Schneier on Security
A blog covering security and security technology.
September 5, 2007
Police to Monitor Indian Cyber-Cafes
It stops terrorism, you see:
Vijay Mukhi, President of the Foundation for Information Security and Technology says, "The terrorists know that if they use machines at home, they can be caught. Cybercafes therefore give them anonymity."
"The police needs to install programs that will capture every key stroke at regular interval screen shots, which will be sent back to a server that will log all the data.
The police can then keep track of all communication between terrorists no matter, which part of the world they operate from. This is the only way to patrol the net and this is how the police informer is going to look in the e-age," added Mukhi.
Is anyone talking about the societal implications of this sort of wholesale surveillance? Not really:
"The question we need to ask ourselves is whether a breach of privacy is more important or the security of the nation. I do not think the above question needs an answer," said Mukhi.
"As long as personal computers are not being monitored. If monitoring is restricted to public computers, it is in the interest of security," said National Vice President, People Union for Civil Liberty.
EDITED TO ADD (10/24): This may be a hoax.
Posted on September 5, 2007 at 1:00 PM
Heh, I wonder how long before the data recorded gets compromised, leading to identity thefts... probably directly and obviously* traceable to the government key log databases... Username / password combinations should be easy to spot in a log of keystrokes.
*obvious to everyone NOT maintaining the government database anyway.
Not to worry, seems to me. The People Union for Civil Liberty are on the job.
We can leave the sanctity of our individual liberty to them to safeguard. Right?
Genius! Poor folks in India get surveilled, while the wealthy have a right to privacy.
Truly, a genius move to get this passed - "Don't worry, it's only the poor who we'll watch".
From what I remember reading in the 911 Report, the possibility of tapping was very forward in the minds of the plotters. For very important information the principals travelled to speak in person. Sometimes half way across the world.
Keylogging some random cyber cafe has nothing to do with global terrorism and everything to do with local politics.
There is this idea that more information results in better security. There is a hope that if only monitoring was just a bit better, the state could protect itself and the citizens better. But even East Germany, which had the most intrusive monitoring of the population ever, where at least 30% of the population was watching the other 70%, fell.
Targeted monitoring is effective. Generic monitoring generates noise, which has to be investigated, diverting resources from effective anti-terrorism.
We need a society that has more surveillance than East Germany's 30% watching the other 70%. We need 100% of the people watching 100% of themselves and taking responsibility for their own actions.
-consider the haystacks of data that will be produced by this surveillance, how many false positives it will generate and how much energy will be misdirected around screening and chasing ghosts
-think about the implication suggested above by mfh in which the data is inevitably compromised and you now have a single point for attackers to mine sensitive info of legitimate surfers
-to Bruce's mantra about "stop trying to secure the targets because the bad guys will just change the targets," consider that anyone with a laptop who knows how to spoof a MAC address and find an open wifi hotspot can sidestep this altogether
What a horribly-conceived plan. I guess it sounds reassuring to the public though - security theater continues...
'Vijay Mukhi, President of the Foundation for Information Security and Technology says, "The terrorists know that if they use machines at home, they can be caught."'
Just two links: http://tor.eff.org/index.html and http://mixminion.net/
Now the terrorist's home machine is invisible, so there's no need to tap all Cybercafes. Goodbye to Mr. Mukhi, President of the Clueless Foundation for Information Ignorance and Not-understood Technology.
Seems like it would be easily circumventable using a live OS, like Knoppix on a CD or USB key. You reboot the machine with the disk in the drive and voilà, no keylogger, no "virtual Khabris". I bet there are plenty of cafes that don't lock down their PCs.
Even simpler, how about surreptitiously plugging a personal laptop into a Cafe's ethernet port, after unplugging a PC?
Also, are there no wireless hotspots in Mumbai? If there are, how do those intrepid policemen keylog their users?
It must be nice to be battling terrorists who are too inept to get around this sort of treehouse-grade security.
Are our memories really this short?
The article begins:
> "The terrorists know that if they use
> machines at home, they can be
The article ends saying that wholesale surveillance is ok ...
> "As long as personal computers are
> not being monitored. If monitoring is
> restricted to public computers, it is
> in the interest of security,"
So terrorists know we are already monitoring their home PCs, so we have to monitor all public PCs too. This wholesale surveillance is ok as long as we don't monitor home PCs.
> "The question we need to ask
> ourselves is ... I do not think the
> above question needs an answer,"
> said Mukhi.
Why do we need to ask ourselves a question that does not need an answer?
