Beware of keystroke capture tools!
I want to remind folks of another _practical_ security weakness in using PGP or any other crypto program: keystroke capture utilities. These are small utilities (inits in Mac terms, perhaps TSRs in DOS terms, and who knows what in Windoze terms) that record all keyboard input. Very useful for recovering from crashes and such. These started in the Unix community, where I've forgotten the name ("history"?). In the Mac community, "Last Resort" has been doing this for a couple of years, and now several other packages offer similar capabilities (QuicKeys has "GhostWriter," or somesuch). Many's the time I've forgotten I had thse things enabled, only to find in my System Folder a folder marked "Saved Work" or the like, containing files of all the histories from each rebooting. The security risks are obvious: * passphrases (and perhaps even the original key generation process, in toto) are captured over and over again. * the stored history files may be tucked away in odd places on one's disk, on various backup tapes made, and so on. (Easily recoverable with search warrants.) * anyone with access to one's machine (a snoopy coworker, an employer, a spouse, even an NSA black bag job) can insert this harmless-looking utility and then pick up the results later. There are commands to bypass such keystroke capture--specifically intended to head off these breaches--but most people will forget sometimes, and may not even know the program is installed. (And there are at least 3 of these for the Mac, so confusion is increased.) This is a well-known security concern, but I thought it important to mention. --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. "National borders are just speed bumps on the information superhighway."
WfOn Fri, 1 Jul 1994, Timothy C. May wrote:
I want to remind folks of another _practical_ security weakness in using PGP or any other crypto program: keystroke capture utilities. I would be intersted in technical details of these for several machenes. I am interested in going around them. Code for these programs would be appreciated.
One really good way is to display the alphabet on the termanal, with mixed up character corispondence, done as a one-time pad. You then enter the char from the display and a spy would need to see your screen, and your keystroke record, and match them up. Roger, Mad Dog Libertarian, Bryner. ************************************** P.S. A very strong pro-Liberty candidate I worked for here just won their primary, in a region that goes in favor or her party.
participants (2)
-
Roger Bryner -
tcmay@netcom.com