Federal Agents Using Spyware

U.S. drug enforcement agents use key loggers to bypass both PGP and Hushmail encryption:

An agent with the Drug Enforcement Administration persuaded a federal judge to authorize him to sneak into an Escondido, Calif., office believed to be a front for manufacturing the drug MDMA, or Ecstasy. The DEA received permission to copy the hard drives’ contents and inject a keystroke logger into the computers.

That was necessary, according to DEA Agent Greg Coffey, because the suspects were using PGP and the encrypted Web e-mail service Hushmail.com. Coffey asserted that the DEA needed “real-time and meaningful access” to “monitor the keystrokes” for PGP and Hushmail passphrases.

And the FBI used spyware to monitor someone suspected of making bomb threats:

In an affidavit seeking a search warrant to use the software, filed last month in U.S. District Court in the Western District of Washington, FBI agent Norman Sanders describes the software as a “computer and internet protocol address verifier,” or CIPAV.

The full capabilities of the FBI’s “computer and internet protocol address verifier” are closely guarded secrets, but here’s some of the data the malware collects from a computer immediately after infiltrating it, according to a bureau affidavit acquired by Wired News.

  • IP address
  • MAC address of ethernet cards
  • A list of open TCP and UDP ports
  • A list of running programs
  • The operating system type, version and serial number
  • The default internet browser and version
  • The registered user of the operating system, and registered company name, if any
  • The current logged-in user name
  • The last visited URL

Once that data is gathered, the CIPAV begins secretly monitoring the computer’s internet use, logging every IP address to which the machine connects.

All that information is sent over the internet to an FBI computer in Virginia, likely located at the FBI’s technical laboratory in Quantico.

Sanders wrote that the spyware program gathers a wide range of information, including the computer’s IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer’s registered owner and registered company name; the current logged-in user name and the last-visited URL.

The CIPAV then settles into a silent “pen register” mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every computer to which the machine connects for up to 60 days.

Another article.

I’ve been saying this for a while: the easiest way to get at someone’s communications is not by intercepting it in transit, but by accessing it on the sender’s or recipient’s computers.

EDITED TO ADD (7/20): I should add that the police got a warrant in both cases. This is not a story about abuse of police power or surveillance without a warrant. This is a story about how the police conducts electronic surveillance, and how they bypass security technologies.

Tags: , , , , , , , , ,

Posted on July 20, 2007 at 6:52 AM44 Comments

Comments

Suspicious Type July 20, 2007 7:42 AM

Quote from first article link:

“… a rare peek into how some fed agents conduct digital investigations when a suspect uses encryption> First, break into the suspect’s home or workplace, then implant keystroke-logging software on their computer …”

One defence might be to boot their system off a USB key – which they keep on their person when not in their premises.

Ever since the Sony rootkit scandal, when it emerged that some anti-virus vendors did not treat Sony’s rootkit as a threat, I have always assumed that the police might have spyware that is not detected by anti-virus software.

Perhaps the evil doers need some professional assistance with their security? More busines for counterpane Bruce? (tongue in cheek)

C Gomez July 20, 2007 8:07 AM

So what, they got a warrant in the first case and were applying for one in the second. I sure like that a lot better than the myriad of warrantless exceptions. Heck, CIPAV even seems to have a hard upper time limit, probably to comply with such warrants. Pretty sure most spyware doesn’t have time limits.

It’s an interesting story as use of technology in law enforcement. It’s a non story if we’re trying to proclaim abuse of power.

Terence Shelton July 20, 2007 8:09 AM

Anyone who wants security, for any reason, either is or should be using one of the bootable versions of Linux like Ubuntu or Knoppix. Further, they should be very careful of the origins of whichever version they choose. Checksums and such are ok, but for real security you need someone who can monitor the actual code.

Leave the Micro$oft windoze installed and let your kids use it, you can even use it for your ‘normal’ web surfing, but use a bootable Linux for privacy.

dhasenan July 20, 2007 8:12 AM

A better defense might be to use a laptop and keep it on your person at all times. Guards against local installation of keyloggers, hardware or software. Using a nonstandard OS helps, too — I doubt anyone’s developed malware for Haiku, for instance, and I doubt anyone at the FBI could quickly manufacture any that they could install remotely.

jmr July 20, 2007 8:15 AM

As much as I don’t particularly like surveilance, when accompanied by a warrant I don’t really have too much of an issue with it. Of course, I do desire that warrants be, as much as possible, limited to that which is necessary, but I’m not against the executive branch engaging in the legal interception of information with oversight from the judicial branch.