> whether a breach of privacy is more
> important or the security of the nation.
What if your nation is founded on the ideals of individual human rights? I'd say the privacy of the citizens is itself a national security concern.
How exactly does taking a series of screen shots and logging keystrokes identify the user?
Why not just require photo ID be checked and kept by the cybercafe proprietors (if it isn't already) so they can correlate logs to IPs to the cybercafe customer log book? And maybe a mandatory webcam pointed at the user's face? Somewhat draconian, but at least it would solve the problem he's claiming they're trying to solve with the screen shots and keylogging...
IMO the claim he's making is a red herring. The real issue is that they want endpoint surveillance to get around transport encryption. If the bad guys are using crypto and are communicating on a server outside of their jurisdiction, they're pretty much out of luck as far as wiretapping or demanding logs in a timely manner is concerned. If they have a bunch of keylogger data coming in, that's no harder to examine than all the packet traffic coming from those same sources (i.e. proactively wiretapping a specific endpoint via packet sniffer).
Of course I agree that this would be a very tempting target for plain old cyber criminals, including insiders.
@Carlos: the Knoppix idea would work if their PCs were insecure. The laptop idea wouldn't. Most of the newer Intel CPUs have identifiers (similar to the old "Clipper chip" idea) built in, they started doing that with the Pentium III. Even if the laptop doesn't happen to have one of those they can also track activity by MAC address.
Which means that they'll find ways to encypher their messages so they can use the public machines to send them....
"The question we need to ask ourselves is whether a breach of privacy is more important or the security of the nation. I do not think the above question needs an answer," said Mukhi.
Oh it needs an answer all right. The answer it needs -- and has -- is: the breach of privacy IS more important. To protect the lives of the 0.001% of a nation that might be the worst case number of victims of a terrorist attack, let's abolish the rights of all. Is this the tradeoff a nation wishes to make? Put in starkly quantitative terms like that, it is probably not. But run around screeching "Terror! Terror!" and you can implement whatever fascist crap you like, neh?
Note the acronym of the front org: FIST. Yep, the Indian polity has been FISTed alright. Join the club, along with some pretty good company of previously Enlightened nations... the UK, the USA, etc.
This is just to reinforce the paranoia of the terrorists so that they take real life actions that make them easier to identify.
One of those tricky, tough to come up with the best solution, problems. There are a few points that may (or may not) be worth considering.
* First, there should be a distinction between privacy and anonymity. If we don't like it, then "talk" to the people misusing public computers.
* Second, people should not assume absolute privacy when doing something in public. I wouldn't talk on the phone in a cafe and expect no one to hear, or use a computer and expect no one to see.
* Third, there could perhaps be a happy medium. Similar to how your license plates can be seen, but there is another step in play to identify the person the plates are registered to. This gives one level of privacy and anonymity--but hardly protects one's actions behind the wheel from being observed by others. Perhaps there could be a balance between viewing what is done on the machines, and identifying who did them. Basically, if activities on a machine are reviewed and give just cause, a warrant or procedure could be implemented to obtain the identity of the person doing it. Something that could balance privacy with detection.
* Fourth, if activities are deemed harmless, they must be purged timely to protect privacy.
Finally, the users should be notified that limited monitoring to detect illegal activity may be performed. Further, there should be clear documentation on what will not be retained, and how users can take legal action if the protocols are misused or abused.
Perhaps not the best ideas, but a start. I would hate for a casual conversation via email that someone sent from a library computer be used against them months later in a lawsuit (we all say out of context things we don't want released), however, I would also hate for terrorists acts to be orchestrated from that same library PC (in public) with no way to piece it together.
It's all about trade offs and the right balance.
While the social and political implications are unpleasant, the practical impact of this isn't that high. After all, nobody in their right mind trusts that a public-access computer will be free of logging malware, do they?
Vijay Mukhi, President of the [[lavishly government funded]] Foundation for Information Security and [[Security]] Technology
Here's the real reason: revenue.
According to the article: "All cyber cafes in the city will now need a police license to keep their business going. All cafes need to register at the police headquarters and provide details on the number of computers installed, type of computers and technical details like the IP address of each machine."
You have to remember that there isn't a well established concept of privacy in India.
Terrorists have already demonstrated that they can use the Internet in such a way as to not get caught or compromised. This came out I think more than a year ago.
The way it works is everybody in the cell knows the password to log into email@example.com, which was opened by an operative using a fictitious identity, and is thus traceable to no one. Once logged in, each opens the mail service, deletes all the spam built up, and views and then edits one of the drafts of a message which will never be sent. It contains the secret message, hidden by steganographic methods.
