FBI Remotely Installs Spyware to Trace Bomb Threat
cnet-declan writes "There have been rumors for years about the FBI remotely installing spyware via e-mail or by exploiting an operating system vulnerability from afar — and now there's confirmation. Last month, the FBI obtained a federal court order to remotely install spyware called CIPAV (Computer and Internet Protocol Address Verifier) to find out who was behind a MySpace account linked to bomb threats sent to a high school near Olympia, Wash. News.com has posted a PDF of the FBI affidavit, which makes for interesting reading, and a summary of the CIPAV results that the FBI submitted to a magistrate judge. It seems as though CIPAV was installed via e-mail, as an article back in 2004 hinted was the case. In addition to reporting the computer's IP address, MAC address, and registry information, it also gave the FBI updates on which IP addresses the user(s) visited. But how did the FBI get the spyware activated and past anti-virus defenses? Two obvious ways are for the Feds to find and exploit their own operating system backdoors, or to compromise security vendors..."
How long will it be before ... (Score:5, Insightful)
Open letter reply to that kind of law (Score:5, Insightful)
The Germans already proposed something like that. It was retracted when they realized that it pretty much opens the door to any kind of espionage, and that this could quickly turn AGAINST them.
No backdoor is secure. Word will get out and it will be abused. Worse yet, if you force AV and firewall manufacturers to keep that hole unplugged, you open yourself and all the businesses in your country to industrial sabotage and espionage.
Think the feds are THAT stupid? Even if, do you think their lobbyists will allow them to?
Re:Open letter reply to that kind of law (Score:5, Funny)
Re: (Score:3, Interesting)
Yes, to both! The lobbyists aren't exactly rocket scientists themselves.
Not rocket scientists ... politicians. (Score:2)
That just means there's more need for more legislation tomorrow to fix that problem.
And the cycle never ends.
Re: (Score:3, Insightful)
So if anything, they'll want this on the PCs of normal people, but certainly not in a system they might use themselves!
Re: (Score:2)
Re: (Score:2)
Ok, jokes aside. Politicians aren't necessarily dumb. Usually they are not. They may be crooked, bought, influenced and corrupt, but few are really outright dumb. Just because they don't give a rat's rear about the people who voted
stupid, no (Score:2)
Re: (Score:2)
Re: (Score:2)
I'm sure there's something like that out there already. And each major OS has a government manual on how to 'secure' it for government use. Even OS X's manual is around 100 pages of changes to make to secure it to their standards. I haven't seen the Windows one yet, but I bet it comes in a seven-volume set.
Re:Open letter reply to that kind of law (Score:5, Interesting)
http://www.spectrum.ieee.org/jul07/5280/1 [ieee.org]
Re: (Score:2, Interesting)
NSAKEY (Score:5, Informative)
http://en.wikipedia.org/wiki/NSAKEY [wikipedia.org] is a good primer.
It was covered extensively at the time by the likes of Bruce Schneier and others, his comments [schneier.com] said: I think the jury is still out on exactly what was really going on; if it was an NSA backdoor, it was a pretty boneheaded one. Alternately, if it was just Microsoft being redundant, then it shows that they didn't plan very well and don't seem to understand security very well. Given the choice between the two, I think boneheadedness on MS's part is more likely.
Re: (Score:3, Insightful)
NSAKEY (Score:4, Informative)
Where have you been [wikipedia.org]?
Re: (Score:2)
Then they came for net access records, you did not care because you don't need privacy there
Someday they will come for you, and there will be no one left to care
Re: (Score:2)
Re:How long will it be before ... (Score:5, Interesting)
Then they came for net access records, you did not care because you don't need privacy there
Someday they will come for you, and there will be no one left to care
The warrant isn't really the point. (Score:5, Insightful)
Re:The warrant isn't really the point. (Score:5, Insightful)
There is no magic at play here. If it's a secret, someone can learn it. If it's a method, someone can learn it. If it can be done by one, it can be done by all and whether or not you trust your government or your legal system is almost irrelevant to the larger point. If there exists that serious of a chink in your armor, SOMEONE will exploit it and it may not always be for the right reasons or by the right people.