On the other hand, mandating that the gov’t be able to eavesdrop on all conversations with every communications medium in an out-of-the-box fashion is something else entirely. Also, should it turn out that the gov’t damaged something in its zeal to investigate an innocent, the gov’t should be held liable.

Bruce Schneier July 20, 2007 8:31 AM

“It’s an interesting story as use of technology in law enforcement. It’s a non story if we’re trying to proclaim abuse of power.”

Agreed. This is not a story about abuse of power. It’s a window into police tactics.

Hanno July 20, 2007 8:34 AM

There is a fiery discussion about this very topic going on in Germany right now. Search the German news and blogs for “Onlinedurchsuchung” or “Bundestrojaner”:

German police is asking for legal permission to use trojans for law enforcement.

It is illegal for the police right now and it would require a change of the Grundgesetz, Germany’s constitution. The police are speaking about “less than 20 cases” where they want to use this method, so critics feel very uneasy to allow this. It’s the /constitution/, after all.

Unlike other commented here, yes, there are major problems with abuse of power, even with a warrant. Judges do not understand how a trojan works or how to read the log. The person controlling the trojan can do all kinds of things with the suspect’s PC, including planting evidence and falsifying logs.

There has been a previous case where a technical expcert claims to have proof that German police planted evidence on the harddisk /after/ they seized the suspect’s PC (http://de.indymedia.org/2007/02/168561.shtml) although I cannot comment on the validity of that claim.

Hanno July 20, 2007 8:46 AM

I should add: The discussion is fiery because the interior minister is making all kinds of hardball suggestions to add “security”. These include, but are not limited to:

  • data retention for six month of all communication logs, mandatory for all companys offering communication (phone, cellphone, internet, voip): http://www.vorratsdatenspeicherung.de
  • the “federal trojan” (see previous comment)
  • additional surveillance cams
  • the use of the German army within Germany to support for German police

The interior minister has also been criticized for his “loud thinking” regarding a communications ban, detention and a “shoot to kill” policy for suspect terrorists.

http://www.nytimes.com/2007/07/11/world/europe/11cnd-security.html?ex=1341806400&en=63574ada108b2d9d&ei=5088&partner=rssnyt&emc=rss

Carlo Graziani July 20, 2007 9:17 AM

Sounds like a great opportunity for some entrepreneurially-minded geek: “Mobuntu”. For users whose security requirements are comparable to those of organized crime, a live Linux distribution on a 2GB USB key, featuring SELinux (the Irony!) configured for maximum paranoia, encrypted filesystems, partitions with steganographic support, GPG, shutdown scripts that erase all files written this session to attached external devices, firefox with NoScript built in and all other support for installing xpi plugins turned off…

The possibilities are endless. And the market for clinically paranoid software features some customers with serious money.

honeypot.honeypot AT gmail DoT Calm July 20, 2007 9:44 AM

I am sure they tempted the perp to open a free music file or neked photo of Paris or Britney, etc., in order to pass the software to his system. Easier with social engineering than with physical assault.

C Gomez July 20, 2007 10:10 AM

@Bruce:

So here’s an interesting question.

I don’t mind law enforcement with judicial oversight (as we’ve pretty much established here).

But let’s say we know what the police tactics are to get information from our own personal computers. Then let’s say we build defenses (doesn’t matter what they are) that are good enough to defeat the tactics.

What is an interesting discussion is what happens under the law now? This is akin to being served a search warrant for a locked filing cabinet, but before the police arrived, you hid the filing cabinet somewhere.

Is this obstruction of justice? It quite possibly is in the “physical world”, but on my computer?

“The defendant’s system was protected so as to make our loggers and spyware ineffective.”

I think a legal defense we’ll have to resort to, as a mythical defendant in this mythical case (which may have no merit), is that our counter spyware measures were not intended to keep the police out or to obstruct any particular investigation. They were instead instead to keep out all unknown intruders, no matter the source.

