RE: Intercepting Microsoft wireless keyboard communications
When I looked at this circa 2001-2002, for another company, other 27MHz keyboards didn't even bother to encrypt. Most of the data was sent in the clear, with neither encryption nor robust authentication. Exactly what makes this problem so difficult eludes me, although one suspects that the savage profit margins on consumables like keyboards and mice might have something to do with it. Ian. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leichter, Jerry Sent: Friday, 7 December 2007 10:13 AM To: cryptography@metzdowd.com Subject: Intercepting Microsoft wireless keyboard communications http://www.dreamlab.net/download/articles/Press%20Release%20Dreamlab%20T echnologies%20Wireless%20Keyboard.pdf Computerworld coverage at http://www.computerworld.com/action/article.do?command=viewArticleBasic; articleId=9051480 The main protection against interception is the proprietary protocol, which these guys were able to reverse engineer. The exchange is encrypted using a Caeser cipher (XOR with a single byte that is the common key, which is the only secret in the system); they say they can determine the right key within 30 characters or so. Their current hardware can read the data from 33 feet away; with a better antenna, well over a hundred feet should be possible. These things operate at 27 MHz, which will penetrate walls easily. Reading multiple keyboards at once is possible and they already do it. They are looking at injecting data into the stream - presumably not very hard. Many other brands of wireless keyboard may well be equally vulnerable. -- Jerry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: How the Greek cellphone network was tapped.
2. E2E crypto on mobiles would require cross-vendor support, which would mean that it would have to go into the standard. Unfortunately, standards in the mobile world are heavily influenced by governmnets, and the four horsemen of the apocalypse (drug dealers, paedophiles, spies, and terrorists) are still being used by government types to nix any attempts at crypto they can't break or intercept. Handset suppliers are traditionally uncomfortable with licensing fees for non-core function. This is why, for example, memory card support has been needed for so long, but is a relatively recent phenomenon. The suppliers didn't want to pay licensing fees to the card standards bodies, despite the massively increased data storage needs which were coincident with the addition of camera functionality to phones. Crypto has been an IP minefield for some years. With the expiry of certain patents, and the availability of other unencumbered crypto primitives (eg. AES), we may see this change. But John's other points are well made, and still valid. Downloadable MP3 ring tones are a selling point. E2E security isn't (although I've got to wonder about certain teenage demographics... :) And don't forget, some of the biggest markets are still crypto-phobic. Every time I enter China I have to tick a box on the entry form indicating that I am not carrying any communications security equipment. When my GSM mobile roams onto China Telecom, the unlocked paddlock logo appears denoting that even A5/2 isn't allowed. Yet China has mandated full cellphone coverage, even in rural areas, and for companies like Motorola and Nokia, it's a must-own marketplace. Features which may worry the often inconsistent and capricious State Encryption Management Committee (SEMC), who can block the entry of your product into China, is going to be pruned from the product list pretty damn quickly. Ian. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Free Rootkit with Every New Intel Machine
Dave Korn wrote: Ian Farquhar wrote: Maybe I am showing my eternal optimist side here, but to me, this is how TPM's should be used, as opposed to the way their backers originally wanted them used. A removable module whose connection to a device I establish (and can de-establish, assuming the presence of a tamper-respondent barrier such as a sensor-enabled computer case to legitimize that activity) is a very useful thing to me, as it facilitates all sorts of useful applications. [...] If you can remove it, what's to stop you plugging it into another machine and copying all your DRM-encumbered material to that machine? It's supposed to identify the machine, not the user. Sounds to me like what you want is a personally identifying cert that you could carry around on a usb key... Nothing, but you missed my point. I'm not interested in the DRM functionality, or user-removability. My point was to look beyond that original remit. Specifically, a module which supports authenticated physical removal (with a programmed tamper response) *is* useful, especially for server applications. (*) Smartcards and secure USB devices might be useful for other applications, but not the one I was describing, because they lack a tamper response. Note I'm also saying programmable tamper response. Although I like the idea of wiping keys on tamper response, it's not necessarily the ideal response. A better possibility (in certain circumstances) is the device entering a lockdown mode with selected and modelled reduced functionality. Examples of such circumstances are where the tamper might be triggerable maliciously, thus facilitating a DoS attack against the service. Ian. (*) And isn't it interesting how so many desktop systems are now starting to run application mixes which really look like servers? - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Free Rootkit with Every New Intel Machine
