On Sun, Jul 09, 2006 at 10:23:15PM +0200, Joachim Schipper wrote: > Because if it's eventually read by a human, a human that bothered to bug > your keyboard in the first place, it can be easily decoded.
Of course. That's not my point of doing this though, as I had tried to explain. Just because it seems senseless to do doesn't mean that it hasn't a purpose. When someone smuggles a bugged USB device into somewhere they heighten their odds of getting caught if they have to come back to pick up the data that's been recorded. If they can just go in once and have the device remotely update them, they will prefer that. Even then if the device is inside shielded surroundings a radio signal is not guaranteed to make it out. A vendor in the United Arab Emirates cannot get his hopes up that he'll be able to retrieve a bugged device when it's sold to a foreigner. So that leaves devices that are rather passive like a timebomb that explodes only at a certain altitude is detected or a landmine that detects the mass of a heavy vehicle. And the programming of these devices better rot13 every character typed 25 times in order to find keywords. If they don't, and this is what I'm hoping on, there is a hole and the function of possible easter-eggs has been bypassed (surely after this post someone will change the programming of such things, but my devices bought before are safe). Also the way most corporations work is they only do the basic functionality "as needed", if no USB keyboard rot13's their keys they won't see a need to check for such input (again until now). > > Perhaps a keyboard that uses light instead of electrical signals is an > > overall better solution? Aren't laser emitting diodes fairly cheap today > > and the price of roughly 4 meters of fibre-optic cable should be acceptable > > for a keyboard right? Until then, USB keyboards encrypting would be better > > right? How much are you willing to spend for a secure keyboard anyhow? How > > much are people spending for "wireless" keyboards? > > Light-conducting cables are apparently harder to tap than electrical, > but they certainly can be tapped by one of the big TLAs. Of course. > As to secure keyboard prices, I wouldn't bother buying one, even if it > was no more expensive than a regular keyboard - none of my hard drives > are encrypted, so an encrypted keyboard is nonsense. > > Oh, your hard drives *are* encrypted, no? Otherwise, this discussion > would be quite pointless. Not exactly. If a neighbour has a parabolic antenna pointed at my computers location in hopes that they'll pick up any electro-magnetic radiation that escaped the weak-shielded USB cable, and they can reconstruct the keys typed, then there is point for concern as the security has been breached and it's been breached without physical access. If the USB keyboard did encrypt which is the point of this discussion then they have to throw computing power at cracking the keys first which makes their purpose more expensive. Also I was more concerned about _other_ USB devices being dogged bastards on the USB bus initially. > No amount of painting over holes will ever make something secure. (See > Internet Explorer for a fine example...) > > Joachim Perhaps. What exactly do you think OpenBSD has been doing for 10+ years? First it was strcat/strcpy -> strlcat/strlcpy, next it was W^X, and after that mmap()'ed malloc() with stackgap to protect the heap. Seems to me it was a process over time, to get us to where we are now. Was it not painting over holes? Nobody re-designed the entire system new. Am I wrong? If anyone can find USB keyboards that do encryption over the USB bus, please share the URL. regards, -peter -- Here my ticker tape .signature #### My name is Peter Philipp #### lynx -dump "http://en.wikipedia.org/w/index.php?title=Pufferfish&oldid=20768394"; | sed -n 131,136p #### So long and thanks for all the fish!!!
