How to defeat spyware
Tim May
tcmay at got.net
Mon Jan 7 20:29:43 PST 2002
On Monday, January 7, 2002, at 07:31 PM, Dr. Evil wrote:
> ...
> Yeah, that proposal (snipped above) would definitely defeat the plain
> old BIOS keyloggers. How sophisticated is the FBI stuff? Let's make
> some reasoned speculation.
>
> Most of their targets aren't going to be super-sophisticated hackers
> who will do those kind of things. The FBI has a whole bunch of tools
> which they use to achieve their goal (get the conviction, etc).
> Generally, they don't need any one of those tools to be perfect. The
> plain old keystroke logger would work in most cases, probably.
> However, that is not the end of the story...
All security is economics. Move-countermove, defense-offense, etc.
That basic keystroker loggers is "good enough" to get "most" of what
they want is not surprising. Pareto tradeoffs apply.
Higher security costs. Comments to follow.
>
>> Selecting letters with a mouse on the screen also bypasses the
>> keyboard.
>
> Ouch! That might work for occasional short messages, but for daily
> use?
I mostly meant for PGP passphrases, to decrypt a series of incoming
messages. Though if they can keystroke log, all messages written by the
target are vulnerable. No, I wouldn't suggest composing long messages
one letter at a time. (Though the most sensitive of all messages are
likely to be brief, a la the cononical "Attack at dawn.")
A sufficiently worried person could use a scanner, either typing a
message on a typewriter and then OCRing it, presumably beyond the
ability of keystroke loggers to see, or just doing an image scan of a
handwritten note and then PGPing that.
At this level of worry, there are probably easier technological
solutions, such as: using a Palm or other handheld for critical typing,
using a second machine kept locked up (*), putting a laptop in a bag and
then sealing it with sealing wax (hard for black baggers to duplicate on
the spot), the dongle idea, removable disk drives, etc.
All security is economics. When the U.S. Navy uses secure communications
to communicate with a ship, they don't just have a guy sit down at a
laptop and fire up PGP. They have nested security layers, including
controls on access to the "crypto shack," layers of keyed access to
crypto materials, and air gaps between machines and other parts of the
system. All of this takes time to set up, training for the personnel (my
condolences to them, as this is often drone work), and lots of
bureaucracy.
Almost everyone here is smart enough to realize that a lot of the jive
about RSA taking all the computer power in the universe to crack (and
then some, for large enough numbers) means nothing if key material has
been compromised, if Van Eck radiation is being used to monitor
equipment, and so on.
The graph I always like to use is with "value of thing being protected"
on the X-axis and "costs to use protection" on the Y-axis.
Something that could land one in prison for 10 years, or worse, clearly
jusitfies using very good crypto hygiene, that is, spending a fair
amount of time and effort to ensure good security.
Getting all traffic in PGP form, including mattd's and Choate's
forwarded articles, clearly cannot justify the same level of care.
The "one size fits all" approach of a "1024-bit key" is misleading. (I'm
not saying that the important thing is to vary key lengths. In fact, may
as well just standardize on 2048-bit keys or even larger. What I _am_
saying is that the whole PGP approach encourages people to think in
terms of just using PGP...instead of using a layered approach.
Seen this way, RSA/PGP is just one particular component of a larger
system.
Of course, selling this to the world is tough, as people want immediate
gratification and ease-of-use. This is where "rolling your own" makes
some sense, as the underlying mathematics is solid, but the crypto
hygiene of using dongles, locking up laptops in safes, etc. is enough to
stop many of the "sneak and peek" attacks.
> Bottom line: I don't have any knowledge of what the FBI actually does,
> but there are off-the-shelf commercial things out there which defeat
> what you described, so it's safe to assume that the FBI has something
> like that if they feel they need it.
Meta-bottom line has always been: if the adversary can get access to
your hardware, all bets are off. Morris showed this many years ago with
compilers. Hence the approach of using PDAs or removable disk drives
(flash, iPod, Dallas Semiconductor buttons) which make it much tougher
for the FBI to compromise.
> Bottom line 2: You need to have a tamper resistant system if you are
> faced with an attack from the FBI hacker team. Fortunately, in this
> case tamper resistance is pretty easy. Get yourself a webcam. I
> don't think many Mafiosos are sophisticated enough for this, or they
> probably would have found some other line of work.
We've talked a bit about deploying Webcams (with offsite or well-locked
storage) for logging entries, etc.
A cluster of several of them, some of them monitoring a system, some of
them doing conventional burglar work, could be very useful. X10 wireless
cams are down to just $50 each. Various strategies are obvious for how
to use them:
1. Just leave them on and logging. Very tough for the guys in black to
reproduce a plausible sequence which erases themselves from the archive.
Just seeing the webcams aimed at the computer, with wires going off into
a closet, may be enough to scare them off. (Have a pinhole webcam
monitoring the entire room, too.)
2. Send the signals to a computer in a locked room, or just the archived
images to a small disk drive inside a vault or safe. (One of my Firewire
drives inside my gun vault, for example.)
3. Offsite storage is possible. Or a machine hidden in a closet or
crawlspace and communicating via 802.11b. (On a battery backup in case
they cut the power first.)
(This is a variation on Brin's camcorder and escrow system.)
The point is not to get too cute. Start talking about storing the images
on an offshore platform and the scheme gets too complicated to use. A
simple X10 camera system feeding a bottom-end PC and then
802.11b-broadcasting to another PC seems quite feasible. And if you do
it yourself, with no "security consultants" involved, pretty hard for
the FBI to bypass.
Again, all security is economics. Having an unsecured machine sitting
around in an office with PGP installed on it is at one extreme
(regardless of the strength of RSA qua RSA), having a machine inside a
secured room with webcams aimed at it and with removable disk drives and
"mouse entry" methods to obscure keystrokes, all inside a Faraday cage,
is nearly at the other extreme.
How much one wants to spend depends on what one is protecting.
--Tim May
"That government is best which governs not at all." --Henry David Thoreau
More information about the Testlist
mailing list