FBI Dad's Misadventures With Spyware Exposed School Principal's Child Porn 346
nonprofiteer writes "This is a crazy story. An FBI agent put spyware on his kid's school-issued laptop in order to monitor his Internet use. Before returning the laptop to the school, he tried to wipe the program (SpectorSoft's eBlaster) by having FBI agents scrub the computer and by taking it to a computer repair shop to be re-imaged. It somehow survived and began sending him reports a week later about child porn searches. He winds up busting the school principal for child porn despite never getting a warrant, subpoena, etc. The case was a gift-wrapped present, thanks to spyware. A judge says the principal has no 4th Amendment protection because 1. FBI dad originally installed spyware as a private citizen not an officer and 2. he had no reasonable expectation of privacy on a computer he didn't own/obtained by fraud."
I'm still trying to wrap my brain around... (Score:5, Insightful)
Re:I'm still trying to wrap my brain around... (Score:5, Interesting)
Or.. or... The computer repair shop doesn't know what they're doing
My money's on it's something like this [theregister.co.uk]
Re:I'm still trying to wrap my brain around... (Score:5, Insightful)
It was left on deliberately in an attempt to spy on random U.S. citizens and collect data.
More delicious loopholes to exploit left and right!
Re:I'm still trying to wrap my brain around... (Score:5, Interesting)
...the spyware surviving a cleaning by a computer repair shop and the FBI...
It was left on deliberately in an attempt to spy on random U.S. citizens and collect data.
Or.. or... The computer repair shop doesn't know what they're doing.
And/or... (more chillingly) The FBI doesn't know what they're doing.
Re:I'm still trying to wrap my brain around... (Score:5, Insightful)
I find it far more chilling if the FBI knew exactly what is was doing: lying to the judge about having deleted the spying software to set a precedent for doing this wholesale, using a case where the judge would likely be extremely biased in their favor.
Re:I'm still trying to wrap my brain around... (Score:4, Interesting)
Sounds like the FBI probably did a simple wipe by their IT and never gave it a s3cond thought that this spyware was so durable. The standing that it was OKed is so condtlitional it would never survive a wider scrutiny. In other words: Dumb luck prevails.
Also, the computer was school owned. The game would have been much different if it were private. It's akin to catching the principal doing it on the school's library computers.
Re: (Score:3)
Re:I'm still trying to wrap my brain around... (Score:5, Informative)
Re:I'm still trying to wrap my brain around... (Score:5, Informative)
Re: (Score:3)
Re:I'm still trying to wrap my brain around... (Score:5, Informative)
I once bought a computer from a small shop which I intended to use as a linux server. The shop put windows on it as a test and right before they gave it to me told me they would wipe the disk "so I couldn't use their copy of windows". The guy hit enter on some erasure program and immediately said "okay thats done" so obviously it wasn't erased, just unlinked.
Re:I'm still trying to wrap my brain around... (Score:5, Insightful)
Re-imaging is a kind of factory reset, in this case, to what the school's IT department says is a standard load for these kinds of school computers. Which may also be no special load, just reset Windows to a fresh install.
Generally, though, only Windoew+ whatever the school had would be installed. Executables generally would not be preserved -- that's the point of a reimage. And data preservation probably isn't done unless specially requested, which doesn't include installed executables anyway.
In spite of all this and the nasty subject, I'm still not comfortable giving the spying government official the benefit of the doubt rather than the spied-upon citizen. It is hardly shocking to anyone to suggest he may be lying out his ass.
Re: (Score:3)
so, when a laptop is malfunctioning or just needs to be reset, they restore an arbitrary backup copy from some random child from the previous school session?
ya, sounds plausible.
