Wired reports that a Federal judge in Newark has said it’s okay for the Justice Department to have gathered evidence on Nicodemo S. Scarfo’s loan shark operation by sneaking into his office and planting a keyboard sniffer in his PC. Mr. Scarfo had using PGP (Pretty Good Privacy) encryption software to secure his business data. This frustrated FBI investigators no end because they couldn’t crack the encryption, so they broke in to his office and surreptitiously installed a keyboard sniffer. It records all your keystrokes, including the ones you use to type in your passwords and code keys.
This confirms a principle taught me by my friend who used to do this sort of thing professionally, back when he was working for his uncle. He says that there are five basic kinds of cryptanalysis, and that under real-world conditions,
The strong-arm mathematical kind takes a far distant back seat to the faster, more reliable, and more effective kinds; to wit:As he explained it to me, checkbook cryptanalysis is where you pay someone in the target organization to give you the keys. It’s the the commonest and most effective method. Black bag cryptanalysis is where you break in and steal the code key, or (as in the case of Mr. Scarfo) plant a bug that makes more sophisticated codebreaking unnecessary. Rubber hose cryptanalysis is where you get hold of someone who knows the key and beat or otherwise torture him-or-her into Telling All. Dumbshit cryptanalysis is what happens when a guy in the organization absentmindedly leaves the code key in the pocket of the trousers he sends to the dry cleaner. Planting a very sympathetic barmaid in the guy’s favorite bar probably counts as dumbshit cryptanalysis too.a) checkbook cryptanalysis
b) black bag cryptanalysis
c) rubber hose cryptanalysis
d) dumbshit cryptanalysis
The other principle he taught me is to not trust security systems designed by people who go on and on and on about how many permutations you’d have to try in order to break their passwords, because they’ve had their attention focused on the wrong things: “The other guys have checkbooks and black bags too,” he said. “They’re not going to be sitting there feeding in permutations.”
Back when my friend was responsible for security at one of his uncle’s overseas branch offices, a fellow employee sent away for a new security program for their desktop PCs. I believe they were running one of the earlier versions of Windows. When the new software arrived, my friend noticed that the packaging and documentation went on and on and on about how many permutations you’d have to try in order to break its passwords: It would take forever, you’d run out of room on your hard drive, the sun would go nova, yadda yadda. Bad sign.
He installed the new software on one of the PCs, then dropped down into DOS to have a look at it. Sure enough, one of the associated files sitting right there in the directory was named “passwords.” When he opened it as a text file, it contained all the uncrackable secret passwords in unencrypted form. The whole operation took him less than five minutes.
His own approach to security was much simpler: At the end of each workday, he unplugged all the keyboards and locked them in a safe for the night.
Doing that might have helped Mr. Scarfo. On the other hand, the FBI wouldn’t have had to break in and install a keyboard sniffer if Mr. Scarfo hadn’t been using PGP. I don’t know what the moral to this story is. Maybe it’s that if the big guys really want to crack your security, they’ll probably succeed. Maybe it’s that PGP is so secure that the only way around is is to use non-cryptanalytic cryptanalysis. (My friend is a great believer in PGP, by the way.) And maybe it’s that the only truly secure document is the one that you don’t write down in the first place.