All through this case, the FBI has been very cagey on whether the key logger was implemented in hardware or software (or firmware).
Until recently I had thought the hardware approach more likely. It's easy to install a bug in the keyboard cable, and such devices already exist on the market. But one passage in this affidavit caught my attention:

    Recovery of Output

    13. In order to recover the output of the KLS, it was necessary to gain physical access to the computer. A total of five surreptitious entries into Scarfo's place of business were made. On four of those occasions, the computer in question was found to be inoperative or not present. On only one of those conditions was the computer in question found to be present and in working order.

A hardware device would have been easy to install even if the computer wasn't "operative" (as long as it was actually there). This strongly suggests that the logger consisted either of software modules hacked into Windows, or possibly a hack to the BIOS firmware.

If it was done as a Windows software hack, that raises the question of why so many keystrokes were captured -- especially if the search warrant was only for his PGP passphrase. They probably already had a copy of his encrypted secret key ring from an earlier search. So a good programmer could have written the intercept routine to test the keystrokes in real time, saving them only if they constituted the correct pass phrase. This could be done either by looking for the keystrokes that typically precede the entering of the passphrase, or by continually testing a "window" of the last (1,2,...N) typed characters regardless of context. The former would work in a command line environment, the latter might be necessary in a GUI. The real-time testing would have to be done without raising suspicion, i.e., by noticeably lengthening the computer's response time. It would be interesting to see how fast such a routine could run on a typical PC.

Still, the software/firmware approach does have the advantage of being less easily detected by a naive user than a hardware "bug". The average Windows user wouldn't have a clue as to how to look for cleverly hacked DLLs or system programs. However, if one does suspect a software "bug", then the countermeasures are pretty obvious. This would certainly explain the FBI's reticence to disclose the details. Tripwire-like mechanisms, improved physical security (e.g., keeping a laptop in a safe) and using IR motion detectors to silently log physical intrusions into the vicinity of the computer would all complicate the FBI's job.

Anybody have any other ideas?

Phil

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
