(dcsb and cryptography and other closed lists removed, for obvious reasons)

At 4:52 PM -0500 12/5/00, R. A. Hettinga wrote:

Date: Tue, 05 Dec 2000 08:47:20 -0800
From: Somebody
To: "R. A. Hettinga" <rah@shipwright.com>
Subject: Re: IBM Uses Keystroke-monitoring in NJ Mob Case (was Re: BNA's Internet Law News (ILN) - 12/5/00)
An instructive case. Apparently they used the keystroke monitoring to obtain the pgp passphrase, which was then used to decrypt the files.
The legal fight over whether the monitor was legal and whether the information so obtained is in fact a record of criminal activity is a side-show. It remains practical evidence of how insecure computer equipment / OSes and pass-phrase based identity authentication combine to reduce the effective security of a system.
I fully support this comment that the whole issue of "legality" is a "side show." We've known that keyboard sniffers were a major issue for many years. I remember describing the sniffers ("keystroke recorders") which were widely available for Macs in the early 90s. Others cited such recorders for Windows and Unices. We discussed the issue at early CP meetings, with various proposed solutions. (For example, pass phrases stored in rings, pendants, Newtons, Pilots. For example, zero knowledge approaches. For example, reliance on laptops always in physical possession.)

Frankly, the PGP community veered off the track toward crapola about standards, escrow, etc., instead of concentrating on the core issues. PGP as text is a solved problem. The rest of the story is to ensure that pass phrases and keys are not black-bagged. Forget fancy GUIs, forget standards... concentrate on the real threat model.

--Tim May

-- 
(This .sig file has not been significantly changed since 1992. As the election debacle unfolds, it is time to prepare a new one. Stay tuned.)