But then we roll back around to the beginning, which is… “Okay, then turn over the software data or be found in contempt (or guilty of obstruction)… as we have a valid search warrant here for that data.”

There’s a much larger issue here, and it’s whether we will be compelled legally to unlock our digital files either in a case against ourselves, or just as a witness in a case against a third party. It’s no different from being ordered to open a locked cabinet to get at the contents inside because they are material to the matter.

Sure, we can lock the key inside our heads, but we may find ourselves locked in a jail cell.

These are tough questions. As much as my kneejerk reaction is to say it’s wrong, few of us would think it wrong in the “physical world” example. The Constitution is not a suicide pact that protects criminals. It protects individual rights. But if a valid warrant is issued, everything in the warrant is fair game, isn’t it?

dmc July 20, 2007 10:19 AM

Bruce, even though it’s not a story about abuse of police power, how can the technology be separated from the pitfalls?

My concern is that the scope of a warrant is supposed to be narrowly prescribed, describing exactly what is to be collected. In a phone tap, for example, if the target is not participating in the phone call, law enforcement is not supposed to listen.
As I recall, they are not even supposed to listen if the phone topic is something other than the focus of the investigation.

Key logging opens up an extremely broad data scope, potentially involving individuals who may share a computer with the target, but are not supposed to be part of the investigation.

Wasn’t this one of the problems with Carnivore?

George July 20, 2007 10:32 AM

I should add that the police got a warrant in both cases. This is not a story about abuse of police power or surveillance without a warrant.

Which of course raises the question: Is this just the visible tip of a large iceberg? How often is this technology used without a warrant, all entirely legal under the Inherent Power of the Unitary Executive?

Hanno July 20, 2007 10:47 AM

C Gomez: Feds are using spyware because criminals are using strong encryption. This is part of an ongoing arms race.

What I find curious about this report is that they are touting a big success when it’s about a 15 year old student making bomb threats. Where are the grand fearsome terrorists and threats to our western society they are catching with this?

Brandioch Conner July 20, 2007 10:48 AM

@C Gomez
“There’s a much larger issue here, and it’s whether we will be compelled legally to unlock our digital files either in a case against ourselves, or just as a witness in a case against a third party. It’s no different from being ordered to open a locked cabinet to get at the contents inside because they are material to the matter.”

And? I’m not seeing the “larger issue”.

“The Constitution is not a suicide pact that protects criminals. It protects individual rights. But if a valid warrant is issued, everything in the warrant is fair game, isn’t it?”

Where does “suicide pact” come into this?

A warrant is a warrant.

“I think a legal defense we’ll have to resort to, as a mythical defendant in this mythical case (which may have no merit), is that our counter spyware measures were not intended to keep the police out or to obstruct any particular investigation. They were instead instead to keep out all unknown intruders, no matter the source.”

Which is why you are allowed to turn over the keys to the police when they have a valid warrant.

You may refuse to, but you will face the consequences of that decision.

Maybe you can make your point clearer if you skip the rhetoric?

derf July 20, 2007 11:01 AM

That’s the real problem, isn’t it? By using software that has snooping capabilities, the police have compromised any evidence gathered, since the trojan itself could be issuing the nefarious commands either programatically or at the direction of a corrupt investigator.

It raises several questions: If other malicious software is present, can the trojan detect other trojans issuing malicious commands or does it just attribute them to the computer’s owner? Can the trojan identify who is sitting at the computer? Does it record snapshots through the webcam of the individual at the keyboard, for example? Can investigators determine that their target computer is in fact the one they infected unless they physically introduce the trojan themselves?

Questions, questions, questions

Ford July 20, 2007 11:20 AM

TSA is now using the phrase “security theater” to describe some of their past activities (Star Tribune this morning)!

simongabriel July 20, 2007 11:51 AM

I would agree that this raises a concern as to exactly how much information they are gathering. Essentially it appears the warrant is realistically authorizing the gathering of “all” information, which then would be filtered out. And excuse my lack of trust here, but whenever information is intended to be ‘filtered out’ it ends up in a file somewhere, instead.

In much the same way, I’m not comfortable with the “breaking into the house” part of this either. While I’m for catching the bad guys and what not, it seems a little invasive to me.

