Antivirus software will ignore FBI spyware: solutions

Sunder sunder at sunder.net
Tue Nov 27 10:06:04 PST 2001



On Mon, 26 Nov 2001, Tim May wrote:

> On Monday, November 26, 2001, at 11:49 AM, Sunder wrote:
> 
> > 	a. It may use your OS to hide the key capture log, so you
> > 	   won't be able to just watch files.  Think of a kernel patch
> > 	   that removes all references to a specific file, not just
> > 	   sets it to be hidden.
> 
> Yes, but this is probably beyond current and foreseeable attacks. I 
> don't dispute that all sorts of advanced attacks are possible, just that 
> the fixes this guy suggested are "much better than doing nothing."

Sure, doing something is better than doing nothing, and it all boils down
to your threat model, as usual.  However, with the heightened 911 crap, it
seems these guys will do nearly anything to get the bad guy -- I wouldn't
put it past them to beat the shit out of someone who just so happens to be
of Arab descent until they sign a confession.

But one has to consider several factors in building a threat model
including: Why do I want to encrypt my hard drive?  Why do I want to
encrypt my emails?  How much attention am I attracting by starting to use
PGP now versus pre 911?  Can I communicate securely by means other than
email?

Of course the cypherpunk answer is you should always encrypt everything
all the time, but if you haven't done so up until this point, is it worth
getting probed by the Feds?  Maybe it is if they have nothing on
you or you expect them to have little reason for fucking with you.

If you're of Arab descent, using PGP might just buy you a ticket to one
of those fancy newfangled jails where they don't let you have reasonable
access to a lawyer, a sweater, or much else among the company of the other
1100 or so suspected terror mongers.

On the other hand, if you're a known cypherpunk and have used PGP in the
past, this won't attract too much extra attention.

From what I've read in various articles the terror mongers didn't use the
internet for much, just had face to face meetings, etc.  So of course the
use of spyware bugs and carnivore is simply an opportunistic grab at
power.  But so were the Jim Bell and Toto arrests.

The question isn't what have you or I or Joe Sixpack to hide as much as
what do the Feds think you have to hide, and is it worth it to attract
their attention.  If you're willing to attract their attention, do you
have the technical means to thwart and detect their intrusion, do you
have the legal (and by implication money to buy legal) means, etc.

The technical stuff is fairly easy if you think it through, but
difficult/expensive to implement well.  Find all the holes and close them,
and should they use black bag ops, set up ways to detect them. The legal
means have now changed.


> Even _secure_ OSes (KeyKOS, for example) are vulnerable to attacks
> when physical access is gained...doesn't make it easy, though.

Absolutely.  You can close most of the holes.  You can make the ones you
can't close harder to use by alarming them and watching those alarms
closely.

> > 4. If you live in a crowded area, your iPod can be lifted off you
> > in a false mugging, or break-in, pickpocketing while you're at a
> > restaurant, movie, etc.
> 
> This implies a level of surveillance/commitment beyond what most FBI 
> attacks are at.

Doubtful.  They've installed key catcher hardware in lots of computers to get
spies and mobsters before.  The treasury guys installed a GPS tracker
in Jim Bell's car, etc.  All these imply black bag jobs are not beyond
them at all.

> More importantly, theft of my iPod would then trigger certain actions. 
> Cancelling my existing key and generation of a new one.

Sure, but that would be useless for past communications.  If they've
copied your emails before, and now have the key, they have what you wrote
and what you've read.  They don't have future writings, but once they've
broken in to your machine, you can assume they own it.  Depending on how
the bug is installed, simply wiping it might not be enough.

> All of these kinds of "they've got your hardware" attacks are present 
> with nearly all systems. All require more work than the simple insertion 
> of a keystroke logger involves. It's all measures and countermeasures.

Yup.  Again, back to the threat model. :)
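Added example, not part of Sunder's or Tim's posts: one concrete way to "set
up ways to detect them" at the file level is a keyed integrity baseline taken
before a suspected black bag job and diffed against the machine afterwards.
The script below (Python, written for this page) baselines a directory with
keyed BLAKE2b hashes, seals the stored baseline with an HMAC so an intruder
can't quietly regenerate it, and then reports files that were added, removed
or changed. The directory, the "login"/"ls" binaries and the dropped "klogd"
file are constructed for the demo. The caveat from earlier in the thread
applies in full: a kernel patch that hides a file from every directory
listing defeats any check that runs on the compromised OS, so run the check
and keep the key from media the machine can't alter (boot from it, or carry
the key on it).

```python
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path, key):
    """Keyed BLAKE2b over a file's mode, size and contents.

    Keyed so that an intruder who alters a file cannot recompute a matching
    entry without the key; the key lives off the box (removable media).
    """
    h = hashlib.blake2b(key=key, digest_size=32)
    st = os.lstat(path)
    h.update(f"{st.st_mode}:{st.st_size}\n".encode())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key):
    """Walk root and return {relative_path: keyed_hash} for regular files."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks/devices are out of scope for this demo
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full, key)
    return manifest


def seal_manifest(manifest, key):
    """Serialize the baseline and attach an HMAC so edits to the stored
    baseline itself are detected when it is read back."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def open_manifest(body, tag, key):
    """Verify the HMAC before trusting the baseline; None if it fails."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def diff_manifests(baseline, current):
    """Return (added, removed, changed) relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    return added, removed, changed


def demo():
    """Constructed scenario: baseline a directory, then simulate a black bag
    visit that drops a keystroke logger and trojans an existing binary."""
    key = os.urandom(32)  # in practice: stored on media kept off the machine
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"original login binary\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary\n")
        body, tag = seal_manifest(build_manifest(root, key), key)

        # The intruder's visit (constructed): new file plus a patched login.
        with open(os.path.join(root, "bin", "klogd"), "wb") as f:
            f.write(b"keystroke logger\n")
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"trojaned login binary\n")

        baseline = open_manifest(body, tag, key)
        added, removed, changed = diff_manifests(baseline,
                                                 build_manifest(root, key))
        # An intruder who also edits the stored baseline fails the seal check.
        tampered = open_manifest(body.replace(b"login", b"lOgin"), tag, key)
    return added, removed, changed, tampered


if __name__ == "__main__":
    print(demo())  # (['bin/klogd'], [], ['bin/login'], None)
```

The check only sees what the kernel is willing to show it, which is exactly
the hole Sunder describes above; it catches the cheap insertion of a
user-land logger or a swapped binary, not a kernel patch hiding its own
files.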