Re: (Score:3, Insightful)
Re:How long will it be before ... (Score:4, Interesting)
I'm kind of new here (Score:5, Insightful)
What exactly do you want? They got a warrant. Isn't that kind of oversight what we want? I don't understand why you think making a comparison to the Gestapo (and did they really have warrants?) adds a single thing to the conversation.
Please tell me what your solution is, so I can put your comment in some kind of context. I've seen it and its like from several other posters, but not a single one of them goes on to make a coherent argument after making it, and neither did you.
The FBI has a job, in this case it seems a job that we'd all like them to be proficient at, that of preventing bombings. They pursued evidence through the correct channels, got a warrant, set up an operation, and did their jobs. In light of that, doesn't the "Gestapo" comment seem a bit reactionary and irrational?
So what the hell is with the specious Gestapo comparison? Do you think someone's rights were violated somehow, or the FBI overstepped their authority, or what exactly? Or is it vogue here to toss out inflammatory comments for no reason other than to provoke a reaction? I thought that's what the "troll" mod was for?
Lastly, the Gestapo also pandered to the fears and insecurities of the populace, so I'd be careful throwing around such comparisons if I were you.
Re: (Score:3, Insightful)
You know what I want? I want to be able to TRUST that the executive branch of the government (law enforcement included) really has what's best for the country in mind, but I'm just not feeling it.
The executive branch of our government has recently been found guilty of large scale domestic spying "for the greater good", torture, and any number of other egregious offenses. Of course, it's up to some interpretation I guess, but I say they're blatantly illegal offenses at worst and c
Re:How long will it be before ... (Score:5, Funny)
[2] Then they came for the end-of-sentence punctuation Nazis, and I did not care because I punctuate my sentences.
[3] Then they came for tense agreement Nazis, and I did not care because I know that 'do not need privacy' (even abbreviated as don't) is present tense while 'did not care' is past tense.
Then I realized that it matters not, because if someone can't read, they aren't going to care about net access records regardless of the privacy issues.
Re:How long will it be before ... (Score:5, Insightful)
I only use my credit card to pay for my phone bill. So why should I be against complete surveillance of CC payments? Hey, it doesn't affect me, ya know?
I only...
User (Score:3, Insightful)
My guess is that nothing quite so sophisticated was necessary, since the user downloaded and ran an unknown attachment from an email message.
Occam's razor at work (Score:4, Insightful)
Assumption 1: He doesn't know jack about computer security like 99% of the users out there and simply clicks everything sent to him.
Assumption 2: The FBI keeps a hole open in Windows that only they know about.
Assumption 3: AV vendors are forced to keep holes open, as well as firewall vendors and everyone else who could technically find it.
Assumptions 2 and 3 bear a heavy load. Assumption 2 implies that EVERY Windows OS can be remotely exploited. Now, it IS possible to reverse Windows. And since there are Windows emulators out there that can handle calls to functions most people don't even know exist, it's safe to assume that quite a few people have already reversed some parts of Windows. A hole would have been found by now. More importantly, such a hole could easily be used against US companies when, say, China finds it and uses it to eavesdrop on confidential data. If such a hole existed, the first thing the FBI would do is make sure that no US company dealing with critical or sensitive information (nuclear, biological, you name it) uses Windows as its main operating system.
Thus I consider it rather unlikely.
Assumption 3 implies that every AV vendor on this planet knows about the hole/malware and keeps its mouth shut. Now, a good deal of such AV vendors sit in countries that are not the US; worse, some of those countries are economic competitors of the US. Think they'll keep silent? Or that they would include it in their software? Hardly likely.
I'd stay with assumption 1: He was careless, clicking on everything and running no AV kit.
Re: (Score:2, Funny)
Who needs the FBI for this? Microsoft have been doing this all by themselves for years...
Re: (Score:2)
Re: (Score:2)
First, "security" software in win32 is not impermeable.
Second, let me reassure you: if the Feds considered you and me "persons of interest", they have the tools necessary to collect information on your online activities regardless of firewalls and antivirus software.
This isn't some kind of conspiracy. It's a matter of fact and it has been this way for at least a decade. If that seems implausible, then you need to readjust your b
Re: (Score:3, Informative)
Most likely the case.