It seems odd for the TPM of all devices to be put on a pluggable module as shown here. The whole point of the chip is to be bound tightly to the motherboard and to observe the boot and initial program load sequence. Maybe I am showing my eternal optimist side here, but to me, this is how TPM's should be used, as opposed to the way their backers originally wanted them used. A removable module whose connection to a device I establish (and can de-establish, assuming the presence of a tamper-respondent barrier such as a sensor-enabled computer case to legitimize that activity) is a very useful thing to me, as it facilitates all sorts of useful applications. The utility of the original intent has already been widely criticised, so I won't repeat that here. :) It also shows those interesting economics at work. The added utility of the TPM module (from the PoV of the user) was marginal at best despite all claims, yet it facilitated functionality which was contrary to most user's interests. The content industry tried to claim that the TPM module would facilitate the availability of compelling content - which they tried to sell as it's user utility - but like most of their claims it was a smoke and mirrors trick. Consequently, the razor-edged economics of the motherboard and desktop industry has comprehensively rejected TPM except in certain specialized marketplaces where higher profit margins are available (eg. Servers, corporate desktops). The chipset manufacturers have also failed to add this functionality to their offerings to date. Now Vista has added Bitlocker, which arguably adds a user valuable feature for which a TPM module is needed (yes, you can run it without TPM, but it's painful). I wonder if we'll start to see more TPM connectors appearing, or even full TPM modules on motherboards and cores on south bridge dies? Personally, I'd like to see a TPM implemented as a tamper-respondent (ie. Self-powered) module mounted on the motherboard in a socket which allows removal detection. That way you get the flexibility of moving the module, with the safety of a programmed response to an unauthorized removal. Ian. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Free Rootkit with Every New Intel Machine
I agree with Peter here. I also tried to procure a motherboard with a TPM chip - to play with Bitlocker mostly - and came to the same conclusion. I did find a few MBs, mostly from Intel, and a couple of other vendors. All of these were corporate-style MB's, as opposed to the gamer/enthusiast style I needed. For example: the Gigabyte GA-965QM-DS2 (rev 2.0) which features security enhancement by TPM. More common (ASUS, Foxconn) was the TPM Connector, which seemed to be a hedged bet, by replacing the cost of the TPM chip with the cost of a socket. I also went looking for a TPM on some other delivery mechanism (USB stick? PCI card? Anything...) but didn't turn anything up I was actually able to purchase at the time (but maybe not now - see the BCM5751 below). There's a slightly out of date matrix of products here: http://www.tonymcfadden.net/tpmvendors_arc.html I too have heard rumors of TPM functionality being included in either North or South Brigdes, but I haven't seen that happen yet (aside from Intel, few vendors release detailed chipset datasheets anyway). Winbond do have a Trusted IO series of chips which are basically LPC controllers plus the TPM chip (all now not recommended for new designs), and Transmeta did embed the TPM in the TM5800. Apparently Broadcomm also did embed a TPM on their BCM5751 and BCM5751M ethernet controllers. Interestingly, you will find the BCM5751 on several high end motherboards, but the presence of TPM functionality isn't often mentioned. Riii :) Apple is one vendor who I gather does include a TPM chip on their systems, I gather, but that wasn't useful for me. Ian. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Gutmann Sent: Saturday, 23 June 2007 10:49 PM To: [EMAIL PROTECTED] Cc: cryptography@metzdowd.com Subject: Re: Free Rootkit with Every New Intel Machine [EMAIL PROTECTED] writes: my understanding from a person active in the NEA working group (IETF) is that TPMs these days come along for free because they're included on-die in at least one of said chips. Check again. A few months ago I was chatting with someone who works for a large US computer hardware distributor and he located one single motherboard (an Intel one, based on an old, possibly discontinued chipset) in their entire inventory that contained a TPM (they also had all the ex-IBM/Lenovo laptops, and a handful of HP laptops, that were reported as having TPMs). He also said that there were a handful of others (e.g. a few Dell laptops, which they don't carry) with TPMs. I've seen all sorts of *claims* of TPM support, but try going out and buying a PC with one (aside from IBM/Lenovo and the handful of others) - you have to look really, *really* hard to find anything, and if you do decide you specifically want a TPM-enabled MB or laptop you're severely restricting your options (unless it's a Lenovo). Unless something truly miraculous happens, TPMs are destined to end their lives as optional theft-discouragement gadgets for laptops (assuming they're running Windows XP, or possibly Vista if you can find the drivers). They've certainly failed to make any impression on the desktop market. Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Was a mistake made in the design of AACS?