Of course, breaking into their computer from online seems even more invasive to me, but shrug.

Taco Del Gato July 20, 2007 12:07 PM

Am I the only one thinking PKI? WTF happened to having an encrypted private key on portable storage? Sure get my passphrase, you still won’t be able to decrypt anything sent to me.

Maybe I need to see what this TPM thingy here does…

Hanno July 20, 2007 1:07 PM

One of the more curious arguments for spyware use by the police in Germany so far war:

A computer connected to the internet cannot considered to be private property, anymore, and therefore is free to be searched by the police.

Yay.

X the Unknown July 20, 2007 2:14 PM

“Okay, then turn over the software data or be found in contempt (or guilty of obstruction)… as we have a valid search warrant here for that data.”

So, if you’re using something like TrueCrypt with “hidden partitions”, you can turn over the innocent-looking stuff, and claim complete ignorance of anything else. It seems to me that this is one of the few “legitimate” arguments for XOR-based one-time pads. Each OTP consists of a bunch of “noise” packed onto a CD or DVD. Each time you create an encrypted file with a “real” OTP, you also create a “decoy” OTP that decrypts the file to something innocuous (this is a trivial exercise with XOR).

Keep the “decoy” OTP’s someplace obvious and easily-accessible. The “real” stuff should not be so obvious (but clearly, still needs to be accessible to be of any use). Maybe your “current” OTP is copied into a password-protected USP key. Hopefully the authorities will go away happy with the decoys – especially if you just hand them over in response to a warrant.

Philippe July 20, 2007 2:29 PM

Handing over your private key… What about the right to not incriminate yourself?

nedu July 20, 2007 3:06 PM

Be sure to carefully read footnote 2 (on p.2 / p.3 in PDF) of Norman B. Sanders’ affivdavit.

http://blog.wired.com/27bstroke6/files/timberline_affidavit.pdf

“In submitting this request, the Government respectfully does not concede that a reasonable expectation of privacy exists in the internet protocol address assigned by a network service provider or other provider to a specific user and used to address and route electronic communications to and from that user. Nor does the government concede that a reasonable expectation of privacy is abridged by the use of this communication technique, or that the use of this technique to collect a computer’s IP address, MAC address or other variables that are broadcast by the computer whenever it is connected to the internet, constitutes a search or seizure.”

To emphasize: “Nor does the government concede […] that the use of this technique […] constitutes a search or seizure.”

Iow, the government appears to be explicitly reserving its argument that it may use this technique—or similar techniques—without a warrant.

C Gomez July 20, 2007 3:33 PM

@Brandioch Conner:

No rhetoric, whatsoever. I just think it’s an interesting legal road. I’m not 100% sure these kinds of legal questions will ever be considered, however.

I don’t really feel the courts in the U.S. have shown competency on technological matters. But… combine that with what I believe the courts in the U.S. have done reasonably well, which is to use other legal grounds to decide technology cases. Grokster v. MGM is a good example where you can tell you have a clueless Court that still manages to draw parallels and come to a reasonable conclusion (reasonable enough for a first try at it, that is).

DBH July 20, 2007 3:42 PM

Good for them, they used existing law in a sensible way to provide surveillance of a suspect with judicial oversight. Wow, according to the Bush administration, the law hasn’t kept up with technology, yet it seems like it worked just fine here…

Stefan Wagner July 20, 2007 5:26 PM

@ Hanno, German situation:

“10 to 20 cases per year” to that clear.

Counterfeiting evidence can be done in many ways – it’s not specific to trojan horses.

Sam July 20, 2007 6:32 PM

@Terence Shelton

“Anyone who wants security, for any reason, either is or should be using one of the bootable versions of Linux like Ubuntu or Knoppix”

Only prevents using the harddrive as an attack vector, there are many other ways to easily log your keystrokes.

SumDumGuy July 20, 2007 6:39 PM

A couple of random points –

1) Alternative OSes like Haiku aren’t necessarily a sufficient countermeasure. A trojan that makes use of virtualization could conceivably monitor the keystrokes and network activity of any OS.

2) Nor is the use of separately maintained bootable media like a USB key able to provide strong protection. The trojan could be stored in the flash-ram of the motherboard or any add-ons that contains BIOS routines. I believe there has been at least one published academic paper already addressing this attack vector.