However:
Why is Microsoft's DoJ settlement supervised by a FISA court judge (Kathleen Kotar-Kelly)? These judges are the only ones cleared to review cases where espionage techniques may be revealed and there is a need to keep such information out of the public record.
Re: (Score:3, Interesting)
Re:Occam's razor at work (Score:4, Insightful)
Re: (Score:2)
Hold it, hold it... (Score:4, Interesting)
Heuristics and spyware (Score:5, Insightful)
Would it even be necessary to compromise security vendors? While heuristics and malware detection have been something long promised, it is my understanding that the vast majority of security software works purely by comparing against a dictionary of known attacks. If the police have highly specialized, very limited deployment spyware, it seems that most security software wouldn't have any inkling that it's malware in the first place.
I have no doubt that organized crime and government agencies are aware of and abusing exploits. Given that they don't blast it to the world like a giddy teenager looking for attention, no one knows what to look for.
Re: (Score:2)
Re: (Score:2)
In other words, for software doing something like this to be NOT found, it would have to be whitelisted. At least for most AV tools this is the current situation.
Click here for free movies! (Score:5, Funny)
Subject: Click here for free movies!
Attachment: not_spyware.exe
Hello! You have been selected to receive free movies at no cost to you! All you have to do is install the attached program to start downloading all the latest Hollywood hits free of charge!
Re: (Score:3, Funny)
Re: (Score:3, Funny)
"Our Investigation Was Going Nowhere Until We Thought of Posing as a Nigerian Prince," Says FBI Agent
Hello World (Score:2)
- Social engineering (either against the person, or his mother)
- Breaking into the basement^W house and installing the damn thing
- Hiding it in porn
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Funny)
Getting past defenses? (Score:5, Insightful)
Something seems fishy about the whole story, though. This guy was apparently savvy enough to use a proxy in Italy to send his Gmail bomb threat emails, so he was at least trying to cover his tracks... But he was dumb enough to open a random email attachment? It strikes me as more likely that the CIPAV is deployed through a browser exploit (or perhaps even "legitimately" as an ActiveX control or BHO, people will install anything).
Re:Getting past defenses? (Score:5, Insightful)
Just because someone does something the "average Joe" cannot or does not do, doesn't mean that he knows more than said Joe. He might just have gotten some clue from a pal, without said pal telling him the whole story.
It's simple script-kid style. Yes, some of the malware that circulates is pretty well written, but the people using it are sometimes so dumb that you wonder if they ain't better off serving fries. They're bound to be caught.
Re: (Score:2, Interesting)
> address? Criminal activity or not, ignoring that attachment would be a ballsy decision.
You really don't deserve to be on the Internet. Really, you are a liability to others.
Never, ever, ever open an attachment which you did not request.
It's that easy.
Not the guys only issue (Score:2)
Where's the provision for any federal police squad (Score:2, Interesting)
Is a bomb threat considered piracy?
Is a bomb threat considered treason?
Is a bomb threat considered counterfeiting?
If it isn't, there is NO Federal allocation of power to go after bomb threats, period. What the FBI is doing is not just unconstitutional, but any political leader who took an oath to uphold the Constitution is violating the only oath the
Re:Where's the provision for any federal police sq (Score:2)
Re: (Score:2)
Car jacking is a local crime. There were horse thefts when the Constitution was written -- and those aren't covered. People stole river boats, too, and those weren't covered. A
Re: (Score:2)
Re: (Score:3, Insightful)
At the Federal level it surely is, regardless of what the Supreme Court wrongfully interpreted. Let us read a very simple part of the Constitution, a document written specifically to declare what the Federal Government can do, and what it is restricted from doing:
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the fre
Re: (Score:3, Insightful)
Re: (Score:2)
1. Treason
2. Counterfeiting (of gold and silver bullion coin, the only type of money the Federal government can legally mint)
3. Piracy (on the high seas or open plains, not software or movies)
Everything else the Feds try to police is illegal and unacceptable for them to do.