Re: (Score:3, Informative)
#!/bin/bash
echo "Wiping drive sda...Do not interrupt."
dd if=/dev/zero of=/dev/sda
dd if=/dev/one of=/dev/sda
echo "Performing 7 random overwrite passes...Do not interrupt."
for i in `1 2 3 4 5 6 7`
do
dd if=/dev/random of=/dev/sda
done
echo "If you did not interrupt the process then the drive wipe has completed successfully."
exit 0
Re:I'm still trying to wrap my brain around... (Score:5, Informative)
[quote]dd if=/dev/random of=/dev/sda[/quote]
I would suggest using /dev/urandom as the random number generator used by /dev/random will likely run out of entropy long before the first pass completes.
Re:I'm still trying to wrap my brain around... (Score:4, Insightful)
$ for i in `1 2 3 4 5 6 7`
> do
> echo ${1}
> done
1: command not found
$
Instead, try a Bash loop like this (which is also less typing):
for i in {1..7}
do
dd if=/dev/urandom of=/dev/sda bs=2M
done
I believe something like bs=2M (writing two mebibytes at a time) will significantly speed the process up in most cases.
Re:I'm still trying to wrap my brain around... (Score:4, Informative)
Will the above take seconds, hours, or a century?
Not sure about a century, but months seems likely on a modern disk.
1) dd without a fairly large block size is very slow at copying hundreds of gigabytes of data.
2) /dev/random (on Linux, anyways) only gives as much random data as it can generate from the entropy available to it -- which isn't much. /dev/urandom would be much faster (and more than random enough, especially after seven passes.)
Re: (Score:2)
Your money is now ours. Pay up.
The article and the summary state explicitly which software was used [spectorsoft.com], and its no where near as smart as the the stuff you linked. It only works with windows.
Re: (Score:3)
Or the repair shop knew that it wasn't going back to somebody who cared, and decided to be half ass and didn't touch it at all while saying they did.
This kind of thing is typical in computer repair shops.
Re:I'm still trying to wrap my brain around... (Score:5, Interesting)
Re:I'm still trying to wrap my brain around... (Score:5, Funny)
This has restored my faith in the capabilities of the FBI /sarcasm
Re:I'm still trying to wrap my brain around... (Score:5, Insightful)
Keep in mind this wasn't exactly the computer specialist division of the FBI, considering he had to take it to a computer repair shop to get them to fix it. TFA says he asked his colleagues, without knowing anything more I'd assume they don't work in the "cybercrime" division. So more like it survive cleaning by some random individuals and a probably-incompetent computer repair shop (Geek Squad or similar, they probably thinking knowing how to use regedit makes them computer "experts".) The FBI as an organization was completely uninvolved.
Re:I'm still trying to wrap my brain around... (Score:5, Insightful)
A group operating in the FBI that is supposed to know something about computers is CART - Computer Assist Response Team. Now I happen to know that if you take a computer to someone in CART and want them to do something like this it will certainly happen - in about six months when they have a few moments.
The backlog of high priority prosecutions is that deep.
So, do you think this guy got the full attention of someone within the FBI that knew what they were doing for more than two minutes? I doubt it. I don't care if he is in the FBI - there are lots of people in the FBI and most of them don't count for much when compared against current work that someone is waiting for. Sending people to jail is always more important than fixing some colleague's computer.
Re: (Score:2)
Why in the world did the FBI even have to get a repair shop involved in the first place? Was the task of reimaging a computer truly that daunting for them?
Re:I'm still trying to wrap my brain around... (Score:5, Interesting)
...the spyware surviving a cleaning by a computer repair shop and the FBI...
Pretty astounding, when you consider he knew what he installed and it comes with de-install directions [spectorsoft.com].
Quoting the FAQ:
Tamper-Proof Technology
eBLASTER does not show up as an icon, does not appear in the Windows system tray, does not appear in Windows Programs, does not show up in the Windows task list, cannot be uninstalled without the eBLASTER password YOU specify, and eBLASTER does not slow down the operation of the computer it is recording. eBLASTER does not initiate connections to the Internet and will only forward email and send activity reports when the monitored computer is already connected to the Internet. All of these features make it extremely difficult for unauthorized users to locate and/or remove eBLASTER.