3) Anyone quoting the phrase “The Constitution is not a suicide pact” is engaging in rhetoric. Although they probably aren’t aware of the actual judicial implications of the phrase:
http://writ.news.findlaw.com/commentary/20030107_fletcher.html

Suspicious Type July 21, 2007 6:47 AM

@C Gomez

“There’s a much larger issue here, and it’s whether we will be compelled legally to unlock our digital files …”

“Sure, we can lock the key inside our heads, but we may find ourselves locked in a jail cell.”

I don’t know what the situation is in America, but in the UK there is already legal provision for jailing people who refuse to disclose encypted data to the police in the Regulation of Investigatory Powers Act (RIPA) part 3:

http://www.opsi.gov.uk/acts/acts2000/00023–e.htm#53

UK readers who want to know more about RIPA can find out more here:

http://www.opsi.gov.uk/acts/acts2000/20000023.htm#aofs

Clive Robinson July 21, 2007 8:42 AM

Is it just me or has anybody else picked up on the fact that a DEA Agent might well have lied to a Judge to get the warent?

“That was necessary, according to DEA Agent Greg Coffey, because the suspects were using PGP and the encrypted Web e-mail service Hushmail.com. Coffey asserted that the DEA needed “real-time and meaningful access” to “monitor the keystrokes” for PGP and Hushmail passphrases.”

For those not in the know Hushmail is not at all secure on your PC and due to the way it works within the avarage web browser quite offten the plain text of messages and all sorts of other goodies are available both in the web cache and the memory cache. The weaknes has been in semi public discussion for atleast the last six or seven years.

Also there are more than enough “known” backdoors into the commonly used browsers that would alow even a moderatly competent cracker to see the plain text of hushmail messages whilst the legitimate user was viewing them.

So no the DEA would not need to put in a keyboard or other logger for Hushmail, unless they where either very very incompetant or they planed to impersonate the legitimate user and that realy does open up a whole nasty can of worms…

Eoghan Casey alluded to how to attack hush mail in his 2002 paper,

http://dfrws.org/2002/papers/Papers/Eoghan_Casey.pdf

And there are more uptodate papers out there that give an overview of the mechanics involved with doing it.

For those that prefer to hold books on aircraft etc have a look in,

Secrets of Computer Espionage: Tactics and Countermeasures, by Joel McNamara ISBN: 0-7645-3710-5

It was published not long after Casey’s paper and gives an overview of how you might get at Hushmail data as an example of how better to protect yourself.

More information about the problem (of cleaning up) Hushmail data left on an MS OS machine can be found at,

http://www.deny.de/hosted/df/cleanup.htm

Oh and a page from Simson L. Garfinkel with some very usefull links for background reading is,

http://www.simson.net/ref/2005/csci_e-170/readinglist.php

and most of the rest of his site 8)

Jim July 21, 2007 9:53 AM

From the Wired story, “internet users have no “reasonable expectation of privacy” in the data when using the internet.” This makes no sense legally or logically. Every financial transaction carried out on the internet is based on internet users expectations of privacy.

“At U.S. Bancorp®, trust has always been the foundation of our relationship with customers. Because you trust us with your financial and personal information, we respect your privacy and take strong action to safeguard that information, including your online sessions. The U.S. Bancorp family of financial service providers pledges to protect your privacy online by adhering to the practices described below.”

“internet users have no “reasonable expectation of privacy”
It sounds like a kangaroo court opinion.
“That judge runs a kangaroo court–he tells rape victims they should have been more careful.”

Arturo Quirantes July 21, 2007 11:48 AM

It´s somewhat funny to hear that it happened in a place called Escondido (spanish for “hidden”). Security through psycology?

DigitalCommando July 22, 2007 1:36 PM

Keyloggers?, thats so yesterday.

AT&T engineer: NSA built secret rooms in our facilities
http://arstechnica.com/news.ars/post/20060412-6585.html

Electronic Frontier Foundation files suit against AT&T:
The lawsuit alleges that AT&T Corp. has opened its key telecommunications facilities and databases to direct access by the NSA and/or other government agencies, thereby disclosing to the government the contents of its customers’ communications as well as detailed communications records about millions of its customers, including the lawsuit’s class members.