Re:Where's the provision for any federal police sq (Score:3, Informative)
Re: (Score:2)
You just named two of the worst parts of Congress from the beginning of the 20th century. Both of these items are local items per the 9th and 10th Amendments, and since the Federal government got involved, both those items are now much worse for the average citizen today than before those "laws" were enacted.
Personally, I heard a suggestion a
Doesn't take anything away from the State (Score:2)
Is this Dr. No [wikipedia.org]?
it does not give you rights, it takes rights away from the State who want to take your natural rights away.
Actually, the State never had those rights to 'take away'. It's a specific limit on p
Re: (Score:2)
Re:Where's the provision for any federal police sq (Score:2)
Oh, that old thing?
Welcome to a post-9/11 U.S. where people don't stand up for their constitutional rights because they are too busy buying duct tape and plastic sheeting.
You're right, in a sense, that the FBI probably isn't allowed to do this stuff; but, no one in authority is going to stop them.
Pretty soon, people in this country are going to have to start exercising their 2nd Amendment rights for the reason it exists: armed revolution.
Re:Where's the provision for any federal police sq (Score:2)
Re:Where's the provision for any federal police sq (Score:2)
I'd worry more about the enormous back doors in your constitution before you started worrying about back doors in your OS.
Re: (Score:2)
The original section (533) specifically gave the Attorney General the power to build a police force to protect the United States, which has no grounds in the Constitution for being a federal power. The 9th and 10th Amendments see to that.
The PATRIOT Act is also drivel, blatantly unconstituti
Re: (Score:2)
Re: (Score:2)
The Federal Government has no power to police threats OR murder, Constitutionally. Murder is defined by the People and the Individual States per the 9th and 10th Amendments. This is why abortion should be the People's or the State's right to define -- the definition of murder can and should vary State to State. Threats, to me, are free speech issues, but I have no problem with an individu
Re: (Score:2)
Per the Federalist Papers and the Madisonian debates before the Constitution's finalizing, the definition of general welfare was "for the diversity in the faculties of men, from which the rights of property originate."
The idea of general welfare was for the Federal government to PROTECT, not instill, the rights of property and the rights of man to use his diverse faculties to provide for a better life for himself. It was not for any State
Re: (Score:2)
Interesting speculation (Score:2)
The Feds would have the $$$ and be able to hire the skilled labor to build some pretty sophisticated spyware tools. On the other hand, I wouldn't be surprised to find out Microsoft included a back door in Windows. That rumor has surfaced before.
The problem with either of those options is if they get out in the wild. How many people have access to those tools and how is their deployment managed? Who wouldn't be tempted to do a little sideline testing if they had those goodies in their tool chest.
FBI == Criminal Gang (Score:2)
Re: (Score:2)
Re: (Score:2)
And if you hardwire it to accept only a handpicked few addresses, it turns from something you can claim as a "bug" into something that is invariably a spying tool.
Not necessarily. The US government owns a fairly large block of IPs. It could be a bug in some optimised packet processing code that 'accidentally' caused packets from a certain /8 with a certain header to be injected into the instruction stream. It's just a 'lucky accident' that the /8 happens to correspond to one containing all of the FBI's computers...
I'm not saying they do it this way (or at all), but that's probably what I'd do.
Woot! (Score:3, Funny)
A far more likely way (Score:2)
Why is this even on /.? (Score:3, Insightful)
Law enforcement is very deep into every aspect of computer activity. It's been this way for more than a decade.
The
The Problem (Score:5, Interesting)
The problem is that technology is getting closer to us all the time. The barrier between man and machine is becoming much narrower. And that is a good thing. At the far end of the spectrum people have long been getting artificial hearing enhancers, and now we are starting on intelligent artificial eyes and limbs. People with epilepsy are getting electronics embedded in their brains. At the nearer end of the spectrum, a large percentage of the population now carries a small computer with them everywhere (their cell phone). The man/machine split is disappearing.
So what? Well, we have a problem developing if the government assumes that anything that does not have your genome is fair game for them to crack. Today it is the suspect's computer. This already poses a problem if the suspect is, for example, engaged in legitimate contracting for some corporation - should the government have the right to compromise the security of that corporation because one of their employees is breaking the law?
