Sealing wax & eKeyboard

Tyler Durden camera_lumina at hotmail.com
Wed Jul 16 06:33:56 PDT 2003


This reminds me of another thing that occurred to me, but as I'm no computer 
engineer I can't tell how much of a defense it would be. (At the very least 
a nice stopgap for a while...)

To get around keystroke loggers, it would be nice to have some form of 
onscreen keyboard, perhaps available over the web. The keyboard would likely 
work only with the mouse (making it slow to use, of course), and each time 
the keyboard appears (and at periodic intervals) the keyboard scrambles its 
keys.


I suspect it would be MUCH harder to figure out what has been typed.

-TD


>From: Tim May <timcmay at got.net>
>To: cypherpunks at lne.com
>Subject: Sealing wax
>Date: Tue, 15 Jul 2003 12:08:20 -0700
>
>On Tuesday, July 15, 2003, at 09:05  AM, Major Variola (ret) wrote:
>
>>At 09:29 AM 7/15/03 -0400, Sunder wrote:
>>>So, the best way to avoid that situation and not being able to reach the
>>>big red switch, is simply not to attract their attention in the first
>>>place by not following the footsteps of Jim Bell.  :)
>>
>>Stego + broadcast is indeed your friend.
>>
>>>A more likely, and far more important, scenario to worry about is the
>>>black bag job whereby a hardware keystroke recorder can get installed
>>>without your knowledge...
>>>
>>>There may be ways to prevent/detect this...  Software (open or closed
>>>source) alone won't help very much.
>>
>>Epoxy and other conformal coatings are also your friends.
>>
>
>Thinking about this brief comment, I assume MV means sealing a PC to make 
>black bag opening more apparent.
>
>But this suggests a return to _sealing wax_. Seriously.
>
>A dab of sealing wax (available in most stationery stores, save for 
>Staples, Office Depot, OfficeMax, Paper Barn, StaplerWorld, Nothing But 
>Rubber Bands, and other warehouses masquerading as stationery stores) over 
>the side panels and other access points, even over the floppy and CD-ROM 
>ports (carefully!), and a distinctive signet ring or other such seal-making 
>device could be quite easy to use.
>
>(As we all know, CIA and other spook agency "flaps and seals" specialists 
>are well-versed in duplicating such seals...but probably only after 
>collecting good information. An FBI black bag job is likely to encounter 
>the sealing wax and seal and be unable to duplicate it. There may be tools 
>now to take a fairly good impression, perhaps with a fast-setting polymer, 
>and then make a convincing duplicate of the seal. All crypto is economics, 
>though, and simple seals probably work against most attackers.)
>
>There are other methods:
>
>-- keep key material on a USB or PCMCIA flash card dongle.
>
>-- wear this around your neck or otherwise make it secure against 
>girlfriends, wives, others who may try to copy it
>
>-- use a small handheld PC (like the HP machines) or Palm OS device as the 
>"front-end" for security apps: at the simplest level, use it to store very 
>long keys which don't get typed-in, but instead are cut-and-pasted in a way 
>to bypass the keyboard driver completely.
>
>Note: It is common in military crypto for there to be different levels of 
>"security tokens" to increase physical security. Rarely are the keys to the 
>kingdom gotten merely by sitting down and typing stuff into a computer. For 
>one thing, this encourages people to get lazy and write the passwords and 
>keys down on Post-It notes or on pieces of tape stuck to the underside of 
>paperclip holders or other entropically-obvious things. For another thing, 
>it makes remote attacks or keystroke logging much more of an attack mode. 
>Finally, the rigamarole or ritual of having physical tokens on chains 
>around one's neck tends to make the process of security seem more serious, 
>which can cause more care to be taken.
>
>(All of this slows down the process. The rigamarole that a shipboard crypto 
>shack will put up with is not the same as what Joe Sixpack will put up with, as 
>we all know. RSA-like crypto makes crypto a lot less expensive to deploy, 
>but it's wrong to think it makes it a no-brainer, point-and-click 
>process....except in things like SSL, where it does a specialized job 
>without human involvement.)
>
>-- the usual point about having a network with a secure machine locked up 
>very well in a closet or safe (I have a large gun safe, which I usually run 
>a small heating element into to prevent condensing conditions...I have 
>toyed with the idea of  putting a small PC running on 25-40 watts, or less, 
>into this gun safe, with only a power cord and Ethernet wire coming out).
>
>-- and the usual point about having cameras watching the areas where the 
>PCs and keyboards are located.
>
>(Yeah, maybe the black bag types can find and disable the cameras, but then 
>Alice knows something unusual happened. But odds are pretty good they 
>_can't_ find all of the cameras or microphones or sensors, especially in a 
>building with many PCs and wires and other gadgets. They can cut the power, 
>but smart folks have things on battery backups, or self-powered, or on 
>laptops left plugged-in and able to run for 3-4 hours without AC power, 
>etc.)
>
>Were I setting up such a system, all sorts of inexpensive ideas suggest 
>themselves.
>
>By the way, I recommend the novels of Thomas Perry, especially "Pursuit," 
>"Vanishing Act," and his others in the "Jane Whitefield" series. All four 
>novels of his I have read so far deal centrally with issues of people 
>trying to escape those tracking them, kind of a private version of the 
>Witness Security Program (popularly called "Witness Protection"). The 
>novels are filled with good ideas, and a few glaring misses, about changing 
>identity, avoiding patterns, etc.
>
>If there's a weakness in his novels, it's that not enough modern technology 
>is used. I cringe when I see his characters not even using 
>readily-available throwaway cellphones to stay in contact, or not even 
>setting up Hotmail accounts to communicate. (He favors postal dead drops, 
>which in at least one of the novels allows an attacker to find out the home 
>and name of another....a determined opponent, like the government, would 
>know the names and addresses quickly.)
>
>Still, his series fits with the kind of security awareness and 
>hypervigilance we often discuss.
>
>
>--Tim May
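
The scrambled on-screen keyboard proposed at the top of this message, sketched as an added example (not code from either poster). All names are hypothetical, and rescrambling after a fixed number of clicks is an assumed stand-in for "at periodic intervals".

```javascript
// Added example; every name here is hypothetical.
const KEYS = "0123456789abcdefghijklmnopqrstuvwxyz".split("");

// Uniform integer in [0, n) from the platform CSPRNG (browsers, current Node.js).
// Rejection sampling avoids the bias a plain `% n` would introduce.
function secureRandomInt(n) {
  const buf = new Uint32Array(1);
  const limit = Math.floor(0x100000000 / n) * n;
  do {
    globalThis.crypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Fisher-Yates shuffle: layout[slot] is the character drawn in that slot.
function scrambleLayout(keys = KEYS, randomInt = secureRandomInt) {
  const layout = keys.slice();
  for (let i = layout.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    [layout[i], layout[j]] = [layout[j], layout[i]];
  }
  return layout;
}

// One keypad session. The layout is scrambled when the keypad appears and
// again after every `rescrambleEvery` clicks (assumed stand-in for "periodic").
function createKeypad({ keys = KEYS, randomInt = secureRandomInt, rescrambleEvery = 4 } = {}) {
  let layout = scrambleLayout(keys, randomInt);
  let clicks = 0;
  const typed = [];
  return {
    layout: () => layout.slice(),
    slotFor: (ch) => layout.indexOf(ch), // where the user must click for ch
    // `slot` is all a pointer logger could record: a grid position.
    click(slot) {
      if (!Number.isInteger(slot) || slot < 0 || slot >= layout.length) {
        throw new RangeError("no such slot: " + slot);
      }
      typed.push(layout[slot]);
      clicks += 1;
      if (clicks % rescrambleEvery === 0) layout = scrambleLayout(keys, randomInt);
    },
    value: () => typed.join(""),
  };
}
```

The same slot clicked three times can yield different characters once the layout has been rescrambled, so recorded grid positions do not map back to text without the layout. This covers loggers that see only key events or pointer coordinates, not a host where the display itself is observable.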