On Thu, May 03, 2007 at 10:25:34AM -0700, Steve Schear wrote: Well, there's an idea: use different physical media formats for entertainment and non- entertainment content (meaning, content created by MPAA members vs. not) and don't sell writable media nor devices capable of writing it for the former, not to the public, keeping very tight controls on the specs and supplies. [...] Sony's UMD format is an example of this approach. I doubt even the most reality-disconnected marketeers in Sony could call it anything but an abject failure. I also doubt any company other than Sony - which has a long history of believing it can control the delivery format - would have even bothered. Ian. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: padlocks with backdoors - TSA approved
Some of the locks have special indicators which flag that a TSA key has opened it, which marginally improves the idea, but not by much. Whether those flags could represent a defence in the case of a corrupt official in possession of TSA keys I do not know. Without such flags, it's an INCREDIBLY unwise idea, as if you keep the bag unlocked, at least you have a defence that handlers could have added items to the luggage in transit. Some readers will have heard the case of Schapelle Corby, who is serving a 20 year sentence in Indonesia for trafficing marijuana. In the ensuing investigation, a significant amount of evidence was uncovered suggesting that corrupt baggage handlers were trafficing drugs between Australian airports, using unlocked baggage. Corby's laywers claimed that she was the victim of this, and that the destination baggage handler failed to intercept the drugs which were planted in her luggage. I won't make a comment on the conduct of the agencies, the media and governments involved in the Corby case. However, I will say that any government (or other) program which assumes the honesty of employees and contractors is fundamentally flawed, and any associated risk analysis is either incompetent, or in failing to identify risk to travellers, seriously incomplete. Ian. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hadmut Danisch Sent: Tuesday, 27 February 2007 7:20 AM To: cryptography@metzdowd.com Subject: padlocks with backdoors - TSA approved Hi, has this been mentioned here before? I just had my crypto mightmare experience. I was in a (german!) outdoor shop to complete my equipment for my next trip, when I came to the rack with luggage padlocks (used to lock the zippers). While the german brand locks were as usual, all the US brand locks had a sticker Can be opened and re-locked by US luggage inspectors. Each of these (three digit code) locks had a small keyhole for the master key to open. Obviously there are different key types (different size, shape, brand) as the locks had numbers like TSA005 tell the officer which key to use to open that lock. Never seen anything in real world which is such a precise analogon of a crypto backdoor for governmental access. Ironically, they advertise it as a big advantage and important feature, since it allows to arrive with the lock intact and in place instead of cut off. This is the point where I decided to have nightmares from now on. regards Hadmut - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: cellphones as room bugs
The other problem for this technique is battery life. Let's assume we can shove a firmware update/hack/whatever into the phone to enable snooping, it's still transmitting when acting as a bug. Even if this feature is only enabled when the phone is geolocated somewhere interesting, the reduction in battery life is going to be significant. If your phone has a standby time of days, and you're used to shoving it on the charger rarely, then suddenly you're doing it several times a day, you're going to notice. Even if you are the dumb, stupid criminal the government likes to tell us that surveillance always catches. I suppose that it could be argued that you could use silence detection etc. to reduce power used, but most phones are pretty aggressive at power saving already. I doubt there are huge savings to be made which haven't been implemented already. Ian. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Taral Sent: Monday, 4 December 2006 2:26 PM To: [EMAIL PROTECTED] Cc: John Ioannidis; cryptography@metzdowd.com Subject: Re: cellphones as room bugs On 12/3/06, Thor Lancelot Simon [EMAIL PROTECTED] wrote: It's been a while since I built ISDN equipment but I do not think this is correct: can you show me how, exactly, one uses Q.931 to instruct the other endpoint to go off-hook? That's the same question I have. I don't remember seeing anything in the GSM standard that would allow this either. -- Taral [EMAIL PROTECTED] You can't prove anything. -- Gödel's Incompetence Theorem - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]