Anybody (or any thing) watching traffic might notice this Klem guy sure travels a lot -- Cairo, Tripoli, Rome, Ulm, and Montevideo all in the same week -- but he never sends mail to anyone, and so falls out through the cracks in the filtering mechanism.
Also, once you've seen steganography wonderfully conceal a file inside a JPEG image, you'll know it would be simple to have a central repository of messages where people can post pictures -- kittens doing silly things, or shots of purported UFOs -- so that the knowledgeable can post messages and read those of others by uploading and downloading the correct files.
Imagine the size of a file that could be hiding inside of a video posted on YouTube.
Our newest, German terrorist plot deals about that kind of messaging - they just forgot the steganographic part.
Of course by editing a draft the mail is sent between client and server, and meanwhile passing filters, or available on the server.
They didn't raise suspicion by using that method - they were already observed.
But steganography doesn't seem to be a good defense in my opinion.
You need either programming skills in your terror cell, or a third party tool.
A public tool is public - therefore no choice.
So you need to build something yourself.
This tool has to integrate somehow into browsers, mail-clients, ... - you have to spread this tool and keep it up to date. Its usage might be too complicated.
Some terrorists seem to be more clever, and some are less clever, but more terrorists are less clever.
Watching out for frequently changed drafts which aren't sent ever will be the easiest job.
Governments seem to live by the old nursery rhyme: "When in danger or in doubt, run in circles, scream, and shout."
"The question that we need to ask... I do not think needs an answer."
In the place where I live in Bangalore, there are three cyber cafes within 25 metres, on ONE road. And this is not in a business area but in a residential area. I doubt very much if this "brilliant" idea will affect these kinds of places.
Also, in India implementation isn't exactly easy. A year or so ago, the government decided to implement a plan to verify the identity of people using cyber cafes. I am not sure if this is being implemented strictly, if at all.
Having said all this, I'm still baffled at the comment of Mr. Mukhi. He really needs a daily dose of Schneier on Security. :-)
Another priceless gem from Mr Mukhi, ban email attachments...
Even if we leave this joker aside, there are other, more serious programs in India, that are even more seriously attempting to make information that should be private public and subject to abuse.
Case in point the so-called National Skills Registry, which is to be used to store data of all employed/ employable IT professionals, perform background checks and provide validation services to companies that wish to hire someone. A useful idea given the no of fake CVs floating in India right now, with one problem. They wish to also record an individual's fingerprints. How this is necessary or useful is completely beyond me.
I have already mentioned some tricks a few days ago that will make their stupid surveillance idea useless. You can check my post here
They need to grow up, I have just mentioned a few points however there are lots of ways to bypass all this crap and I really don't want to write more because that also gives pointers to the wrong doers.
Indian newspaper readers have been suffering the inane, pompous and often absurd pronouncements of self-important Vijay Mukhi for well over a decade.
"Another priceless gem from Mr Mukhi, ban email attachments..."
cat stego_image | uuencode
I can't see this doing anything useful in terms of general surveillance. The police aren't going to look at this data unless they already suspect someone. There would be just too much of it being generated. What this might do is let them tap a specific computer if they are already following someone and have them under observation. In that case though, this is more like a conventional wire tap, but without a warrant and with the bugs already in place.
The police don't really need to understand the messages to get useful information. It would be informative to know things like suspect 'A' in Delhi sent an e-mail to unknown person 'B' in Mumbai. Person 'B' in Mumbai likely often picks up their e-mail at the same cyber-cafe (there will be only so many in the area). The police then just stake out that cafe and wait to see who logs in to that account. The same thing would work if you have multiple people logging in to the same account.
It's easy to think of ways to defeat this monitoring though, provided the servers being used are out of the country. 'A' sends an e-mail to account 'x' which automatically forwards it to account 'y' which forwards it to 'B'. The police see 'A' to 'x' and 'y' to 'B', but they never see 'x' to 'y' (which are out of the country) and so can't connect 'A' to 'B'.
The police could try matching the signatures of entire e-mails to look for matches, but again that can be defeated if you somehow automatically alter the message.
The question becomes one of whether the police can keep ahead of the persons they are trying to observe. You might think that the average "terrorist" or other malcontent is not very sophisticated. With the growth of the IT industry in India (and elsewhere) however, the talent will be there to draw on. You don't need to have all the members of an organisation be savvy about these things. You just need one person (e.g. a disaffected or unemployed university student) to write a handbook on communications security and then train your people on the proper procedures.