Re-imaging the computer from original installation media should have done it, but I suspect that the shop he took it to did not have
that media, or the Certificate and wasn't about to use their own copy, and simply removed the user account.
I can see the FBI not wanting to waste their time and resources on what was his personal project, and sent him to a private shop.
Good on them if that's how it went down.
But the guy running that private shop might be open to a civil suit by the principal.
Re:I'm still trying to wrap my brain around... (Score:5, Insightful)
Re: (Score:2)
Just because he works for the FBI doesn't mean he is computer literate. The majority of them are nothing more than federally paid beat cops doing missing persons investigations and helping out when other LE can't do the investigation themselves. I think you and others are giving him too much credit because he works for a three letter government agency.
My post suggested that even Joe Sixpack should be able to uninstall what he installed, given that the directions are included with
the product and on the product's web site.
However.....
FBI agents are far from beat cops. The requirements state [fbijobs.gov] that you must possess a four-year degree from a college or university accredited by one of the regional or national institutional associations recognized by the United States Secretary of Education. You must have at least three years of professional work experience. Y
Re:I'm still trying to wrap my brain around... (Score:4, Interesting)
I can't figure out why Windows lets a program remove itself from the list of programs in the task list. WTF!
I wonder if windows fudges the task list CPU numbers to add up to 100%?
Re: (Score:2)
Before returning the laptop to the school, he tried to wipe the program (SpectorSoft's eBlaster) by having FBI agents scrub the computer and by taking it to a computer repair shop to be re-imaged. It somehow survived
This kind of incompetence is absolutely baffling to me. Putting SW into a computer that you don't know how to remove? Being unable to remove it by wiping a disk (while working at FBI to boot)? Being unable to pick a repair shop that can actually image disks? Not making an image in the first place before you put something you don't know how to remove? I'm stunned.
Re: (Score:2)
I thought maybe it was in firmware but that doesn't explain how it phoned home.
Re: (Score:3)
Re: (Score:2)
nope, Windows even has a little program that will automatically wipe the settings and computer account and boot windows like its fresh out of the box making you think its a new computer.
don't have to delete anything manually
forgot the name but years ago it was used for imaging to make sure the computer account was different
Re: (Score:3)
It's called setup.exe and in the root directory of any Windows CD...
Re: (Score:2)
Re: (Score:2)
Re:How to succeed as an FBI agen: a tutorial (Score:4, Interesting)
Dear random slashdot user,
The government isn't out to get you. They have better things to do. This story is anecdotal and at best a good laugh since some good came from it. Please refrain from making generalized statements about things you know zero about.
Thanks,
People who actually have dealt with the FBI
Fraud? (Score:5, Insightful)
Shouldn't the shop that supposedly "re-imaged" it busted for fraud? One also might wonder why an FBI agent is using internal FBI resources to "scrub" a non FBI machine that isn't part of an investigation. Finally, these morons don't know about DBAN???
Re:Fraud? (Score:5, Funny)
No, but they seem to be experts at DBAG. :-P
Re: (Score:2)
These programs are malware and spyware and use the same methods to stay on as virii. The difference is they are legit so AV programs do not flag them. It could hide in the boot record as a trojan or hide in a restore point and be later re-installed when a user uses it. My guess is the IT team at the school simple uses restore as a quick and efficient way to wipe it before the student received it.
Re: (Score:2)
These programs are malware and spyware and use the same methods to stay on as virii.
You mean, they hide in you spellchecker, occasionally causing it to malfunction?
Re: (Score:2)
> We should all see the problem with that last sentence, which I had no idea was true until now.
> Especially because we use legitimate software that DOES get flagged
My favorite was trying to bring a copy of clamav (definitions) into our internal lab. I didn't realize the linux desktop build here had a virus scanner installed (I have never installed one on a linux box except to scan incoming file for other environments).
