-----Original Message----- From: Tim May [mailto:tcmay@got.net] Sent: Monday, November 26, 2001 1:13 PM To: cypherpunks@lne.com Subject: Antivirus software will ignore FBI spyware: solutions Some interesting tips (bottome of this message) for detecting FBI/SS snoopware that NAI/McAfee is now assisting the FBI in installing. I especially like the idea of "type hundreds of random key strokes and see which files increase in size." (Or just look for any file size changes, as most of us type tens of thousands of keystrokes per day.) The mathematical side of most encryption is vastly stronger than the "crypto hygiene" side. There's a reason "code rooms" and "crypto shacks" on military ships and bases have lots of hoops to jump through, with locked boxes, double-keyed switches, controlled access, etc. Most users of PGP take no steps to secure key materials. (I plead guilty, too.) Most of us are used to immediate access, and we want crypto integrated with our mail. The notion of going to a locked safe, taking out the laptop or removable hard drive, ensuring an "air gap" between the decoding system and the Net, and checking for keyloggers and hostile code, and so on, is foreign to most of us. The "dongle" idea (e.g., Dallas Semiconductor buttons, etc.) has been around for a long time. Here's a new twist: the Apple iPod music player. I just got one. A 4.6 GB hard disk (Toshiba 1.8"). Hooks up via Firewire/IEEE 1394, with the link recharging the battery and auto-linking. The disk can also be mounted as a standard Firewire disk. Meaning, it could be used to store key material and even be used for PGP scratch operations. The increased security comes from its small size (easy to lock up) and because I usually have it with me when I am away from home. This makes "sneak and peek" searches and plants of malicious code less useful. Not a complete solution. Crypto hygiene and all. -----End Original Message----- An even better solution: a USB compact flash card reader. $30 at CompUSA or other fine electronics retailers, and $20 or less for a 16 MB compact flash card. This way more space than any normal person is going to need for PGP keyrings, with enough room left for your randseed file and other stuff like that, and at a price ($50 or so) that most anyone can afford. It is also transportable from computer to computer, so you could use it sneakernet style if you wanted to, especially if you get more/larger cards. 256MB cards are available for about $200, and a 1GB Microdrive runs around $400. Either of these could be carried in various orifices in extreme circumstances. :-)