IBM Uses Keystroke-monitoring in NJ Mob Case (was Re: BNA'sInternet Law News (ILN) - 12/5/00)

[Tim May]

(dcsb and cryptography and other closed lists removed, for obvious reasons)


At 4:52 PM -0500 12/5/00, R. A. Hettinga wrote:
>
>Date: Tue, 05 Dec 2000 08:47:20 -0800
>From: Somebody
>To: "R. A. Hettinga" <rah at shipwright.com>
>Subject: Re: IBM Uses Keystroke-monitoring in NJ Mob Case (was Re:
>BNA'sInternet
>  Law News (ILN) - 12/5/00)
>
>An instructive case.  Apparently they used the keystroke monitoring
>to obtain the pgp passphrase, which was then used to decrypt the files.
>
>The legal fight over whether the monitor was legal and whether the
>information so obtained are in fact records of criminal activity is a
>side-show.  It remains practical evidence of how insecure computer
>equipment / OS's and pass-phrase based identity authentication combine to
>reduce the effective security of a system.


I fully support this comment that the whole issue of "legality"  is a 
"side show."


We've known that keyboard sniffers were a major issue for many years. 
I remember describing the sniffers ("keystroke recorders") which were 
widely available for Macs in the early 90s. Others cited such 
recorders for Windows and Unices.

We discussed at early CP meetings the issue, with various proposed 
solutions. (For example, pass phrases stored in rings, pendants, 
Newtons, Pilots. For example, zero knowledge approaches. For example, 
reliance on laptops always in physical possession.)

Frankly, the PGP community veered off the track toward crapola about 
standards, escrow, etc., instead of concentrating on the core issues. 
PGP as text is a solved problem. The rest of the story is to ensure 
that pass phrases and keys are not black-bagged.

Forget fancy GUIs, forget standards...concentrate on the real threat model.

--Tim May
-- 
(This .sig file has not been significantly changed since 1992. As the
election debacle unfolds, it is time to prepare a new one. Stay tuned.)