19 December 2000. Additional contributions welcomed. Send to: jya@pipeline.com

See related reports and court filings on an FBI break-in to install a keyboard logger to get around use of PGP by the victim.

Date: Mon, 18 Dec 2000 23:23:22 -0800
To: "PFSanta Claus" <pf_santa@hotmail.com>, cypherpunks@toad.com
From: Bill Stewart <bill.stewart@pobox.com>
Subject: Re: keyboard loggers.

At 12:05 PM 12/18/00 -0900, PFSanta Claus wrote:

>    I came across your addies in a search off ask Jeeves and thought perhaps
>due to the way your interests run you might be up on this topic. I'm a Sr.
>Support Analyst for a large vendor and recently was asked by one of my
>casual internet contacts if there was a way to prevent a "keyboard logging"
>surveillance program from prevailing on their system and reporting the
>goings on from their keyboard. In an effort to be helpful, I set about my
>normal pattern of research and found that there seems to be a ton of info
>promoting various products, yet there is virtually nothing I could find
>which offers any realistic or reliable countermeasures that can be taken to
>prevent someone from logging the output from your keyboard. Even the hackers
>seem to think it isn't a threat to anyone's privacy. Weird...

If you have to worry about people installing keyboard logging programs on your machine without your permission, either

- you're using a public shared machine at a coffeeshop or school or Kinko's to do things you think need security, or

- you're using your employer's machine, and shouldn't do things that are inappropriate to do at work,

- you're using your employer's machine, and need a new employer who trusts his employees instead of feeling compelled to spy on them,

- you're using your employer's machine, and your employer has a serious security problem with people trying to crack in at night,

- you're sharing your home machine with a teenager who runs all sorts of game programs downloaded off the net or borrowed from friends, viruses and all,

- you've got serious security problems of your own - if they can sneak in and install programs like that, they can install anything else they want, copy your hard disk, probably even steal your hard disk, or

- the paranoids really are out to get you.

For the shared-machine problem, don't use insecure machines to do secure stuff.  Use disposable email accounts, American Express one-shot credit card numbers, and if you must log in to something, use one-time passwords (either S/Key or SecureID tokens or some similar mechanism.)

There's been some work done on encryption programs that run in hand-held computers, whether Palm Pilot things with displays or JavaRings or smartcards without them.  Matt Blaze, Ian Goldberg, and Martin Minow have done presentations on those topics.

I'll leave you to figure out employer problems, and there are professionals who can help with paranoia, as long as you get to them before the Feds get to you.

One approach for the teenager problem (or the related problem of machines for lab use, especially firewall research) is removable disk drives.  You can get disk drive drawers for IDE/Ultra/DMA/etc for about $20, and spare disks are only $100 or so. Keep a clean copy for installing software you trust, password-protected-screensavered to reduce accidents, and give the kid his own disk to play with, plus teach him how to reinstall software from CD-ROM when it gets trashed.  It's the computer equivalent of buying a full-sized beater car for your kid to learn to drive in - extra weight, airbags, and an exterior you don't care about dents in.

If the kid has his own machine, and you're sharing a network, that's more trouble.  You'll have to firewall your machine off from the kid's, or at least mainly run the clean copy disconnected from the net, and make sure the kid keeps current virus protection installed and running.



Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639

From: David Lesher <wb8foz@nrk.com>
Subject: Keystroke-monitoring in NJ Mob Case
To: cypherpunks@algebra.com (Cypherpunks)
Date: Tue, 5 Dec 2000 16:12:37 -0500 (EST)

re: The keystroke sniffer:


The FBI application is at:


The court order is at:


Date: Tue, 5 Dec 2000 21:02:22 -0500
From: Declan McCullagh <declan@well.com>
To: cypherpunks@cyberpass.net
Subject: Re: IBM Uses Keystroke-monitoring in NJ Mob Case

A copy of the indictment is here:


Nicodemo S. Scarfo, the defendant in this case, is the son of the former head of the Philadelphia-Atlantic City mob (who has been in jail himself since 1991); Nicodemo is currently out on bail and awaiting trial. His attorney was going to file a pretrial motion on the crypto issue, but was replaced today  (conflict of interest rules) with a new attorney, with whom I have not yet spoken.

So if you don't like this kind of FBI black bag job, you'll want to root for Mr. Scarfo. :)


Cryptome note: After news reports on the FBI keyboard logger, the judge in the case muzzled all parties.

From: jdean@lsuhsc.edu (Dean, James L)
To: "'jya@pipeline.com'" <jya@pipeline.com>
Subject: Re: Defense Against Keyboard Loggers
Date: Tue, 19 Dec 2000 06:34:17 -0600

At least under Windows 98 you can "Start", "Programs", "Accessories", "System Tools", "System Information", and list the "System Hooks".  Most keyboard sniffers are installed as "hooks".  If you see a new one, you may have a problem.

Note: Here's what JYA machine shows:

Hook type      Hooked by      Application    DLL path                                                           Application path

Keyboard       Wbhook32.dll   WEBSCANX.EXE   C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\Wbhook32.dll  Same as DLL path
CBT            Pgphk.dll      PGPTRAY.EXE    C:\WINDOWS\SYSTEM\pgphk.dll                                        D:\PGP658\PGPTRAY.EXE                                              
Mouse          Wbhook32.dll   WEBSCANX.EXE   C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\Wbhook32.dll  Same as DLL path

Surely Network Associates/PGP have no connection to the snoopers, but why scan keyboard and mouse?

Date: Wed, 20 Dec 2000 01:37:37 -0500
Subject: keystroke loggers
From: "Hugh Merwin" <hmerwin@earthlink.net>
To: jya@pipeline.com

Keystroke logging devices come up from time to time. 

A company called Working Technologies in New Zealand makes a device called Key Ghost that records keystrokes.  It apparently has problems with USB keyboards.

http://www.keyghost.com    (the product)

http://www.zdnet.co.uk/news/2000/12/ns-14347.html    (an article)