Scarfo "keylogger", PGP

Peter Fairbrother peter.fairbrother at ntlworld.com
Mon Oct 15 19:44:34 EDT 2001


The order is available on the epic site (copy sent privately). I don't think
the cleanliness of the collected data is relevant, as all they wanted was the
PGP key, which either works or doesn't; they got the encrypted files when
they examined the computer beforehand and/or seized it afterwards.

I do think they have probably gone too far and captured email, at least when
it was being composed, even if they didn't intercept it in transmission. The
order relates to business records but not email, whose seizure the order
does not permit (a different type of order is needed for email). Pretty
silly imho as they didn't need to install the "keystroke capture component"
at all.

-- Peter Fairbrother

> Rick Smith at Secure Computing wrote:

> Stripping off the precise legal language, this looks like a software
> keystroke logger that was carefully crafted to collect a PGP passphrase
> while collecting as little other data as possible. Collecting evidence is
> tricky business. You have to collect exactly the information you need, but
> you mustn't collect any information you aren't authorized to collect. If
> you do, then you can't use the information you have. Moreover, you need to
> be able to show that the evidence is 'clean' and hasn't been tampered with.
> This makes it very tricky when you're trying to collect computer
> information that's intended to be used as evidence in legal proceedings.
> 
> Without actually seeing the warrant used to authorize the keystroke
> capture, it's hard to tell what was really going on. But it seems
> reasonable to speculate that the keystroke monitor was carefully configured
> to comply with the letter of the warrant issued to the FBI to implant the
> keystroke logger. If they collect too much data under the warrant, the
> defense attorney might be able to block the use of the logs as evidence by
> arguing that the FBI didn't comply with the warrant.
> 
> I suspect that the "components" of the logger are software modules that are
> included and/or configured according to the types of data that the FBI has
> a warrant to collect.
> 
> Regarding all this, Peter Fairbrother wrote:
> 
>> The other and more worrying "component" picked up the PGP key Scarfo used -
>> his father's prison number!
> 
> I found Scarfo's choice of password rather amusing, since it shows that a
> personally tailored dictionary attack would have worked as well as the
> keystroke logging, and probably wouldn't have taken as long (14 days).
> 
>> I don't
>> know if Scarfo entered his PGP key more than once but apparently it only
>> recorded it once. The PGP key information was at the end of the output
>> presented to the Court so it may have stopped operation then, but the
>> "keystroke capture component" should have continued to work if the overall
>> design was good.
> 
> If my speculations about the warrant are correct, the logger may have shut
> itself down just to reduce the risk of intercepting anything that might
> have violated the letter of the warrant.
> 
>> Could it be remotely installed?
> 
> If someone manages to install Back Orifice (or its latest incarnation) on
> the victim's computer, then it's possible to remotely command Back Orifice
> to install keystroke logging software. However, the remote approach isn't
> 100% guaranteed to work, and Scarfo might have detected the installation
> activity or the presence of Back Orifice.
> 
>> Is this a serious security failure in PGP?
> 
> No, it's a problem with any programmable computer. If you can install new
> programs, you can install changes to existing programs. Since the FBI snuck
> into Scarfo's house and had physical access to his computer, they could
> install or patch the Windows OS, or PGP, or anything else on the computer
> however they wanted. The only limitation on their actions was that they
> didn't want to change anything Scarfo might detect.
> 
> 
> Rick.
> smith at securecomputing.com            roseville, minnesota
> "Authentication" in bookstores http://www.visi.com/crypto/
> 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com