I copied it down to my transfer directory, then I went to copy it into the lab.
Perm
Re: (Score:3, Interesting)
DBAN is not foolproof. Just the other day I started it up, and the kernel didn't register my hard drive. Started happily erasing my boot stick, and I never would have realized the difference had I not been paying attention.
(Had to go tweak the BIOS a little)
Re:Fraud? (Score:5, Informative)
He didn't use internal FBI resources, hence the computer repair shop. He asked his friends at the FBI if they knew how to clear the laptop. They didn't, so he took it to the shop. That's hardly using FBI resources (the summary is more than a little misleading).
Agreed on the shop, they sound pretty incompetent.
Re: (Score:3)
One also might wonder why an FBI agent is using internal FBI resources to "scrub" a non FBI machine that isn't part of an investigation
Because it wasn't a big deal? Because he wanted it done right and mistakenly thought the FBI could get it done? For all we know, a tech he knew did it after hours.
I think the much larger concern is that the result wasn't a completely wiped laptop.
Re: (Score:2)
Re: (Score:3, Interesting)
Shouldn't the shop that supposedly "re-imaged" it busted for fraud? One also might wonder why an FBI agent is using internal FBI resources to "scrub" a non FBI machine that isn't part of an investigation. Finally, these morons don't know about DBAN???
I've been a Slashdotter for 15 years and I had never heard of DBAN until reading your comment and Googling it. Your other two points are pretty solid, though. What the hell happened?
Re:Fraud? (Score:5, Interesting)
I work for the FBI, and while I am not familiar with this incident, I'm pretty sure there will be some administrative inquiry into misuse of gov't time & resources, especially since it has made us look bad in the press. I'll have to wait for the next quarterly report on ethic violations (which are always hilarious to read, some people are fucking idiots).
Re: (Score:3)
What misuse of gov't time & resources are you talking about?
He installed the software himself on his kid's loaner notebook to keep track of his kid's activity (you see, the FBI guy is also some kid's daddy, and he wants to know in case somebody solicits his kid in a chatroom).
Then he asked a buddy at work if he knew how to remove the software before returning the notebook to the school; apparently Joe didn't know, so he brought it to a local computer repair shop and asked them to do it for (his own) cas
Re:Fraud? (Score:5, Insightful)
Shouldn't the shop that supposedly "re-imaged" it busted for fraud? One also might wonder why an FBI agent is using internal FBI resources to "scrub" a non FBI machine that isn't part of an investigation. Finally, these morons don't know about DBAN???
I've been a Slashdotter for 15 years and I had never heard of DBAN until reading your comment and Googling it.
Yea, but do you run a computer repair shop?
If not, it's fair to assume you've never heard of DBAN; however, if your income is based in an industry for whom re-imaging computers is standard practice, having not heard of DBAN is a nigh unforgivable offense (and a damn good reason to avoid your shop in the future).
Re:Fraud? (Score:5, Interesting)
They might well understand about DBAN. However, this is what I think happened. The last paragraph is most important.
Something like this is likely as not what happened:
FBI dad is sent to "Saipan in the U.S. territory of the Northern Mariana Islands", an FBI office with three agents and a manager. FBI dad installs spyware on kid's school computer. FBI dad is transferred to new location. He goes to his friends in the local FBI office and asks them to scrub the computer. Either A) there aren't any FBI computer experts in Saipan (quite possible), or the local expert says, "I can wipe it, and I could run the restore software, but there's software on there the school installed that I don't have the disks or licenses for. Take it to a local laptop shop."
FBI Dad takes it to the local shop and says, "I want it restored to what it was like when my kid got it", or "I want you to wipe all my kids info off this laptop", or something similar. They say, "We'll do our best." They have the same problem the FBI expert has. If they DBAN the drive, they could destroy the restore partition, and they won't be able to reinstall the school-installed software. If they run the restore partition, the laptop is like it was before the school got it, and they still won't be able to reinstall the school-installed software. So, they remove all personal data and uninstall all software they think the school didn't install. Maybe they spot the spyware and think it is school installed, maybe they don't spot it, maybe they spot it and try to uninstall it, but instead of uninstalling it hides.
