Over at News.com, Declan McCullagh has been following a recent court case that offers a rare peek into how some fed agents conduct digital investigations when a suspect uses encryption: first, break into the suspect's home or workplace, then implant keystroke-logging software on their computer, then step back and spy. Snip:
An agent with the Drug Enforcement Administration persuaded a federal judge to authorize him to sneak into an Escondido, Calif., office believed to be a front for manufacturing the drug MDMA, or Ecstasy. The DEA received permission to copy the hard drives' contents and inject a keystroke logger into the computers.
That was necessary, according to DEA Agent Greg Coffey, because the suspects were using PGP and the encrypted Web e-mail service Hushmail.com. Coffey asserted that the DEA needed "real-time and meaningful access" to "monitor the keystrokes" for PGP and Hushmail passphrases.
Link with related DEA PDF documents here and here. Related item on Declan's Politechbot list from 2000: Link. And a related 2001 item in Wired "about how one antivirus company reportedly contacted the FBI and pledged not to detect malicious fedware" — Link.
On Politech, Declan writes:
It seems that spyware and key loggers are far more advanced and commonplace today than they were six years ago, as are anti-spyware tools. I wonder if the FBI could seek a court order requiring an anti-spyware company not to report fedware (as in, fedware would be whitelisted if detected and the customer would not be alerted).
Anyone worried about this could always run free software, where the risk to a user would be lower. (Yes, I know, the compiler could be compromised or a clever and subtle backdoor in the source not detected, but it's still less risky if that's the threat model.)
Reader comment: G1ZM0 says
This article about keyloggers has a section about preventing keystroke capture that suggests virtual (on screen) keyboards may be a way to prevent capture.
On-screen keyboards are not safe from keyboard logging either; they just require more specialised loggers: Link.
The suggestion that a screen keyboard can be used as a 'safe' method is flawed; banks have been using screen keyboards for a little while, and crackers adapt by capturing the entire screen into a video file. The Cult of the Dead Cow's Back Orifice security software suite has had this capability for some years now.
Ironically, maybe the only way you'll be able to trust your operating system in the future is through the use of DRM mechanisms like the Trusted Platform Module (TPM)? Or you could just be ever vigilant.
Oakley Networks (Link) recently demoed their products for the concern I work for. One of them is like a keylogger on steroids. It captures a movie of the subject's computer screen (and all web sites and data, etc.). The technical rep bragged that their products are used by all of the three-letter government organizations. They said that none of the virus scanners found their product, except for Microsoft's. He said they talked to Microsoft and it no longer detects the Oakley Networks stuff anymore. P.S. Boing Boing is at the top of my RSS feeds!