But what of the more tightly coupled technology? Should the government be allowed to plant a bug in my hearing aid? Should they be allowed to tap the signals coming from my artificial eyes? Should they be allowed to monitor the same brain activity patterns that my seizure mitigating device monitors?
The problem is that we are becoming more closely coupled with technology, and that is a good thing. We are the first species in history to actively engage in our own evolution. But if we cannot trust our technology, it creates a barrier to that evolutionary step. I have the right not to self-incriminate. But if a computer is part of me, where does the line get drawn?
Read the real version of the story (Score:5, Informative)
Where is the 'Duh' tag? (Score:2)
Privacy vs. security (Score:2, Flamebait)
I'd be rather upset if an American government agency were unable to find a (legal) way to penetrate an American-made operating system, with or without the cooperation of American computer-security firms, to investigate bomb threats against an American school...
Yes, privacy is very important — unless you are dead, that is...
To protect a few hundreds of innocents from McCarthy-like harassment, America shackled its intelligence services in the past, which appears to have contributed substan
Happening right now. (Score:3, Interesting)
- E-mail account made at a foreign e-mail hosting site that has an extremely terse address so as not to be hit by spambots (i.e. 4433dakjikk83726jj@somewhere.org)
- E-mails are sent from a stolen laptop through a public wireless access point that are copycats of this crime to elicit the same FBI response.
- E-mails are then checked each day from different public access points, using a different MAC address at each access point. [The only e-mail that should be coming into this account would be the one from the FBI. Probably easy to verify by checking DNS records of the e-mail's originating IP or IP block.]
- E-mail is received and copied to disk.
- Laptop is destroyed.
- CD with e-mail is then analyzed on a Linux/Unix machine that has no internet connection.
- Backdoor/exploit vector is discovered and used for "other" purposes.
Grey-market exploits (Score:3, Interesting)
Re: (Score:2, Interesting)
The smart ones do not get caught.
Re: (Score:2)
Criminals are dumb.
Make that, "Young, high school aged adolescents are known to do really dumb things occasionally."
From what I can tell, the offender is 15 years old. He probably hasn't completed his "introduction to becoming a criminal mastermind" electives yet.
Bottom line, it wasn't a very well thought out, or methodically planned, act, but rather a kid trying to grab attention/show control by repeatedly making threats with little thought about a strategy, much less about getting caught.
Re: (Score:2)
Not really. You just hear about the dumb ones. It's like with the mice and mousetraps. You only catch the careless ones.
Scary thought if you ask me.
Re: (Score:2)
Seriously now. Actual "computer criminals" that want to leech your personal information for ID theft usually don't go to such lengths. It is fairly easy, actually. You buy some space on a server in the far east or in a former Soviet Union state, where police and other law enforcement have better things to do than hunting computer criminals, and you're set. No shady rerouting, no need for an articulate botnet, just that. Your infected ma
Re:the answer is simple (Score:5, Insightful)
Re:the answer is simple (Score:5, Insightful)
Real or just FBI PR? (Score:3, Insightful)
Re:the answer is simple (Score:5, Funny)
From the summary:
A MySpace account linked to bomb threats sent to a high school.
Chances of this system being secure, updated, well-managed? 0
Chances of this system being a Gateway laptop that takes 10 minutes to boot, loads 5 IM apps on startup, has 4 different IE toolbars, and constantly warns that the Norton Antivirus subscription lapsed 16 months ago? Our survey says yes!
Re: (Score:3, Interesting)
Re: (Score:2)
And if he was using Linux or a Mac, most likely that malware wouldn't have worked.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Though what's better, freedom or the golden cage? We ain't far from the ability of total surveillance, to make sure that everyone complies with the law (whatever it may say). It's far from impossible. We do have the technology to create the world
Re: (Score:2)
Funny thing about might, it don't always equal will.
I might also be sitting here right now in a perfectly normal neighborhood, without any craters beyond the ones my dogs are digging. I might win the lottery . . . one day.
I might live in a country that stops to consider the "why" of bad behavior, instead of just the "how to" of
Re: (Score:2)
So, now excuse me, I gotta go buy more tinfoil.
Re: (Score:3, Funny)