Regardless, they remove what they can without destroying the school-installed software and return it to FBI dad. He returns it to the school. Hilarity ensues.
Slashdot readers read a non-technical report on what happened, written by a non-technical writer, who got his information from non-technical reports made by yet more non-technical people, treats it as if the entire report is completely accurate and all technical terms used correctly, and more hilarity ensues.
Seth McFarlane? Is that you? (Score:5, Funny)
So let me guess: the guys's name is Stan, the kid's name is Steve and the principal is called Brian?
Re: (Score:2)
Wrong agency (it would have to be CIA to get the hat trick.)
Good call anyway - American Dad was the first effing thing I thought of when I read TFA.
So now, (Score:3, Insightful)
Every law enforcement parent will install spyware on his kids' school computers and "forget" to remove the spy software.
Re:So now, (Score:4, Insightful)
Every law enforcement parent will install spyware on his kids' school computers and "forget" to remove the spy software.
Wait for the decision in the case. That will say what will or will not happen.
Given your assumption (which is a good one), law enforcement will suddenly declare that nearly ALL findings of anything related to ANYTHING illegal (child porn, money laundering, pro-terrorist crap, some LE's wife cheating on him, etc) were due to "accidental placement and failed removal" of spyware.
Two stories here (Score:2, Insightful)
The story enclosed within this one is that (a) the FBI is unable to effectively scrub FBI spyware installed by an FBI agent, and (b) the computer repair shop charged an FBI agent to scrub and reimage a laptop, and then apparently just moved it from the To Do shelf to the Done shelf.
Re:Two stories here (Score:5, Informative)
Yes, that or the submitter deliberately misquoted the article:
"Auther first took the laptop to his FBI office and asked his colleagues how to wipe it clean. Apparently they don’t have many cyber experts in the Mariana Islands, because they were unsuccessful. So Auther had to instead take it to a computer repair shop, which cleaned out the old files and allegedly reimaged the hard drive to return it to its original settings."
Sounds to me like there wasn't any professional FBI 'scrubbing' involved, just some guy going to work and talking about wiping a laptop by the water cooler.
Re: (Score:2)
Re:Two stories here (Score:4, Insightful)
Re: (Score:2)
> Most laptops these days have a recovery image on a separate partition of the hard drive. It would not be beyond belief that the spyware the agent used injected itself into the recovery partition so it would re-install itself.
Nod. In fact, it would be rather silly for a spyware developer to *not* do this.
Re: (Score:2)
> The FBI 1) spied on a US citizen without a warrant and 2) a US court said that was fine because it wasn't on his computer.
Isn't that what I said? Or was I being too subtle?
> Europe is looking mighty good about now.
You seriously believe Europe is better in this regard?
Defined by their employer... (Score:3)
I was originally going to post that TFA makes it clear that this was a case of a person who happened to be employed by the FBI, finding himself in this situation, but is just described by TFS as "an FBI agent" — it made me wonder whether someone should be defined by their employer.
It rather broke down for me when TFA starts saying how he got "all flashy with his FBI badge" to investigate, rather than just reporting it to the police — is this really still just someone acting as a father?
Re:Defined by their employer... (Score:4, Insightful)
Read TFA -- the Judge made a note of this. The initial report that he got was just him as a father: after that what he was doing was basically being an FBI agent. *However* even though he was, the fact that the computer was essentially stolen meant the guy had no expectation of privacy for it. anyways.
Re: (Score:3)
Another thought on this....
If we are to be honest when it comes to application of the law, and we are going to say the laptop, since it belong to a third party that didn't issue it to him, he has no expectation of privacy.... don't we also have to rewind and apply similar tests to his original action?