It is true that in the end, the police could simply pick up 'A' (who they already suspected for other reasons) and beat a confession out of him with a rubber hose. However, the point is that the simplistic automatic surveillance system is easily defeated by taking some fairly simple precautions.
P.S. My experience has been that these public computers are already loaded with key loggers and every other type of malware imaginable, all battling with each other for control of the computer. If the police want to install their own on top of all that, well good luck trying to maintain them.
Regarding MAC address, many network card chipsets allow it to be specified in software. Just write six bytes to the right registers of the chip. Concrete details are available in e.g. Linux network card driver sources, and in the datasheets of the chips. See e.g. the datasheet for RTL8139C for details.
There are of course more potential identifiers, on the software level. The browser type, cookies, many many other things. But each one can be faked or omitted, if the operator is aware.
Terrorists sometimes discuss in the street. We need policemen listening to everything people say in the street.
Hell, if terrorists are using a shared account, I wouldn't leave my message in an unsent draft, I'd have it encrypted as part of spam. Spam is the background noise of the digital world, everyone gets it, counts on their filter to screen it. All you have to do is see 'generik presc1pti0n v1@gra' and you won't even bother opening the message.
If you can plug in USB devices, we can plug in a non-standard mapping keyboard directly or via bluetooth. Using TOR, Firefox, Truecrypt on a memory stick leaves no traces on the machine, so screen shots are the limitation.
More likely tho, the keylogger will be the same from machine to machine, and one smart terrorist will develop a tool to disable or redirect. Then the government will be sorting through tons of useless data while the few possible nuggets have been removed from the datastream...what a great waste of terrorist hunting resources!
haha... it's not at all crazy... Probably cops will just terrorize the cyber cafe owners in to paying up in the name of compliance.
India has not faced up to real terrorists who 'own' her borders. Now, cops want to handle the internet traffic for possible terrorism related messages.
Yawn! I need a cuppa now.
Thomas Jefferson once said, "Those who choose security over liberty deserve neither", or words to that effect.
That being said, I don't see why anyone using a public computer would have the impression that anything they were doing was private.
> Thomas Jefferson once said, "Those
> who choose security over liberty
> deserve neither", or words to that
Me Myself once said "people misattributing their paraphrased quotations deserve to be bowdlerized."
Future News: Security, Conservation, and Economics:
Confluence of Green & Counter-Terrorist Regulations and Municipal Revenue.
(Do Wasters Serve Terrorists?)
10% cost savings expected!
Vijay Mukkhi, renowned for anti-terrorist security from India, retained to consult by the Homeland Security Department, has borne fruit at last, after a hundred fifty billion dollar study:
"It has long been noted in evidence that terrorists frequently take documents that are published and annotate observations, spark plans, and process their thinking by writing notes in margins.
And, what are margins? Wasted paper.
Today, your City has announced regulations to enforce the new HSD regulations ordering the reduction of all printed margins to near imperceptibility:
All computer printers and stock printers are subject to this HS decree.
All newspapers are now shut down until they re-tool to the Zero-Margin Standard:
No documents may have whitespace, but wait until each page fills before texts print.
Copyright protection is suspended for any margined documents."
"After all, they are marginal," said an ICE Expanded Enforcement Spokesperson.
Vijay Mukkhi went on to say that, "Any government employee may issue Violators C-5-14-19-15-18-5-d citations.
Violators must then fill out and file triplicate fifteen page responses and make penalty hearing appearances before the local municipal courts, the local state conservation agency, the Federal EPA, and the Homeland Security Department.
Any Failure to appear will result in that person named being added to the HSD No-Fly List.
Unauthorized copying or pseudonym use are considered non-issues, as false identity is a crime."
When asked about Constitutional concerns, Vijay responded that, "I am neither an American citizen, nor resident, and my work has been approved by my cousin, in the Office of the Counsel of the President, so the Constitution neither applies to me, nor restricts my directions to Law Enforcement Agencies."
To What's next?, Vijay replied, "Text on the Internet and cell phone text messages as well as web pages must be subjected to these same uniform standards. Then, we can finally arrest anyone who is out of uniform standards for a crime."
All the above people does not understand security at all.
If my ideas on security are implemented, the world will become heaven.
One has to think out of a box.
Bank of India has not consulted me. See what happened.
I had a big respect for Bruce. What happened to him. Does he understand - what he is circulating? Has Bruce gone out-of-mind ?
