For those who haven't seen it, there is an affidavit from the FBI at <http://www.epic.org/crypto/scarfo/murch_aff.pdf> (ref from Schneier) about the "keylogger" system the FBI used. I put "keylogger" in quotes because it's unclear if the "key" that's being logged is a keystroke or an encryption key - probably both.

This is a very tricksy document. I have studied it hard and I'm still not sure what it says; however: (background: the FBI couldn't intercept his email with the warrant they had, so they couldn't use an ordinary keylogger) there were at least two "components" to the "keylogger" the FBI planted on Scarfo's computer.

One was a "keystroke capture component" that couldn't record keystrokes when the modem was operating (there are hints that another "component", perhaps the one below, could record keystrokes entered into a window that was not using the modem when the modem was in use by another window). This doesn't seem to have recorded much, anything useful, or anything that looks like language, and it was probably meant to capture key material used by crypto programs other than PGP, which was the main target. Could be hardware, but it "checked the status of each communication port" at every keystroke before recording it, so I doubt it. Then again, a software port scan at every keystroke might noticeably degrade performance. One puzzle is that if the ports reported inactivity then all keystrokes were recorded. I don't know about Scarfo, but I usually write email when disconnected to keep the phone bills down; there weren't any emails in the log presented to the Court, and the "keylogger" was in place for at least 14 days.

The other and more worrying "component" picked up the PGP key Scarfo used - his father's prison number! - and virtually nothing else. It didn't capture keystrokes. Almost certainly it detected and captured only the PGP logon when the enter key was pressed, and it is almost certainly software. I don't know if Scarfo entered his PGP key more than once, but apparently it only recorded it once.

The PGP key information was at the end of the output presented to the Court, so it may have stopped operation then, but the "keystroke capture component" should have continued to work if the overall design was good. Could it be remotely installed? Is this a serious security failure in PGP? The recent announcement by NA that they are looking for a buyer for PGP, at a time when its value would be low anyway following the WTC attacks, may be relevant...

-- Peter Fairbrother

---------------------------------------------------------------------
The Cryptography Mailing List