The lawsuit also alleges that AT&T has given the government unfettered access to its over 300 terabyte “Daytona” database of caller information–one of the largest databases in the world. Moreover, by opening its network and databases to wholesale surveillance by the NSA, EFF alleges that AT&T has violated the privacy of its customers and the people they call and email, as well as broken longstanding communications privacy laws.

Why AT&T? Because they are now the largest telecom firm in America. The EFF’s complaint points out that the company handles more than 300 million voice calls each day, passes more than 4,600 TB of data along its backbone, and carries 18 billion minutes of of international calls each year. They are also the largest DSL provider in the US, meaning that without their cooperation, the NSA would have significantly less data to work with. A successful case against the company would probably convince other firms to stop aiding the NSA, if for no other reason than to avoid class-action lawsuits and massive fines.

For more on EFF’s case against AT&T:
http://www.eff.org/legal/cases/att/

maybe, maybe not July 22, 2007 6:22 PM

I would like to interject a couple of new thoughts into this discussion and, well, I’m not really sure why. Maybe I’ll figure it out by the time I’m done.

“The Constitution is not a suicide pact….” Maybe, maybe not. The Constitution is whatever the “ultimate authority” of our Federal Government says it is. Traditionally, this has been thought of as the Supreme Court. But, if a demagogue President can appoint subservient Supreme Court Judges and a subservient Congress goes along, the Constitution, in whole or in part, can be reinterpreted. Why could not, in the name of fighting terrorism, the add-on after thought to our Constitution that we refer to as the “Bill of Rights” be suspended? The Supreme Court can easily justify this by the aforesaid argument. (I.e. It was not there to begin with, so we are merely being faithful to the Founding Father’s original vision.) Now I would consider the US as we imagine it pretty much dead if that were to come to pass. Wouldn’t you?

Our Government has the power to do whatever it wants. It is the abuse of this power that I am concerned about. So, it seems to me that any discussion about security should really address two issues. 1, How can we assure that we always have an informed electorate that cannot be misled into wars or giving up our civil rights by a dishonest demagogue? 2, Given that we are almost there now, what measures could a group of freedom loving citizens take to protect their plans and communications to restore democracy from being discovered by a Federal Government that has suspended elections (Lincoln could suspend elections during the Civil Way because the military wanted it? Wow! See material at SumDumGuy’s Findlaw link), the Bill of Rights and reasserted the Sedition Laws?

tomk July 22, 2007 7:52 PM

Any police actions on behalf of the miserable war on drugs especially by the DEA are abusive. Warrant or no.

Nostromo July 23, 2007 5:01 AM

I’m inclined to agree with tomk. Warrants are not really much of a safeguard; most law-enforcement organizations know which judges will always go along with a warrant request. Warrants would be more of a safeguard if police did not have any choice about which judge to apply to for a warrant.

simon_c July 23, 2007 7:12 AM

So, how long before the IPs of the collector machines are known and blocked at the target’s router ?

rmuser July 26, 2007 1:10 AM

“The CIPAV then settles into a silent “pen register” mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every computer to which the machine connects for up to 60 days.”

I’d imagine opening BitTorrent and running some extremely popular torrents would flood this to the point of uselessness.

SpiedUpon January 9, 2008 12:50 PM

It is at Quantico, someone screwed up the other day (or I stumbled upon a great Wireshark setting), allowing me to log a Quantico I.P.. This is, fyi, after I disabled my modem, unplugged my ethernet cable, and uninstalled my wireless software. Didn’t matter. Interestingly, I found the log after I tried to get back online after a short time away and could not, yet did not get the usual error messages. So not only am I being spied upon, my right to free speech and association is being interfered with. It was even worse on my now-deceased, Microsoft XP virus infestedToshiba. At one point, graphics to the contrary, I don’t believe I was getting online at all. I interrupted a shutdown and happened upon a message that had the words ‘fake internet’ in it. Hm….Lawsuit. Yes, I’m definitely feeling litigious here.

mothers day greetings April 27, 2014 1:14 AM

Fantastic internet site. Lots of useful information here. I’m giving the idea to 3 good friends ans additionally sharing around scrumptious. Of course, thank you in your hard work!

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.