Date: 15 Dec 92 15:11:24
From: Louis Giliberto
Subject: File 6--Response to CERT advisory (Re: CuD 4.65)

In CuD #4.65 this CERT advisory appeared:

> CA-92:19                  CERT Advisory
>                           December 7, 1992
>                           Keystroke Logging Banner

There are several issues that need to be considered before implementing a
system such as this, the last of which should be defensibility. Killing in
self-defense is defensible, but there are other considerations involved.
The point? Just because someone *can* do something does not mean someone
*should* do something.

Who should/could be monitored?
+++++++++++++++

This advisory seems to give free license to the system administrator to
monitor as he/she sees fit. What if you own a company, and your
administrator logs and monitors all activity as outlined? Then he leaves
your company and joins your competitor. He has read over every piece of
information typed into your system. Obviously this causes problems if the
computer is used for proprietary information.

However, let us assume the administrator can be trusted. Who does he decide
to log? The fairest way would be to log everyone. However, this is near
impossible since the resources required would be overwhelming. More
resources would be spent on logging than on computation.

One might suggest that he log only those accounts that have had illegal
logon attempts or suspicious activity. But this brings up two points:

1) If the logs are catching the activity, is keystroke monitoring needed to
   secure the system?

2) In the cases where keystroke monitoring would be most effective (i.e.,
   determining the method of intrusion) the logs are most likely doctored
   in some way, so the determination of which account to monitor could not
   even be made.

Therefore the most effective use of keystroke logging would be 1) monitor
those accounts with suspicious activity and 2) monitor at random. In this
manner, illegal entries not caught in the logs or other security measures
may be picked up in the keystroke loggings.
But this brings up even more questions:

What type of notification should there be?
+++++++++++++++++++++

Is the banner enough? Is more notification needed?

Way back when, it was determined system administrators should give notice
(in the form of a banner or some such publicly visible medium) that e-mail
and files are not secure on the system and are open to incidental
inspection by the system administrator in the course of system
maintenance. Most people expect this and trust the system administrator
enough to feel that he is not reading their mail for kicks. The banner is
enough of a notification in this instance since monitoring does not take
place in real-time. Unlike monitoring on the phone system where it happens
as the voice is transmitted, e-mail and file monitoring takes place often
when the user is not on so that instant notification is not possible (or
even warranted in most cases when it happens in the course of system
maintenance).

Keystroke logging differs in that it takes place in real-time while the
user is logged on. Is a banner enough notification? I would argue no.
While using the phone system, if an operator comes into your call, his/her
presence is announced with several tones and the name of the company. The
law requires that any taping of conversations be accompanied by a tone
every so often of a specific duration. The logging of keystrokes is the
same type of monitoring, and should be subject to the same requirements.
The user should be notified in real-time that he is being monitored in
real-time. Any type of monitoring without such a warning is usually called
"wiretapping," and such monitoring is illegal except by law enforcement
agencies with a court order allowing the event after cause is shown.

Many people would contend: "But this is a privately owned system, not a
public utility." Yes, but there is reasonable expectation of privacy
allowed even in the workplace.
I'm too lazy to look up the court cases (and I'm not a lawyer, so I don't
care either), but there are multiple instances where searches of employee
desks and lockers and the like were determined to be a violation of
privacy rights. A company could clearly not monitor the voice
transmissions of an employee's telephone but could log the number he
called. In the same way, a system administrator could log login attempts,
but should not be given free license to monitor the actual keystrokes. It
violates the reasonable rights of the employee. Even high school students
are given reasonable rights in the expectation of privacy of the contents
of their lockers and person. Well, unless you went to Catholic high school
like I did + never tell a Jesuit he can't do something (unless you like
corporal punishment).

Extensions of keystroke monitoring
+++++++++++++++++

Given the fact that keystrokes are passed over the internet in the form of
IP packets generated by telnet (and other comparable applications), does
this allow keystroke monitoring at a remote site? In other words, can
routing centers sniff packets at will if they inform the other sites they
are going to? According to the interpretation given by the justice
department, yes, they can. They can monitor keystrokes. The argument would
be there is a reasonable expectation for keystrokes to appear in an IP
packet, so all of them are open to examination if a banner is presented or
prior notification given.

Does apple.com want ibm.com to monitor its packets? Nope. Does a prof at
Purdue want a prof at Champaign to monitor his? Nope. However, if a packet
goes through someone's machine (possible since many machines are used for
gatewaying and routing) he could argue that he had the right to sniff it.

Can pay services monitor your keystrokes legally? Say CompuServe or
America Online or Prodigy or another fine reputable service put this
measure in place.
These services are comparable to a public service such as a bookstore
(which was proven in litigation with CompuServe) or a phone company. Don't
they then have the responsibility to respect the privacy of the customers?
If you walk into K-Mart they can't strip search you at their whim. The
phone company can't (legally) listen into your conversations. Is keystroke
monitoring without real time notification to be allowed on these systems
as well?

An argument may be: "But security cameras are allowed to videotape
customers." Ah, yes! But that is a different scenario:

1) The videotaping does not center on a specific individual. As stated
   before, to monitor the keystrokes of everyone would be near-impossible.

2) The store is a publicly accessible place, and there is no reasonable
   expectation of privacy except to your person.

Why is there a reasonable expectation of privacy on a computer system?
Well, what are file permissions for? To keep one's files and stuff
private. Just as a lock on a desk or a closed door intimates privacy, so
do file permissions. If a system is truly public as a Sears or WalMart,
there would be no file permissions. There would be no accounts with names
on them giving ownership. Ownership implies a right to security from
trespass and interference. There are many arguments to be made for privacy
expectations on computer systems that I won't go into here.

Let me just clarify "truly public" as I used it in describing Sears and
WalMart. By "truly public" I mean that they may not turn away anyone
entering their property without good reason. They may not discriminate,
and being employed by them is not a criterion for entering their sales
area. Customers are allowed to move unimpeded throughout the sales area,
and customers do not get lockers to put stuff in on a daily basis which
are provided by the store. In other words, there is no private ownership
on the part of the customer within the store except for what he carries
on his person.
This is comparable to being in a public area. The comparison I am making
believes that being inside a computer system is not comparable to being
in a public area if ownership of files and accounts is given.

Conclusion
+++++

While I realize that CERT was merely passing on the findings of the
Justice Department, I have to question 1) the presentation of those
findings including giving almost a "non-liability kit" in their advisory,
and, 2) the findings themselves.

Anything is defensible. Charles Manson had a defense. However, even if the
act is defensible, it may still be illegal. Defensible merely means "there
is a reasonable expectation that consideration will be given to your
side." I think CERT went a bit too far in suggesting a banner and not
bringing up possible consequences. I tried to "balance" the situation
here.

For any company, I would seriously advise you to consult an attorney
before you implement this type of monitoring, and to think about what
effects it could have. It may weaken security rather than improve it. As a
system administrator (albeit a tiny system consisting of myself, 4
friends, my sister, and my girlfriend) I would not implement such a scheme
since I feel that it would be illegal without real-time notification, and
such real-time notification is, quite frankly, a pain to give to someone
using an editor without disrupting their session or their train of
thought.

In a nutshell, the point is this: just because it's defensible does not
mean it's legal, and in this case I feel that it just might be illegal.

------------------------------

Downloaded From P-80 International Information Systems 304-744-2253