Did he really have any right to install the software on a machine that was owned by a third party and not issued to him? he was spying on his own kid, and I can see exceptions made for that, but he wasn't doing
Re: (Score:3)
It's sort of like an off-duty cop who happens to be in a store when it's robbed and takes action as a police officer. His initial being there is just part of being a citizen. Once the robbery started, he made the shift from citizen to law enforcement as would be expected even though he's off-duty.
the judge is kind of right (Score:5, Informative)
the prinicipal was a moron for using a school computer. if it was his own computer then a search warrant would apply.
with no warrant (Score:2, Insightful)
a cop kicks a door in and finds pot.
Cop to judge: "I did it as a private citizen!"
Judge: "Ok then. This is admissible."
So, I wonder what would happen to me if I shot that cop busting down my door as a "private citizen"?
It doesn't matter anyway. When it comes to child porn, taxes, drugs or terrorism, you are guilty until proven innocent. Where are the Ben Franklin dressed Teapartiers? Why aren't they out there preaching their message about freedom over this erosion of our liberties? Or it folks are so afraid
Re:with no warrant (Score:5, Insightful)
Kicking in a door is illegal as a private citizen and is not something you would expect a private citizen to do. Installing software to monitor his kid's activities is something perfectly legal and well within the realm of what a private citizen might be expected to do. As with many laws, there's a gray area that you have to actually use your brain to determine if something is reasonable or not. There's no slippery slope no matter how much you tilt your head.
Re: (Score:3)
Kicking in a door is illegal as a private citizen and is not something you would expect a private citizen to do. Installing software to monitor his kid's activities is something perfectly legal and well within the realm of what a private citizen might be expected to do. As with many laws, there's a gray area that you have to actually use your brain to determine if something is reasonable or not. There's no slippery slope no matter how much you tilt your head.
Slight problem with that explanation - it wasn't his laptop, it was the schools.
What's the "legal grey area" answer for installing malware on someone else's machine?
Re:with no warrant (Score:4, Insightful)
What's the "legal grey area" answer for installing malware on someone else's machine?
There is none, installing software on a school-provided laptop is legal. At most it is breach of contract if the school has a policy against it, but that is a civil matter.
If there was intent to damage or to spy on someone other than the child, that would be a different matter.
Re:with no warrant (Score:4, Insightful)
Installing software to monitor his kid's activities is something perfectly legal and well within the realm of what a private citizen might be expected to do.
If the principal had installed spyware, that would be a problem. [slashdot.org] Oh, but it's a private citizen installing spyware on someone elses hardware... oh wait, that's definitely not cool either. [slashdot.org]
It seems the only reason this parent isn't getting a visit from the FBI is because he *is* the FBI. If the guy is installing spyware, he could have remotely installed the porn. The spyware itself could have been the delivery mechanism for all sorts of nasty stuff. He certainly had the means, all he would need is a motive. How do we know the guy didn't have a personal vendetta with the principal? But it doesn't matter... because the principal has already been ruined. Yaaaay! Let's all burn another witch!!
Re:with no warrant (Score:4, Interesting)
I try to be very careful about what I use other's equipment for. When I was younger I was less careful about computers, but then when i was younger there was not 10 years of ruling saying that there is no expectation for privacy if you use employers stuff. For instance, is there anything to stop your employer from listening to your telephone calls on phones the employer owns and pays for the operations. Not really. So we bring cell phones to work that we pay for completely. There is no ambiguity if an employer taps a personal phone.
Stories like this are important because it reminds us that using things we don't own for questionable purposes is not really such a good idea. Clearly older people, who grew up in a time maybe when assets were not tracked as carefully as they are today, or younger people who have not learned how carefully things can be tracked, need to hear this lesson. Clearly some believe that that you can steal equipment, use it for illegal activity, and still deserve the full protection of the law.
can't wipe a disk? (Score:3, Insightful)
FBI agents AND a computer repair shop couldn't wipe a disk?