Apart from privacy, legal and self-publicity issues, consider following -
1. Who stops hackers / terrorists of taking backup (copy) the keylogger log
itself, to hack and blackmail the previous users.
2. Temporarily all keyloggers can be deactivated for some time using
utilities like proexp or Antispyware (AVG does it). So, when a seasoned
terrorist / hacker use a cyber cafe, he/she can deactivate all known spyware / keyloggers during usage.
3. Seasoned terrorist / hacker can over-write keylogger log files with its
own file, implicating even President of India in the overwritten log.
4. A seasoned user can even fool keylogger by typing in reverse.
5. clicking on icons does not record in keyloggers. A seasoned terrorist
will use a predefined copy-paste method. He/She can even copy each and every single character to make a sentence without trace.
Some people use hare-brain schemes, without knowing the intricacies of IT
Security (Technology and Management), for self-publicity. Many people
laughed on the suggestion by some so-called security-agencies / persons(s)
suggestion to ban e-mail attachments, somewhere in March 2007.
This move will be mostly ineffective and will allow the cops in India, who are notoriously corrupt, to extort more money from cybercafe owners due to this silly plan being implemented. I always tell my friends, if you ever want to disappear, go to India. 90% of the transactions are done in cash to avoid paying taxes...heck back in 1997, the Indian Government had a Voluntary Disclosure of Income Scheme (the famous VDIS). If you have "black" money, e.g. undeclared, non-taxed income from any source, you could show up to your local county office and declare the money, pay a flat tax of something like 30%, and then your money could become "white", which would be legal and you could use it for anything, no questions asked by the Income Tax guys. Well this plan netted the government Rs.33000 crores (330 billion Rupees), which is 8.09 billion U.S. dollars. If the government can't enforce tax laws properly and collect the monies fairly due to them, how do you expect them to enforce this cybersitting plan?
Some discussions on India-InfoSec@yahoogroups.com forum -
There has been no confirmation or denial from Mumbai Police about this news. I have checked with one (only one - the sample size is small) Cyber cafe in my area (I am based in Mumbai) and the owner says that he knows nothing about it.
Since, this is a state government assignment, there has to be a tender. I follow the tenders seriously. I have not come across any tender. I can not rule out that it could have slipped my sight but some of my friends would have told me so.
The original Mid-day news dated 29 August does not refer any Mumbai Police officer by name or designation.
Thus, I am not sure whether the news is correct and authentic. Can someone responsible in Mumbai Police confirm the same OR can some other responsible agency like NASSCOM can check with Mumbai Police and confirm the same.
Further, one can check the veracity of news and tender using RTI.
This raises following question -
If the news is correct -
Why it is announced by Mr. Mukhi? Who mandated / authorised Mr. Mukhi to announce this news and in which capacity?
What relation / position Mr. Mukhi has with Mumbai Police?
Was it a confidential news (It should have been as the terrorist will first make anti-dote of it) and leaked by Mr. Mukhi?
If so, how Mr. Mukhi came to know of this confidential news?
If this was not confidential, why a senior responsible police officer has not announced the same?
If the news is correct and there was no tender, how and why a specific company chosen.
If the news is incorrect -
What action will be taken against Mr. Mukhi and FIST?
Why he has done it?
Why the media so gullible?
It is a serious matter, playing with the life of people.
The news item says that those cyber cafes, which do not meet the norms, will be fined under Bombay Police Act. Does Bombay Police Act (of 1951 vintage) provide installation of keyloggers in Cyber cafes? (In the context of the news, I believe "the norm" means - installation of keyloggers.) Cyber cafes are governed by Cyber Café Licensing Rules. I have not seen this in these rules also.
Can some one enlighten?
From: India-InfoSec@yahoogroups.com [mailto:India-InfoSec@yahoogroups.com]On Sent: Saturday, September 08, 2007 2:09 PM
Subject: [India-InfoSec] Scary presentations,Mumbai Police hare brained ideas and other stories...
The police chiefs need to see the presentation to know what they are up against. Then they should be made provide answers to an ethical and legal committee. ( but can somebody first gag VM and send him to kala pani)
1. How do they expect to present evidence collected in a court of law. This is as much a criminal act as tapping someone's cellphone.
2. These idiots are going to wire all the cybercafes to nab criminals, so what about the cafe owner who will also be privy to data. Or maybe people will stop going to the cybercafe. And then the owner will have a red and green zone. The green zone, obviously, being behind the curtain and you pay an extra few rupees per hour.
