crypto/scarfo/murch_aff.pdf>  (ref from schneier)

about the "keylogger" system the FBI used. I put "keylogger" in quotes
because it's unclear if the "key" that's being logged is a keystroke or an
encryption key - probably both.

This is a very tricksy document; I have studied it hard and I'm still not
sure what it says. However:

(background: the FBI couldn't intercept his email with the warrant they had,
so they couldn't use an ordinary keylogger)

There were at least two "components" to the "keylogger" the FBI planted on
Scarfo's computer. One was a "keystroke capture component" that couldn't
record keystrokes when the modem was operating (there are hints that another
"component", perhaps the one below, could record keystrokes entered into a
window that was not using the modem when the modem was in use by another
window). This doesn't seem to have recorded much, anything useful, or
anything that looks like language, and it was probably meant to capture key
material used by crypto programs other than PGP, which was the main target.

Could be hardware, but it "checked the status of each communication port" at
every keystroke before recording it, so I doubt it. Then again, a software
port scan at every keystroke might noticeably degrade performance. One
puzzle is that if the ports reported inactivity then all keystrokes were
recorded. I don't know about Scarfo, but I usually write email when
disconnected to keep the phone bills down; there weren't any emails in the
log presented to the Court, and the "keylogger" was in place for at least 14
days.



The other and more worrying "component" picked up the PGP key Scarfo used -
his father's prison number! - and virtually nothing else. It didn't capture
keystrokes. Almost certainly it detected and captured only the PGP logon
when the enter key was pressed, and it is almost certainly software. I don't
know if Scarfo entered his PGP key more than once but apparently it only
recorded it once. The PGP key information was at the end of the output
presented to the Court so it may have stopped operation then, but the
"keystroke capture component" should have continued to work if the overall
design was good.

Could it be remotely installed? Is this a serious security failure in PGP?
The recent announcement by NA that they are looking for a buyer for PGP, at
a time when its value would be low anyway following the WTC attacks, may be
relevant...


-- Peter Fairbrother




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