Not buying it.
Re:can't wipe a disk? (Score:5, Insightful)
Not all FBI agents are computer wizzes. TFA said that the office he was in had no computer crimes unit which is where the computer wizzes congregate.
And it surprises you that a computer repair shop might not actually do what they say they are going to? Really?
Re: (Score:2)
i've read most of the agents are lawyers, accountants or something similar
Re: (Score:3)
Could be that the spyware is really, really well-designed. Some sort of boot sector thing, perhaps?
If the spyware was designed to be difficult to remove, and nobody was looking for it, it wouldn't be surprising that it survived something that removes most software.
Re: (Score:2)
Now that's what I call... (Score:2)
*puts on sunglasses* ... a cold dish.
Re: (Score:2)
Yeah.
My mind is melting. (Score:4, Insightful)
Re:My mind is melting. (Score:4, Insightful)
we're talking about the FBI in Saipan, the U.S. territory of the Northern Mariana Islands. no surprise they wouldn't be cyber experts nor have one, and that the parent would just take a school's laptop to a computer shop for a wipe before returning it to school. not a government computer, not U.S. government concern.
Re:My mind is melting. (Score:4, Interesting)
I won't lie: any day one of these child porn scumbags is caught is a good day.
But the real question is... are you super mega anti-child porn?
Re:My mind is melting. (Score:5, Insightful)
"The FBI" is not a monolithic thing.
He didn't take it to an FBI technician-- if he did, it'd probably have been cleaned up tight and fast. He took it into his office, where TFA says *they don't have cyber guys*. I.e., he's in some dingy little office without a cyber crimes unit. This doesn't sound implausible at all, the guy's in an FBI office across the Pacific in a US territory, not in Los Angeles.
Then he took it in to a local computer repair shop, and it doesn't at all sound implausible to me that they might have fibbed on just what they did. Instead of re-imagining it, they may have just done a quick scrub of the user settings.
"The FBI" didn't go through a two step process. A guy who is also an FBI agent went through a two step process. Not everything an FBI agent does is with the full force and resources of The FBI.
Re: (Score:3)
By your logic, every single nurse where I work should be an IT expert just because we also have an IT department. Oh wait, while they might talk to other nurses in their department about a non-work computer they probably won't bring it to the IT department to look at? How bout that, not everyone in an organization with an IT department happens to work in the IT department.
hmmmm (Score:3)
> by having FBI agents scrub the computer and by taking it
> to a computer repair shop to be re-imaged.
wow..... um.... I am really curious as to how it did this. Something smells fishy. I can understand it surviving a "scrub", since anyone who does systems work should know that there are many places in a modern os to hide, and unless you know exactly what it does and how it hides, its impossible to say for sure a system has been cleaned.
However, the pc shop? maybe they didn't really "re-image" it, but instead did their own quick "scrub" and ran something like sysprep?
Otherwise maybe they just did a reinstall from a hidden factory reinstall partition? I could see something hiding up in there but....
I dunno, it seems like it HAS to be something along one of those lines. Aside from that...if it really was incidental...well.... accidents do happen, and sometimes they end up biting the best possible people.
In any case, I think the circumstances do sound fishy, and in no way should what he caught excuse what he did if it wasn't accidental, so there should be serious investigation into that too....but I could see that just turning up technical incompetence rather than malfeasance....
That is, unless it turns up fraud on the part of the PC Repair shop.... very likely they did not do the job they were paid to do.
Some Clarification (Score:5, Informative)
The "FBI" didn't wipe his computer. He simply asked his co-workers for some help. Apparently neither he nor they were particularly tech-savvy so he took it to a computer shop. He probably asked the shop owner to remove "all of my kid's games and stuff". I imagine that this spyware tries to mask itself so that kids cant just find it and uninstall it. The shop owner probably just uninstalled all of the "games and stuff" and then returned it.
