FBI software cracks encryption wall

MSNBC ^ | November 20, 2001 | Bob Sullivan

[tacticalogic]

Surely they have a solution to the "cut & paste," ya think?!

Cut and past would get around the key logging software, but would require that you have the encryption keys stored in a file on the computer to cut and paste from. If they can find that file, they don't need the key logging software.

[Brookhaven]

All of this is easier said then done.

For every FBI hack out there, there are 1000 hackers who will spot the FBI code and come up with ways to foil it.

[Poohbah]

Actually, the best way to defeat this is to design PGP to crash the instant it's opened on a Magic Lantern-infected box.

[Nita Nupress]

<< "Actually, they do--because they don't count actual keystrokes, they parse the value entered into the user ID and password fields, regardless of source--just like Windows does." >>

What's the definition of "parse the value?" Are you saying each character on a keyboard has a value that can be read even after being CNTL/V'd onto a screen?

[Mat_Helm]

Bwah hah hah ha........ahah!

[Nita Nupress]

Cut and past would get around the key logging software, but would require that you have the encryption keys stored in a file on the computer to cut and paste from. If they can find that file, they don't need the key logging software.

This is possibly the only time in a woman's life where something being described as "floppy" would be a good thing. ;-)

[The Duke]

Why not just have the virus "patch" PGP?

"Encryption keys are unbreakable by brute force,..."

The author lost all credibility with me at this point.

[Poohbah]

No, the entire password input box contains a value, such as "t4@!dd_KqZ$h" (if the user has a strong password) or "password" (if the user is an idiot). That value is passed into the PGP program through a standard Windows Foundation Class library function call. It sounds like the Magic Lantern software grabs that value and copies it to its own buffer. Keystroke logging takes entirely too much memory--suppose it was a guy composing an opus which would take ten pages to print out before hitting "ENCRYPT." Also, the cut-paste would be an easy dodge--so the FBI would look for a way around it before anyone else would think of it.

[oc-flyfish]

Laptop or second pc running Linux, and not connected to the internet, with the encryption software on it. Encrypt, then sneakernet to the internet connected computer for transmission. Duh.

Damn, you just defeated the FBI! :-)

[Nita Nupress]

Thanks.

[tacticalogic]

This is possibly the only time in a woman's life where something being described as "floppy" would be a good thing. ;-)

There are rare occasions when floppy is better, as anyone who's had to roll up a garden hose in the winter will attest to.

[oc-flyfish]

Yes, you are probably right. Also, they can "hide" the program so it doesn't show up under task manager so you don't know that it is running.

As for AV software... if they were in bed with the FBI then they wouldn't make it part of their pattern files.

[rdb3]

I agree. This reminds of of the file sharing/swapping software out today.

Once the genie has been let out of the bottle, there's no putting it back.

[Poohbah]

Might be able to hide it in the home versions of Windows...but would they be able to do that in the NT/2000 variants?

[logos]

What about the "hushmail" program, where the passphrase is generated by passing the mouse over a hidden grid? Is that a more difficult system to "break"?

[Poohbah]

The grid can't be TOO hidden, and neither can the passphrase.

[SSN558]

I don't know a whle lot about hacking but....isn't this old technology ? Back when corporate America was into counting key strokes AutoCad had a lisp that would log your keystrokes. I used to disable it to conserve memory and increase the speed of the machine.

[greasepaint]

A few security tips.
Use the Zonealarm firewall (free for personal use), or something similar.
Avoid Microsoft products.
Binary (non-text) files sent by email are a major security risk...
Avoid or minimize their use. Do not accept a non-text file from someone
you don't know, and then only with a reason to do so.
Be careful with email attachments.
Older, or text-only email readers, are more secure than new email readers.
IMO, every new feature is a security risk.

[Psycho_Bunny]

You don't need Windows for that...It could be done on any platform.

[logos]

Sorry. Sloppy choice of words on my part. Rather than being hidden, the grid from which the passphrase on "hushmail" is generated is a "blind" grid. Would this Magic Lantern softward be able to pick that up - not even the user knows what his passphrase is in this system.

You're absolutely right that nothing can be "TOO hidden;" any security system that one person can devise, another person can break, given sufficient time and motivation.