Re: IBM Uses Keystroke-monitoring in NJ Mob Case (was Re: BNA's Internet Law News (ILN) - 12/5/00)
Mr. May:

> Frankly, the PGP community veered off the track toward crapola about standards, escrow, etc., instead of concentrating on the core issues. PGP as text is a solved problem. The rest of the story is to ensure that pass phrases and keys are not black-bagged. Forget fancy GUIs, forget standards...concentrate on the real threat model.

What is the real threat model? Everybody has different worries. I'm not a bookie, I don't do work for the mob, I don't spend more than I earn. My biggest threat is (1) financial (stolen credit card numbers, or other form of credential fraud) (2) political--that comments here and other places get me on the list of "People To Take Care Of Later".

The first threat can be dealt with by "cheap" crypto deployed everywhere--to co-opt one of RAH's phrases--a "geodesically encrypted network". A network where every single stinking bit on the wire is encrypted at as many layers as possible, even with "10 cent" crypto, will virtually eliminate (by making it more expensive) many of the low level financial threats. Yes, big banks and large financial institutions need stronger crypto, but they can multiple-encrypt, write their own protocols, etc.

The second threat would be made much harder by the encrypt-everything-all-the-time type of network, if I weren't so thick headed as to insist on using my Real Name. This is presumably what the "PGP Community" veered off towards. Unfortunately, they've done a half-assed job so far.

-- 
A quote from Petro's Archives:
** "Despite almost every experience I've ever had with federal authority, I keep imagining its competence." -- John Perry Barlow
Re: IBM Uses Keystroke-monitoring in NJ Mob Case (was Re: BNA's Internet Law News (ILN) - 12/5/00)
At 2:37 PM -0500 on 12/5/00, Steven M. Bellovin wrote:

> Very interesting, but what does IBM have to do with the case? Did you mean to type "FBI"?

Absolutely. God knows why I did it...

Cheers,
RAH

-- 
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: IBM Uses Keystroke-monitoring in NJ Mob Case (was Re: BNA's Internet Law News (ILN) - 12/5/00)
(dcsb and cryptography and other closed lists removed, for obvious reasons)

At 4:52 PM -0500 12/5/00, R. A. Hettinga wrote:

> Date: Tue, 05 Dec 2000 08:47:20 -0800
> From: Somebody
> To: "R. A. Hettinga" [EMAIL PROTECTED]
> Subject: Re: IBM Uses Keystroke-monitoring in NJ Mob Case (was Re: BNA's Internet Law News (ILN) - 12/5/00)
>
> An instructive case. Apparently they used the keystroke monitoring to obtain the pgp passphrase, which was then used to decrypt the files.
>
> The legal fight over whether the monitor was legal and whether the information so obtained are in fact records of criminal activity is a side-show. It remains practical evidence of how insecure computer equipment / OS's and pass-phrase based identity authentication combine to reduce the effective security of a system.

I fully support this comment that the whole issue of "legality" is a "side show."

We've known that keyboard sniffers were a major issue for many years. I remember describing the sniffers ("keystroke recorders") which were widely available for Macs in the early 90s. Others cited such recorders for Windows and Unices.

We discussed the issue at early CP meetings, with various proposed solutions. (For example, pass phrases stored in rings, pendants, Newtons, Pilots. For example, zero knowledge approaches. For example, reliance on laptops always in physical possession.)

Frankly, the PGP community veered off the track toward crapola about standards, escrow, etc., instead of concentrating on the core issues. PGP as text is a solved problem. The rest of the story is to ensure that pass phrases and keys are not black-bagged. Forget fancy GUIs, forget standards...concentrate on the real threat model.

--Tim May

-- 
(This .sig file has not been significantly changed since 1992. As the election debacle unfolds, it is time to prepare a new one. Stay tuned.)
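The thread's complaint is that a keystroke recorder captures the pass phrase, and the pass phrase alone unlocks the keyring. One of the remedies Tim May lists (a pass phrase or secret held in a pendant, Newton or Pilot) amounts to making the typed pass phrase necessary but not sufficient. The example below is an added illustration of that idea, not code from PGP or from anyone on this thread: it wraps a sample secret key under a key-encryption key derived from both the typed pass phrase and a secret that exists only on a token and is never typed. With the conventional single-factor wrap, a logged pass phrase recovers the key; with the two-factor wrap, it does not. The sample key, pass phrase, token secret, the HMAC-counter keystream and the function names are all constructed for this demonstration (use a real AEAD such as AES-GCM in practice).

```python
import hashlib
import hmac
import os

# Constructed sample values (not from any real keyring or from the NJ case).
SAMPLE_PRIVATE_KEY = (b"-----BEGIN EXAMPLE SECRET KEY BLOCK-----\n"
                      + bytes(range(48)) + b"\n-----END EXAMPLE SECRET KEY BLOCK-----\n")
PASSPHRASE = "correct horse battery staple"   # exactly what a keystroke recorder captures
TOKEN_SECRET = os.urandom(32)                 # lives only on the pendant/Pilot; never typed
SALT = os.urandom(16)
PBKDF2_ROUNDS = 200_000


def derive_kek_passphrase_only(passphrase: str, salt: bytes) -> bytes:
    """Conventional keyring protection: the pass phrase is the whole secret."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def derive_kek_two_factor(passphrase: str, token_secret: bytes, salt: bytes) -> bytes:
    """Key-encryption key that needs BOTH the typed pass phrase and the token's secret.

    Binding the token secret in with HMAC means a logged pass phrase on its own
    gives the attacker nothing to decrypt with and nothing to brute-force offline."""
    pw_key = derive_kek_passphrase_only(passphrase, salt)
    return hmac.new(token_secret, pw_key, hashlib.sha256).digest()


def _subkeys(kek: bytes):
    enc_key = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Demonstration-only stream: HMAC-SHA256 over nonce||counter (stdlib has no AES).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_key(kek: bytes, secret_key: bytes) -> bytes:
    """Encrypt-then-MAC the secret key; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(kek)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret_key, _keystream(enc_key, nonce, len(secret_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong KEK fails closed instead of yielding garbage."""
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key-encryption key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo_passphrase_only() -> bool:
    """Single-factor keyring: the logged pass phrase alone recovers the key (True = attacker wins)."""
    kek = derive_kek_passphrase_only(PASSPHRASE, SALT)
    blob = wrap_key(kek, SAMPLE_PRIVATE_KEY)
    return unwrap_key(kek, blob) == SAMPLE_PRIVATE_KEY


def demo_two_factor() -> dict:
    """Two-factor keyring: owner has pass phrase + token; attacker has only the keystroke log."""
    blob = wrap_key(derive_kek_two_factor(PASSPHRASE, TOKEN_SECRET, SALT), SAMPLE_PRIVATE_KEY)
    owner = unwrap_key(derive_kek_two_factor(PASSPHRASE, TOKEN_SECRET, SALT), blob)
    try:
        # Attacker knows the pass phrase but must guess the 256-bit token secret.
        stolen = unwrap_key(derive_kek_two_factor(PASSPHRASE, b"\x00" * 32, SALT), blob)
    except ValueError:
        stolen = None
    return {"owner_recovers_key": owner == SAMPLE_PRIVATE_KEY,
            "keylogger_recovers_key": stolen}


if __name__ == "__main__":
    print("passphrase-only: keylogger recovers key ->", demo_passphrase_only())
    print("two-factor:", demo_two_factor())
```

The caveat the thread itself implies still applies: this only makes the captured pass phrase insufficient on its own. On a box the adversary already controls well enough to install a keystroke recorder, the unwrapped key can be read from memory the moment the token is present, which is why the "laptop always in physical possession" option is on Tim May's list alongside the pendant.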
Re: IBM Uses Keystroke-monitoring in NJ Mob Case (was Re: BNA's Internet Law News (ILN) - 12/5/00)
On Tue, Dec 05, 2000 at 05:16:03PM -0800, Tim May wrote:

> > The legal fight over whether the monitor was legal and whether the information so obtained are in fact records of criminal activity is a side-show. It remains practical evidence of how insecure computer equipment / OS's and pass-phrase based identity authentication combine to reduce the effective security of a system.
>
> I fully support this comment that the whole issue of "legality" is a "side show."

Exactly - not every attacker represents law enforcement, and not every law enforcement attack is performed with the intention of creating admissible evidence. The US' exclusionary rule is the exception, not the rule, worldwide - most courts take more or less whatever evidence they can get. And thugs and goons and spies of many flavors don't give a shit about even pretending to cover their tracks when they're not following the rules.

-- 
Greg Broiles [EMAIL PROTECTED]
PO Box 897
Oakland CA 94604