The problem is that a person who was so confused by removing software that he had to go to a "computer shop" is trying to tell you what he did. He didn't get the FBI to clean the machine, he simply asked his co-workers who didn't know either. This also happened in Saipan, not New Jersey. The FBI has a small office, not a high tech lab.
The FBI agent screwed up by not notifying authorities immediately(he tried to solve the case himself), but he was probably concerned that the evidence wouldn't hold up in court. Lucky for everyone, the Judge seems like he was willing to stretch the letter of the law to punish a clearly guilty man.
This just in: (Score:5, Funny)
Don't jump to conclusions (Score:2)
Re:This is probably common (Score:5, Funny)
I hear 90% of all statistics are made up.
Re:This is probably common (Score:5, Funny)
Only about 70% of the time.
Re: (Score:2)
I'm 95% confident that I said it was 84% of the time.
Re:This is probably common (Score:5, Funny)
Only about 70% of the time.
"Don't believe everything you read on the Internet." - Abraham Lincoln
Re: (Score:2)
That was Moses, not Lincoln. ;-)
Re: (Score:2)
Confucius said "please stop giving Lincoln credit for my sayings."
Re: (Score:2)
Second, judges throw out such claims in court all the time. The evidence should not have been permisable as the agent should be the one in trouble here for interfering with school property. If any evidence was obtained illegally then it needs to be thrown out.
Yeah, but... child porn! It's for the children!
Re: (Score:2)
Re:Bios flashed spyware? (Score:5, Informative)
However, if the FBI or PC store simply formatted it through, say, re-formatting the drive by running the Windows setup disk, then a kernel level rootkit would happily stay in-tact in this manner. In fact, to spot it, you'd really have to use some imaging software with comparison checksums so that after the the imaging it can make sure everything is as it should be. While the rootkit can happily inform that "nothing is there", it can't predict what should be there in an imaged drive, and would be caught out that way. However - thats not how 99% of us format drives, especially since most don't have MD5d images of other peoples hard disks, or don't put them in external caddies before doing so.
Re:Bios flashed spyware? (Score:5, Interesting)
The main way that rootkits survive a total hard disk format is because they're running at the time - any decent rootkit is more than able to stop a simple format from removing it simply by intercepting any parts of the format which target it, and returning OK signals. [...] if the FBI or PC store simply formatted it through, say, re-formatting the drive by running the Windows setup disk, then a kernel level rootkit would happily stay in-tact in this manner.
If they used the Windows setup disk to nuke the drive, how did the rootkit get on the DVD? How did the rootkit stay running after a reboot? You're almost on the right track, but BIOS/EFI infection is the answer you're looking for (or HDD firmware). The rootkit has to be running before any OS boots up. Even a boot-sector virus won't survive a disk-wipe, so there had to be a re-infection method.
Re: (Score:3)
You can generally reliably remove rootkits by taking the drive out, putting it into an external drive bay (so its not present on a PC while booting), connect the drive when your PC is started up and then format it with none of its code executing.
Why go through that much trouble?
Just stick a bootable optical disk with formatting tools on it in, boot from it, and then format the infected drive. No code from the drive will be running so any rootkit on the drive will be overwritten.
I don't know how the Windows setup disk works, but I find it hard to believe it'd start running the kernel that's on the disk drive that you want to format. Certainly a Linux install disk would work just fine.
A BIOS rootkit would be a different kettle of fish.
Re: (Score:2)
Or not every single FBI agent is a computer expert and he just talked with some co-workers in his department rather than having the FBI's IT team take a crack at it. Which is why they would have taken it to an IT shop.
Re: (Score:3)
They can't unless you provide the system image from the MFG or have your own system image, or have your own software discs, licenses, etc.
... or they download the generic Windows ISOs from Microsoft, which can be activated with any valid key.
That's what I do, anyway.