3. So will every installation come with a security guard ?
4. What about the infringement of privacy of the citizen ? I believe that the cops and the vendor are assuming every one surfing th in a cyber cafe has a criminal intent, so does that give them the right to spy on the person's password and accounts and collect any information without a legal order.
So much more to say on this.... and the total lack of consideration of the rights of citizens by the authorities. Can't they understand that the threat is not coming on a 'thela' but may already be in their system and that the people who are devising them are much more intelligent than them. And surely while they are looking at every innocent citizen the criminal is having a nice time and will walk away from the destruction which is his agenda, and then there will be committees and inquiry commissions.
Another one from India-InfoSec@yahoogroups.com
Sent: Friday, September 07, 2007 4:32 PM
>Subject: Re: [India-InfoSec] Schneier on
> It's not feasible.
>The conversations/ mails will always be coded. They'll talk in their lingo.
>And we don't have that many people who can go
>through millions of transcripts everyday, analyse
>them, even try to break codes.. it's just not possible.
>Rather a huge data bank of all the suspected
>mail ids, sites and servers available with all
>the int agencies and police should be made. There
>should be a system evolved where all the mails
>and transmission to such servers, sites or mail accounts can be tracked.
>If we have a thousand mail accounts, and in a day
>we get even one mail on any one of them.
>And further access into the new account is made. We'll have few more contacts.
>But we won't be beating around the bush.
>The progress will be in a certain direction and
>sooner or later it will yield result. As they WILL drop a hint or do a mistake.
>Monitoring Cyber cafes is fooling ourselves. It's
>over reacting, without any logical thought.
>More than anything, do we have that kind of
>manpower that can analyse such huge data.
>Forces and agencies are already over worked. And
>you cannot leave it to computers, as computers
>can only pick up key words (which no one uses),
>and cannot analyse the hidden meaning or subtle hints in the conversation.
Another one from India-InfoSec@yahoogroups.com
Sent: Friday, September 07, 2007 3:21 PM
Subject: RE: [India-InfoSec] Schneier on Security: Police to Monitor Indian Cyber-Cafes
Can some kind soul put a stop to this PR
disaster, at their earliest convenience? And
possibly gag Vijay Mukhi while they are at it?
A couple of points spring to mind here.
1. As, thanks to this press release and the
other forms of publicity about this initiative,
it is widely known that keyloggers are being
installed on Bombay cybercafés, the criminals
are likely to go to (say) pune – or use gprs
from stolen / untraceable cellphones etc rather than use cybercafés.
2. Has anybody got evidence that there was a
tender for this, and before that a feasibility
study or some other way to avoid wasting public money on such projects?
Date: Fri, 31 Aug 2007 00:36:43
Subject: Re: [India-InfoSec] Bombay police want to install keyloggers in
Can you tell me something is it legal to put keyloggers on all cyber cafes?
- Terrorists are known to get ration cards, ID proof and address proof, what happens if they get an Airtel or Reliance and operate from their laptops? In that case keylogger won't work?
- Even if police are doing this, don't they have to take permission from court to do this? What is the legal point on this. I know sniffing in terms of national security at ISP could be legal? What about keylogger.
- as you said, the keylogger can be taken out of one machine, debugged
and reverse engineered and all logs can be patched to send to a different
email ids. they can get controlled by the criminals or other bad guys.
- Even if these guys are going to do it, why will Mr. Vijay Mukhi or whoever announce this, for publicity. Won't terrorists read this and stop using cyber cafe? Are these people interested in national security or publicity? I think number one, the company name should not have come in press and not the people involved. It looks like a publicity campaign in name of national security.
----- Original Message -----
Subject: [India-InfoSec] Bombay police want to install keyloggers in
Date: Thu, 30 Aug 2007 04:38:07 -0700
1. This M/s Micro Technologies has managed to gull the bombay police into purchasing this .. Any previous track record etc? Or do they install keyloggers without even some audit of what those do, how secure these are against being hijacked by a virus / botnet to funnel all those keystrokes to a criminal?
2. Where does the bombay police have the staff to actually monitor the net 24x7?
The article has supportive quotes from Vijay Mukhi, which kind of underscores how very impractical and silly the idea is.
Finally, a good reason for Vista's DRM (only kidding, don't get excited)! They lock down drivers and insist new video cards do everything "sooper sekrit" (indeed, it's security by obscurity here, and ATI and others aren't too happy about it as it costs money) so that it becomes very difficult to do a screen scrape...or audio scrape and so on.
Trying to kill that analog hole is probably futile, or at least will take years for all the older machines to go away, but this is sort of interesting.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.