Scarfo "keylogger", PGP

Arnold G. Reinhold reinhold at world.std.com
Tue Oct 16 09:14:42 EDT 2001


At 12:09 AM +0000 10/16/2001, David Wagner wrote:
>It seems the FBI hopes the law will make a distinction between software
>that talks directly to the modem and software that doesn't.  They note
>that PGP falls into the latter category, and thus -- they argue -- they
>should be permitted to snoop on PGP without needing a wiretap warrant.
>
>However, if you're using PGP to encrypt email before sending, this
>reasoning sounds a little hard to swallow.  It's hard to see how such a
>use of PGP could be differentiated from use of a mail client; neither
>of them talk directly to the modem, but both are indirectly a part of
>the communications path.  Maybe there's something I'm missing.

Reading between the lines, I think the FBI is taking the position 
that e-mail stored on your computer, either before or after you send 
it, is a business record and not an electronic communication. Thus 
they would also claim the right to key-log a mail client when it was 
off line under the authority of just a search warrant, without a wire 
tap order. In effect, they seem to be claiming that only instant 
messaging is protected under anti-wiretapping laws.

>
>If you're using PGP to encrypt stored data only, though, then I can
>see how one might be able to make a case that use of PGP should be
>distinguished from use of a mail client.
>
>Does anyone know what PGP was used for in this case?  Was it used only
>for encrypting stored data, or was it also used from time to time for
>encrypting communications?
>

Press reports said PGP was used to encrypt gambling records. The 
defense challenged the keylogging on the grounds that it must have 
intercepted electronic communications as well, and therefore went 
beyond the authority of the FBI's search warrant.

It also seems that the FBI used two separate tools on Scarfo's computer:

1. an only-when-the-modem's-off key logger

2. a tool to capture the passphrase when it was entered into the PGP 
dialog box.

One way to create the latter tool is to simply use the PGP source 
code to make a doctored version of PGP that saves the passphrase in a 
hidden file or even e-mails it and the secret key to a special 
address. This possibility suggests that it is a mistake to include 
the full PGP version number in plaintext, as is done in the present 
PGP message format. Doing so allows any attacker to prepare a 
doctored program that matches the target's version in advance, 
reducing the number of surreptitious entries needed. This may not 
matter much to the FBI (which apparently made five entries in this 
case) but could be significant to an attacker with fewer resources, 
e.g. a terrorist cell.

Transmitting the software version en clair may also help in creating a 
capture tool that knows where keying information is stored in memory. 
If there is a need to alert the receiving program as to the format of 
the encrypted message, a message format code should be used, not the 
software version number.


Arnold Reinhold
(who is not a lawyer)



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
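The version leak Reinhold describes lives in the "Version:" line of the ASCII-armor header, which sits outside the radix-64 body and is covered neither by the CRC-24 nor by any signature. The following Python script is an added illustration, not code from the original post or from PGP: it builds an armored block in the RFC 2440 layout (header line, armor headers, blank line, base64 body, "=" plus CRC-24, tail line), parses one back, reports the leaked software version, and re-emits the same payload without that header. The sample payload is constructed placeholder bytes, not real OpenPGP packets, so only the armor framing is exercised.

```python
import base64
import re

# CRC-24 constants from RFC 2440 section 6.1.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Radix-64 checksum as specified for OpenPGP armor."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, headers: dict, block_type: str = "PGP MESSAGE") -> str:
    """Build an ASCII-armor block: BEGIN line, 'Key: Value' armor headers,
    blank line, base64 body in 64-column lines, '=' + CRC-24, END line."""
    lines = [f"-----BEGIN {block_type}-----"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    lines.append("")
    b64 = base64.b64encode(payload).decode()
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode())
    lines.append(f"-----END {block_type}-----")
    return "\n".join(lines) + "\n"


def parse_armor(text: str):
    """Return (block_type, headers, payload, crc_ok).

    The armor headers are plaintext metadata outside the protected body;
    nothing here verifies a signature, only the radix-64 checksum."""
    lines = text.strip().splitlines()
    m = re.fullmatch(r"-----BEGIN (.+)-----", lines[0])
    if not m:
        raise ValueError("not an armored block")
    block_type = m.group(1)
    headers = {}
    i = 1
    while lines[i] != "":            # headers run until the blank line
        key, _, value = lines[i].partition(": ")
        headers[key] = value
        i += 1
    body, crc_line = [], None
    for line in lines[i + 1:]:
        if line.startswith("="):     # '=' introduces the CRC-24 line
            crc_line = line[1:]
        elif line.startswith("-----END"):
            break
        else:
            body.append(line)
    payload = base64.b64decode("".join(body))
    crc_ok = (crc_line is not None and
              int.from_bytes(base64.b64decode(crc_line), "big") == crc24(payload))
    return block_type, headers, payload, crc_ok


def leaked_version(text: str):
    """The 'Version:' armor header names the sender's software release,
    which is exactly what an attacker preparing a doctored build wants."""
    return parse_armor(text)[1].get("Version")


def strip_version(text: str) -> str:
    """Re-armor the identical payload without the Version header. Because the
    header is outside the body and the CRC, the message itself is unchanged."""
    block_type, headers, payload, _ = parse_armor(text)
    kept = {k: v for k, v in headers.items() if k != "Version"}
    return armor(payload, kept, block_type)


# Constructed sample: placeholder bytes, not real OpenPGP packets.
SAMPLE = armor(b"not real ciphertext, only armor framing matters here",
               {"Version": "PGP 6.5.8", "Comment": "constructed sample"})

if __name__ == "__main__":
    print("leaked version:", leaked_version(SAMPLE))
    print(strip_version(SAMPLE))
```

Stripping the header is a sender-side mitigation only; the version number also appears in other places a receiving program does not need it, and the format question Reinhold raises (a message format code instead of a software version) is a change to the specification, not something a user can fix by editing armor lines.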




More information about the cryptography mailing list