
What We Know About the FBI's CIPAV Spyware

Zonk posted more than 6 years ago | from the i-always-feel-like-somebody's-watching-me dept.

Security 207

StonyandCher writes "What is CIPAV? CIPAV stands for 'Computer and Internet Protocol Address Verifier'; a lengthy term for powerful spyware the Federal Bureau of Investigation can bring to bear on web-based crime. It was used last month in a case where someone was emailing bomb threats regularly to a Washington high school. An affidavit by an FBI agent revealed some of the workings of CIPAV. 'According to the court filing, this is [some of] what the CIPAV collects from the infected computer: IP address, Media Access Control address for the network card, List of open TCP and UDP ports, List of running programs ... Last visited URL. Once that initial inventory is conducted, the CIPAV slips into the background and silently monitors all outbound communication, logging every IP address to which the computer connects, and time and date stamping each.' In a Computerworld article, the author attempts to dissect CIPAV's purpose and raises a number of questions such as: What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?"
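The inventory-then-monitor behaviour the summary describes is also what a defender can watch for from the other side: a host that, after the user clicked a link, starts talking to a destination it never used before, on a fixed timer. The script below is an added example, not code from the Slashdot post, the affidavit or the Computerworld article. It runs over a constructed outbound-connection log (the format is made up for the example and the destinations use documentation address ranges), builds a baseline of known destinations from a quiet period, reports destinations first seen after that, and flags any destination contacted on a near-constant interval, which is the classic phone-home pattern.

```python
import re
from datetime import datetime
from statistics import mean, pstdev
from typing import NamedTuple

# Constructed sample log in a made-up "firewall export" format (not a real product's format).
# The workstation is 192.168.0.100; destinations use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2007-06-14 10:00:05 TCP 192.168.0.100:49152 -> 203.0.113.10:80
2007-06-14 10:00:09 TCP 192.168.0.100:49153 -> 203.0.113.10:80
2007-06-14 10:01:30 UDP 192.168.0.100:53412 -> 192.168.0.1:53
2007-06-14 10:12:00 TCP 192.168.0.100:49160 -> 198.51.100.23:443
2007-06-14 10:17:10 TCP 192.168.0.100:49161 -> 203.0.113.44:80
2007-06-14 10:22:00 TCP 192.168.0.100:49162 -> 198.51.100.23:443
2007-06-14 10:32:00 TCP 192.168.0.100:49163 -> 198.51.100.23:443
2007-06-14 10:35:42 TCP 192.168.0.100:49164 -> 203.0.113.44:80
2007-06-14 10:42:00 TCP 192.168.0.100:49165 -> 198.51.100.23:443
2007-06-14 10:52:00 TCP 192.168.0.100:49166 -> 198.51.100.23:443
"""

# Everything up to this timestamp is treated as the "known good" baseline period (assumed).
BASELINE_UNTIL = datetime(2007, 6, 14, 10, 5, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


class Conn(NamedTuple):
    ts: datetime
    proto: str
    dst: str
    dport: int


def parse_log(text):
    """Parse log lines into Conn records; malformed lines are skipped, not guessed at."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                          m["proto"], m["dst"], int(m["dport"])))
    return sorted(conns, key=lambda c: c.ts)


def new_destinations(conns, baseline_until):
    """(dst, dport, first_seen) for destinations first contacted after the baseline period."""
    seen, new = set(), []
    for c in conns:
        key = (c.dst, c.dport)
        if c.ts <= baseline_until:
            seen.add(key)
        elif key not in seen:
            seen.add(key)
            new.append((c.dst, c.dport, c.ts.isoformat(sep=" ")))
    return new


def beacon_candidates(conns, min_count=4, max_jitter=0.2):
    """Destinations contacted at least min_count times with near-constant spacing.

    Jitter is pstdev/mean of the gaps between successive connections; a timer-driven
    implant scores near 0, interactive browsing scores high."""
    by_dst = {}
    for c in conns:
        by_dst.setdefault((c.dst, c.dport), []).append(c.ts)
    out = []
    for (dst, dport), stamps in by_dst.items():
        if len(stamps) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            out.append((dst, dport, len(stamps), round(avg, 1)))
    return out


def analyze(log_text, baseline_until):
    conns = parse_log(log_text)
    return {
        "connections": len(conns),
        "new_destinations": new_destinations(conns, baseline_until),
        "beacons": beacon_candidates(conns),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, BASELINE_UNTIL).items():
        print(key, value)
```

On the sample the one destination contacted every ten minutes to the second is flagged, while the two web servers visited a couple of times are not. A real implant may add jitter to its timer, so in practice the threshold is tuned against the host's own history rather than fixed at 20 percent.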


207 comments

does it... (5, Interesting)

russ1337 (938915) | more than 6 years ago | (#20074271)

What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?

Does it run on Linux?

sorry, couldn't help myself.... but seriously..... does it?

Re:does it... (0)

Anonymous Coward | more than 6 years ago | (#20074443)

check the kernel. it may be part of the base.

Re:does it... (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#20075055)

Yep. Try http://lxr.linux.no/source/security/selinux/ [linux.no]

_NSAKEY [wikipedia.org] doesn't even compare to that. Linux kernel devs were falling over themselves to welcome that back door. In public, mind you.

/me goes to play America's Army on my SELinux-enabled TPM-chipped box.

Re:does it... (0)

Anonymous Coward | more than 6 years ago | (#20074447)

Good question: TFA:

If the suspect clicked on the link ... an exploit for a zero-day vulnerability (or unpatched one on the suspect's PC) would have let the government download CIPAV to the target hard drive. But which vulnerability? We don't know. Conceivably, it could have been the FBI's own super-duper flaw, but Occam's razor says it was probably one of the many effective, yet run-of-the-mill, bugs in the wild. Roger Thompson, chief technology officer at Exploit Prevention Labs, took a guess. "If I had to bet, I'd bet on ANI," Thompson said in an IM interview. Good bet. The animated cursor flaw harks back only to late March, and although Microsoft patched it in an out-of-cycle update on April 2, it's effective enough to still be used by the notorious multistrike hacker exploit kit Mpack as recently as last month, long after CIPAV was deployed.

So, in all likelihood, no it doesn't... but they might have some other exploits in their toolbox for other OSes...
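The animated cursor flaw quoted from TFA above is a file-format bug, so the cheapest place to catch a drive-by that uses it is at the mail gateway or proxy, before the file ever reaches the cursor loader. The scanner below is an added example, not code from the article or from this comment. It walks the RIFF chunk structure of an .ani file and reports any anih header chunk whose declared size is not the 36 bytes the header structure defines, the malformed case that public exploits for that flaw relied on; it also reports chunks whose declared size runs past the end of the data. The two sample files are constructed here for the example and are not real cursors.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORD fields


def chunk(fourcc, body):
    """Build one RIFF chunk: FOURCC, little-endian length, body, pad byte to even length."""
    return fourcc + struct.pack("<I", len(body)) + body + (b"\x00" if len(body) & 1 else b"")


def ani_file(*chunks):
    """Wrap chunks in a RIFF/ACON container (the .ani outer structure)."""
    body = b"".join(chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


def iter_chunks(data, start, end):
    """Yield (fourcc, offset, size, truncated) for each chunk in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body_end = pos + 8 + size
        if body_end > end:
            yield fourcc, pos, size, True
            return
        yield fourcc, pos, size, False
        pos = body_end + (size & 1)  # chunks are padded to even offsets


def scan_ani(data):
    """Return a list of findings; an empty list means the file is structurally as expected."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON (animated cursor) file"]
    (riff_size,) = struct.unpack_from("<I", data, 4)
    end = min(len(data), 8 + riff_size)  # never trust the declared size beyond the buffer
    pending = [(12, end)]
    anih_seen = 0
    while pending:
        lo, hi = pending.pop()
        for fourcc, pos, size, truncated in iter_chunks(data, lo, hi):
            if truncated:
                findings.append(f"chunk {fourcc!r} at offset {pos} declares {size} bytes past end of data")
                continue
            if fourcc == b"LIST" and size >= 4:
                pending.append((pos + 12, pos + 8 + size))  # skip the 4-byte list type, descend
            elif fourcc == b"anih":
                anih_seen += 1
                if size != ANIH_SIZE:
                    findings.append(f"anih chunk #{anih_seen} at offset {pos} has size {size}, expected {ANIH_SIZE}")
    return findings


# Constructed samples (not real cursor files): a well-formed one, and one carrying a second,
# oversized anih chunk of the kind the loader should never accept.
BENIGN_ANI = ani_file(
    chunk(b"anih", bytes(ANIH_SIZE)),
    chunk(b"LIST", b"fram" + chunk(b"icon", b"\x00" * 22)),
)
MALICIOUS_ANI = ani_file(
    chunk(b"anih", bytes(ANIH_SIZE)),
    chunk(b"anih", b"A" * 100),
)

if __name__ == "__main__":
    print("benign:", scan_ani(BENIGN_ANI))
    print("malicious:", scan_ani(MALICIOUS_ANI))
```

The first anih chunk in the malicious sample is perfectly valid, which is why a check that only inspects the first header is not enough; every anih chunk in the file has to be held to the same size rule.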

Re:does it... (4, Funny)

HaeMaker (221642) | more than 6 years ago | (#20074535)

Let's find out...

"Mr. Gman from Quantico, VA has sent you an eGreetingCard from Flowers By Irene! Just open this P.D.F. file to view..."

Re:does it... (2, Interesting)

TWX (665546) | more than 6 years ago | (#20074715)

Does it run on Linux?
Even if it does, if you find one of those last-generation Motorola 68000 machines and compile your entire OS from scratch I doubt that they'll have a binary-compatible version to install on it...

Of course, be prepared to have one SETI@Home packet take about four weeks to process, and to have a bogomips rating of something like 16.9...

Re:does it... (3, Informative)

OrangeTide (124937) | more than 6 years ago | (#20074785)

insert a new system call in the middle of your syscall list, and recompile everything for it. it will break all static binaries and shell code :)

My Sparc Classic would take minutes to establish an SSH2 connection. Those big keys take a while; SSH1 was nice and fast. (50MHz, no cache, no FPU)

Re:does it... (1)

mpapet (761907) | more than 6 years ago | (#20074767)

My desktop distro-of-choice doesn't allow exec privileges to email attachments. They'd have a problem with my browser if they sent an evil url too.

You bring up a good question with a very practical answer. This software was developed like all software, with time and budget constraints. If it's home-grown or COTS it definitely does the bare minimum so the fear mongering is likely unfounded. That is, until version 2.0. Aaaahhhh!!!

Let's check... (5, Funny)

Jeff Carr (684298) | more than 6 years ago | (#20074895)

$ sudo apt-get remove cipav
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package cipav

Whew, safe!

Re:does it... (1)

NathanWoodruff (966362) | more than 6 years ago | (#20075417)

Just another reason why I am so glad that I still run OS/2 at home.

Nathan

Re:does it... (1, Funny)

Anonymous Coward | more than 6 years ago | (#20075505)

yeah well I created my own OS from scratch, and roll all my own applications for it too. Next project will be to create a processor from scratch too.

Re:does it... (1)

NathanWoodruff (966362) | more than 6 years ago | (#20076117)

Re:does it... (1)

morgan_greywolf (835522) | more than 6 years ago | (#20076417)

Current version of Firefox for OS/2: http://releases.mozilla.org/pub/mozilla.org/firefox/releases/2.0.0.5/contrib/firefox-2.0.0.5.en-US.os2.zip [mozilla.org]
Nathan


Wow, you're for real.

What I don't get -- why would you still run OS/2, despite its severe lack of decent applications, incompatibilities with current hardware, complete lack of vendor support. At least with a Linux distro, you have a large developer base, decent hardware drivers for current hardware, and can purchase vendor support if you need it.

Re:does it... (1)

bhtooefr (649901) | more than 6 years ago | (#20076533)

Actually, I hear there's surprisingly good support for ThinkPads (go figure,) and the OS/2 nuts just keep porting all the interesting stuff from Linux back to it.

Also, you can purchase vendor [ecomstation.com] support for OS/2, as well.

That said, I'll stick with Ubuntu.

What about zombies? (4, Insightful)

Reziac (43301) | more than 6 years ago | (#20074289)

What happens when zombied computers are used to email such threats? who gets the blame in that case? How do you distinguish the innocent zombied-user from the trojan or virus? Would being infected constitute defense? If so, how do you prove intent??

So many questions raised by this... I'm sure others can think of many more.

Re:What about zombies? (5, Interesting)

toleraen (831634) | more than 6 years ago | (#20074453)

I think the obvious question would be "How does it get installed?"

Re:What about zombies? (2)

Reziac (43301) | more than 6 years ago | (#20074591)

How do you prove that you're the innocent victim of a zombie installer, vs. having surreptitiously zombied your own machine? the installer works the same way regardless, and ISTM it's not too difficult to determine and target your own IP address. (Or for that matter, for the gov't to do so.)

Point being, I'm wondering just how solid this evidence really would be in the eyes of the courts, with or without tech-savvy judges and lawyers.

Re:What about zombies? (3, Interesting)

toleraen (831634) | more than 6 years ago | (#20075553)

I was referring more to the question of how the FBI installs the software on your machine. For some reason picturing a guy in a black suit wearing dark sunglasses sending "OMG Pony Screensaver Inside!!1" emails doesn't cut it. If they're going for computer evidence, it seems likely that their targets would be a bit more computer literate: more up to date on patches, firewalls, etc.

Otherwise, who knows. Maybe their software has to wipe out other possible malware to be effective (wouldn't want that data they're collecting, or even the software they installed going overseas, right?). You'd hope that they would have to show that it was someone typing out the emails locally vs. remotely. But then, who's to say it wasn't the person's little brother writing the email? It doesn't seem like they'd have a lot to stand on...there should be a lot of supporting evidence going with what they collect with that software.

But in the end, don't they pretty much just have to say "We're the FBI. That's what happened." anyway?

Re:What about zombies? (1)

dnormant (806535) | more than 6 years ago | (#20075939)

Installed? Maybe it's an undocumented feature of the Windows product line. "Click here to activate."

Re:What about zombies? (1, Interesting)

Anonymous Coward | more than 6 years ago | (#20074573)

One would hope that, "because of the war against terrorism", being infected becomes a legal offense.
That would certainly increase the awareness.

Re:What about zombies? (2, Informative)

Anonymous Coward | more than 6 years ago | (#20074615)


1) re: duration of evidence kept:

This is either a troll or a rhetorical question.

Why would they need to erase it? how could you prove they didn't delete it?

I remember sitting in a Computer Law class in the early 80s. One of the things discussed at that time (aside from writing briefs which the department chair and a group of landsharks would pick apart, continuing until it looked reasonable) was that you could force the FBI to ensure your information is correct. Did they send you a copy of their information and let you correct it? No. You'd send the information which you believe might be outdated or incomplete and they'd update their information with whatever you sent to them.

2) As far as dealing with the charges + any other issues, remember: there are things which the gov't will prosecute you for, which are top secret and your lawyer isn't given access to the information.

don't forget #3 (1)

conspirator57 (1123519) | more than 6 years ago | (#20075229)

3) there are things the government won't bother to prosecute you for, but will instead send you either to Cuba, ER countries, or any other varieties of violation of due process that haven't made it to the public ken.

Re:What about zombies? (0)

Anonymous Coward | more than 6 years ago | (#20075559)

your briefs arose during law class ???

Re:What about zombies? (0)

Anonymous Coward | more than 6 years ago | (#20075727)

So is it open source? ;-) Couldn't resist.

Someone needs to start collecting the IP addresses they use so we can firewall off all traffic to/from them.

Guess I will have to roll my own proxy to protect myself.

What difference does it make? (0)

Anonymous Coward | more than 6 years ago | (#20076539)

So long as they convict someone, they don't care.

Zombie or not, one specimen WILL be found. (4, Interesting)

arth1 (260657) | more than 6 years ago | (#20076963)

Another worry is, if someone finds it, what precautions there are to keep it immune from subversion, in multiple ways:
  • Sending false data to the feds. With my knowledge of the bureau, I doubt they would ever question the data they receive. (The healthy paranoid people who might ask questions either get fired, or end up in different government branches).
  • Using the app or information in it to launch an attack on the feds' own clandestine systems. This could include modifying the data sent to try to trigger a buffer over/underflow, or simply brute-force DoSing the target destination through a botnet.
  • If it contains backdoor functionality, replacing it with a honeypot and gaining access to passwords and client info of the feds trying to access it.
  • Modifying the app to send data not to the feds but to somewhere else. This would be the holy grail of trojans, as it's likely that most AV software has specific exceptions for ignoring software from the government.

How to identify? (2, Interesting)

redshirt1111 (990928) | more than 6 years ago | (#20074299)

I did read the article, but did not see anything about identification. Other than ensuring there is no spyware running on your machine, anyone have an idea how to detect this particular program?

Re:How to identify? (2, Interesting)

Opportunist (166417) | more than 6 years ago | (#20074585)

Well, there are some ways. Some of them used by trojans, some used by AV kits, some by both.

You can go ahead and force every program you run to load a DLL of yours, which hooks the relevant calls and alerts you when an application tries to access things it has no business in. At least that's how I did it.

It does slow the system down considerably, though, so you might want to use it on a separate machine (real or VM) that you use to do your internet stuff.

Re:How to identify? (0)

Anonymous Coward | more than 6 years ago | (#20075719)

I did read the article

You must ne new here. OH WAIT.... I must be new here. I mean,

eye muss bee knew hear!

Damn, it's hard to get the hang of this slashdot thing...

address is 192.168.0.100 (3, Funny)

maxwells_deamon (221474) | more than 6 years ago | (#20074315)

Just look for the guy with that address!

It must do a traceroute/phone home or something to actually get a useful address

Yes... millions of taxpayer dollars have been... (2, Funny)

DaedalusLogic (449896) | more than 6 years ago | (#20075081)

Spent on a sophisticated solution for detecting your IP address, and the FBI has integrated THIS [ipchicken.com] into CIPAV.

Re:address is 192.168.0.100 (4, Funny)

ArcherB (796902) | more than 6 years ago | (#20075991)

Just look for the guy with that address!

It must do a traceroute/phone home or something to actually get a useful address


As opposed to the guy at 127.0.0.1! I hacked into his machine once, but that bastard had some sort of active defense daemon running that wiped my drive at the same time I was trying to wipe his!

Fortunately, I was able to see the porno pics of his wife before I was hit. Man! That bitch was FUGLY!

The real threat of "government spyware" (5, Interesting)

Opportunist (166417) | more than 6 years ago | (#20074347)

The core problem is, surprisingly, its correlation with antivirus tools.

Either the feds don't give AV vendors a heads-up when they plan to use a trojan, i.e. they risk being found. Now, this would double as the "hey stoopid, the feds are onto you" warning.

So it's likely they do require AV vendors to avoid finding them. This, in turn, would mean, though, that all a potential virus writer has to do is to get his program to match the fed trojan in behaviour and shape, possibly in signature.

I needn't write more, I guess? Why bother coming up with a rootkit if there are governmental-assisted ways to create undetectable malware?
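Whether the risk Opportunist describes is real comes down to what an AV exclusion is keyed on. The snippet below is an added example, not anything from the article or from any AV product; the "trusted tool" bytes, the marker and the malware signature are all made up for the illustration. It contrasts an exclusion keyed on a byte pattern, which any other binary can reproduce by carrying the same bytes, with one keyed on the full-file hash, which a look-alike cannot satisfy unless it is byte-for-byte the same file.

```python
import hashlib

# Constructed stand-in for a known binary an AV vendor has been asked to leave alone.
TRUSTED_TOOL = b"MZ\x90\x00" + b"\x00" * 60 + b"collector:v1" + b"\x00" * 40
TRUSTED_PATTERN = b"collector:v1"                          # what a pattern-keyed exclusion matches
TRUSTED_SHA256 = hashlib.sha256(TRUSTED_TOOL).hexdigest()  # what a hash-keyed exclusion matches

# Constructed malware signature for the toy scanner (not a real detection name).
MALWARE_SIGNATURES = {b"OMG-PONY-DROPPER": "Trojan.Pony"}


def match_signatures(blob):
    """The ordinary signature pass: first matching pattern wins."""
    for pattern, name in MALWARE_SIGNATURES.items():
        if pattern in blob:
            return name
    return "clean"


def scan_with_pattern_exclusion(blob):
    """Exclusion fires on a substring: anything carrying the marker is never scanned."""
    if TRUSTED_PATTERN in blob:
        return "excluded"
    return match_signatures(blob)


def scan_with_hash_exclusion(blob):
    """Exclusion fires only on the exact file; everything else is scanned normally."""
    if hashlib.sha256(blob).hexdigest() == TRUSTED_SHA256:
        return "excluded"
    return match_signatures(blob)


# A copycat: real malware with the trusted marker glued on, which is all the
# pattern-keyed exclusion asks for.
COPYCAT = b"MZ\x90\x00OMG-PONY-DROPPER" + TRUSTED_PATTERN


def compare(blob):
    return {"pattern_keyed": scan_with_pattern_exclusion(blob),
            "hash_keyed": scan_with_hash_exclusion(blob)}


if __name__ == "__main__":
    print("trusted tool:", compare(TRUSTED_TOOL))
    print("copycat:     ", compare(COPYCAT))
```

The hash-keyed form has its own cost: every rebuild of the tool changes the hash, and the exclusion list itself is a perfect detection signature if it leaks, which is the other half of the thread's argument.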

Re:The real threat of "government spyware" (1, Interesting)

Anonymous Coward | more than 6 years ago | (#20074451)

match the fed trojan in behaviour and shape, possibly in signature.

That's difficult considering that all CIA and fed software are signed with a public crypto key that is hidden deep in Windows, and used to verify that the binary is indeed a signed government trojan.

The same method is used to send Windows trojans to foreign military Windows computers as well - that's why many European states do not trust Windows to run their battleships or other critical military systems. I was assigned to disassemble the Windows core logic when I did my mil svc.

Re:The real threat of "government spyware" (1)

Opportunist (166417) | more than 6 years ago | (#20074689)

Dunno if that plays a role for Vista, but XP doesn't care too much about what's signed how, anything may be and actually is checked by pretty much every AV kit I know.

Besides, that only serves as a better way to detect it. I give it 2 days 'til the first detector circulates that looks for exactly THIS crypto key signature.

Re:The real threat of "government spyware" (1)

Jah-Wren Ryel (80510) | more than 6 years ago | (#20074733)

Baloney. You are referring to the NSAKEY [wikipedia.org] and it is not about executable signing, because until Vista+TPM there was no mechanism for executable signing and authentication in MS Windows.

Re:The real threat of "government spyware" (2, Informative)

plague3106 (71849) | more than 6 years ago | (#20075629)

Um, you've been able to sign executables in Windows since at least Windows 2000. It's called Authenticode, and XP does read it. Vista takes it a step further by warning you if you run an unsigned application.

Re:The real threat of "government spyware" (2, Funny)

robogun (466062) | more than 6 years ago | (#20074587)

The AV could just take the middle ground with a generic description like "Suspicious Program: E-card Viewer", it is unlikely it will display as "W.32CIPAV j00 R SO FEDERALLY PWNED"

Re:The real threat of "government spyware" (1)

Opportunist (166417) | more than 6 years ago | (#20074655)

How long do you think 'til you can get a "Warning: Trojan.Crypt.Whatever is a CIA/FBI trojan!" from various mailing lists and boards?

Re:The real threat of "government spyware" (3, Insightful)

mr_mischief (456295) | more than 6 years ago | (#20074953)

By the time you've detected it, it's probably already reported everything. IP, MAC, IP address and HTTP request of the last packet to port 80 (or possibly 443 if it gets its information before the SSL encryption), etc. is neither difficult nor time-consuming to figure out.

Re:The real threat of "government spyware" (1)

Opportunist (166417) | more than 6 years ago | (#20075121)

Still, usually plenty of time to get rid of everything on the computer that might incriminate you.

Re:The real threat of "government spyware" (1, Funny)

Anonymous Coward | more than 6 years ago | (#20075809)

If they managed a remote install there will be a prompt on my screen about permitting an unknown application to connect to the internet.

Re:The real threat of "government spyware" (2, Funny)

orclevegam (940336) | more than 6 years ago | (#20074727)

it is unlikely it will display as "W.32CIPAV j00 R SO FEDERALLY PWNED"

No, but that would be awesome. Maybe some of the open source antivirus kits out there (I know there's at least one) should use that as the name if they ever manage to get a signature of CIPAV.

Re:The real threat of "government spyware" (1)

griffjon (14945) | more than 6 years ago | (#20074751)

What about heuristics engines? Will they get a huge "unless" clause tagged on to them?

What about people with strong firewalls which monitor outbound traffic?

I have a hard time believing the USGov is competent enough to do this well.

Re:The real threat of "government spyware" (1)

Opportunist (166417) | more than 6 years ago | (#20075157)

As soon as they catch anything but teenagers with it, I will start thinking about it. Until then, I say they have no better tools available than the average trojan writer. Probably they are less free in their choice of tools, rather.

Re:The real threat of "government spyware" (0)

Anonymous Coward | more than 6 years ago | (#20074873)

No, that's still having a finger pointed at it.

Chances are, they would just make the thing dang hard to find, and at most tell any AV company that did find it to stay hush-hush. They would also probably grab the heuristics info for heuristics searches to make the program hard to find via those. And if a heuristics program did find it by chance, it wouldn't know that the program is a government program, so it wouldn't be as big of a threat as having a module in the AV code to 'ignore' the program.

Re:The real threat of "government spyware" (1)

Geoffreyerffoeg (729040) | more than 6 years ago | (#20075185)

This, in turn, would mean, though, that all a potential virus writer has to do is to get his program to match the fed trojan in behaviour and shape, possibly in signature.

Er, what if AV programs are configured to ignore programs that connect to (and only connect to) cipav.fbi.gov or somesuch? :-)

Re:The real threat of "government spyware" (1)

herve_masson (104332) | more than 6 years ago | (#20075465)

So it's likely they do require AV vendors to avoid finding them

What makes you believe that the feds are powerful enough to influence all AV vendors, including the few big ones located in Europe? I have a hard time buying that, but it also means that either the feds are clever enough to remain undetected, or the AVs are dumb enough to miss them for a very long time. Strange indeed...

I read the article (1, Insightful)

Anonymous Coward | more than 6 years ago | (#20074379)

And all I saw was a whole bunch of "Don't know"s and speculation.

Re:I read the article (1)

davidsyes (765062) | more than 6 years ago | (#20075491)

Well, in the vein of "speculation"...

Then, is this how they brought down mob bosses a few years ago? What is so special about this today than a few years ago?

Or did they simply use RF/EM surveillance against the keystrokes of that enforcer/boss?

I've been wondering if a port sniffer/protocol analyzer/keystroke counter were sneaked in via a maintenance person, or flown in by one of those DARPA critters...

OTOH, depending on the building layout, maybe an "occupant" flushed a stringed bug that deployed lodging arms or self-welded into a pipe at the right spot in the plumbing layout and then went to work...

Just loose speculations...

And if this was posted by kdawson... (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#20074427)

the title would be "How Bush is personally spreading spyware to rape your computer"

Do they still get spam? (2, Interesting)

192939495969798999 (58312) | more than 6 years ago | (#20074469)

If they have this amazing tool for tracking people down, do they still get spam at HQ? If so, why not use this to catch the spammers and make them stop? Is it because they're all beyond jurisdiction now?

Re:Do they still get spam? (3, Funny)

It doesn't come easy (695416) | more than 6 years ago | (#20076383)

In the grand scheme of things, spam doesn't rate very high when compared to a bomb threat. Resource limitations dictate that the FBI concentrate on music downloading, bomb threats, and spam, in that order ;)...

So, if you're a criminal.... (2, Insightful)

iknownuttin (1099999) | more than 6 years ago | (#20074471)

MySpace accounts can't receive traditional e-mail, so one hacker standard -- attach the CIPAV to a message and hope the recipient is stupid enough to launch it -- wasn't available. Instead, the most likely tactic would have been to send a URL to the suspect account using MySpace's own instant messaging and/or Web mail system. If the suspect clicked on the link -- it would have had to be enticing, so use your imagination here -- and visited the FBI-owned malicious site, an exploit for a zero-day vulnerability (or unpatched one on the suspect's PC) would have let the government download CIPAV to the target hard drive.

Don't click on any links sent to you and don't visit any sites sponsored by the FBI.

I guess if the FBI is targeting you and they know that you like kiddie porn, they would set up a kiddie porn site to get a trojan on your machine.

Re:So, if you're a criminal.... (0)

Anonymous Coward | more than 6 years ago | (#20074735)

regardless of its intent, something seems wrong with the FBI *setting up* kiddie porn sites.

Re:So, if you're a criminal.... (1)

Opportunist (166417) | more than 6 years ago | (#20074755)

Well, then I guess they wouldn't really need to install a trojan in your box anymore, would they? They already proved that you tried to access material that's not suitable for you.

Re:So, if you're a criminal.... (1)

Applekid (993327) | more than 6 years ago | (#20074899)

The idea wouldn't be to stop just the perp but to embolden them. See who they refer, follow the path of files downloaded as they are redistributed by interested parties. Correlate time spent hunting for that stuff with time they are on their home computer with the lights off and the curtains closed. Package together a completely undeniable case against them. And if they don't distribute or become brave enough to upload their stash (for the sake of image-hash generating algorithms to quickly let software find kiddie porn), they still pretty much got them anyway. It's a win-win.

And with any luck they might actually catch a real pedophile instead of some poor shlub that had a virus planted on his machine to explicitly go to those sites without his knowledge for the intentional purpose of getting them busted by the feds. But that's never really been a concern, of course, since that would be bad for the numbers that show the program works.

Re:So, if you're a criminal.... (1)

dmpyron (1069290) | more than 6 years ago | (#20076297)

Alternatively, you make the President's enemies list (any President, now or future). So they install a trojan from any source URI, doesn't have to be anything nastier than a new site to send free e-cards from. Next thing you know, the Feebs are kicking down your door and finding all the kiddie porn "you" downloaded, along with all the traces of kiddie porn "you" uploaded to your friends, all of whom also get busted. Not that I'm paranoid or anything, although I haven't taken my meds in a few days.

60 days after the software had been "activated" (0)

Anonymous Coward | more than 6 years ago | (#20074497)

Lets stick it to the man by writing an activation crack!!!

Although that probably won't get us past the FBI update site.

I guess we will have to slipstream until they crack the Hoover Genuine Advantage program.

But how do they install it?!?! (5, Interesting)

Daneboy (315359) | more than 6 years ago | (#20074503)

How, exactly, do the Men In Black install this uber-spyware on a target system?

Do they get a warrant, sneak into your home in the dead of night, and install software on your computer?

Do they mail it to you as a virus, perhaps cleverly disguised as a Nigerian spam scam?

Do they use the back door that Microsoft agreed to put in all their software in return for being granted Most-Favored Monopoly status by the government?

Or something else? "You are a suspected pedophile. To clear your name, please click here to install the FBI's internet spyware on your computer"?

Anyone know?

Re:But how do they install it?!?! (3, Interesting)

Opportunist (166417) | more than 6 years ago | (#20074811)

Maybe it's just a variant of the way MPack infects. Slipping code into inconspicuous pages, redirecting you to an iframe containing an exploit, suitable for your browser, and presto.
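The MPack-style delivery Opportunist describes leaves one trace on the compromised page: an iframe the visitor is not meant to see, pulling from a host the page otherwise never talks to. The scanner below is an added example, not from the article or from any exploit-kit analysis; the sample page and the hosts in it are constructed. Using only the standard library, it flags iframes that are zero-sized, styled invisible, or positioned far off-screen, and notes when such a frame's src points at a different host than the page itself.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a normal page with one legitimate video embed and two injected frames.
SAMPLE_PAGE = """<html><body>
<h1>Local news</h1>
<iframe src="http://video.example.com/embed/1234" width="425" height="350"></iframe>
<p>Story text...</p>
<iframe src="http://198.51.100.23/load.php?id=7" width="0" height="0" frameborder="0"></iframe>
<div><iframe src="http://203.0.113.9/in.html" style="position:absolute; left:-2000px; top:-2000px"
 width="100" height="100"></iframe></div>
</body></html>"""


def _px(value):
    """'0', '1px' -> int; '100%', None or junk -> None (only pixel sizes are comparable)."""
    m = re.fullmatch(r"\s*(\d+)(px)?\s*", value or "")
    return int(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            px = _px(a.get(dim))
            if px is not None and px <= 1:
                reasons.append(f"{dim}={px}")
        style = a.get("style", "").lower().replace(" ", "")
        for marker in ("display:none", "visibility:hidden"):
            if marker in style:
                reasons.append(marker)
        for m in re.finditer(r"(left|top):-(\d+)px", style):
            if int(m.group(2)) >= 1000:
                reasons.append(f"offscreen {m.group(0)}")
        if not reasons:
            return  # visible frames are ordinary embeds; nothing to report
        host = urlparse(a.get("src", "")).hostname
        if host and host != self.page_host:
            reasons.append(f"third-party host {host}")
        self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html, page_host):
    """Return one finding per hidden iframe: its src and the list of reasons it was flagged."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE, "news.example.com"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run against the constructed page it reports the two injected frames and stays quiet about the video embed. A kit can also hide the frame with JavaScript or obfuscated CSS, so this catches the lazy variant; the third-party-host note is what makes the finding worth a look even when the size trick is absent.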

Re:But how do they install it?!?! (2, Funny)

Anonymous Coward | more than 6 years ago | (#20074871)

Do they get a warrant, sneak into your home in the dead of night, and install software on your computer?

Yes.

Re:But how do they install it?!?! (2, Informative)

mogasm (818130) | more than 6 years ago | (#20075889)

They have gotten court orders in the past to break into the house for the purpose of installing the spyware

Re:But how do they install it?!?! (2, Funny)

BlueParrot (965239) | more than 6 years ago | (#20076543)

Do they get a warrant, sneak into your home in the dead of night, and install software on your computer?
You still think they would need a warrant to do so? It is more like:
try{
getTarget().addUnconstitutionalSpyware();
}
catch (SomebodyFoundOutException e){
getTarget().accuse( new Excuse( Excuse.paedophile , Excuse.terrorist ));
}
finally{
profit();
}

Score one for Mac users.. (0)

Anonymous Coward | more than 6 years ago | (#20074527)

This will be the first time we're glad to hear "Sorry, our software doesn't run on Macs"
haha

Re:Score one for Mac users.. (1)

Xtravar (725372) | more than 6 years ago | (#20075605)

I think it's safe to say that the Apple demographics don't include people the government wants to go after, aside from maybe fancy pants drug traffickers who the government skims profits from anyway.

The poor have always been the targets of the government, for whatever socio-political reasons there may be. Everyone knows that rich people rarely get convicted of crimes, as they are least suspect and can afford good lawyers. Poor people are more likely to use PCs, which means "criminals" are more likely to use PCs. Conversely, Macs are status symbols.

Possession of small amounts of marijuana was a major offense when poor minorities were the only ones caught with it. Then, white suburban kids started to be caught and the penalties were decreased. The government works for the wealthy to suppress the poor because it's the only way to sustain the inequities of capitalism.

Just playin' devil's tinfoil Marxist advocate! Take with a grain of salt. Have a nice day!

Better question (3, Interesting)

grasshoppa (657393) | more than 6 years ago | (#20074595)

What happens to the first person to get a hold of this software and fully analyze it?

5 bucks says they get a visit from big men in serious black suits and then are never seen again.

Re:Better question (3, Insightful)

Mattintosh (758112) | more than 6 years ago | (#20074773)

That depends on whether they're in the USA or not. If you're in the USA, enjoy your stay at the Gitmo Hilton. If you're not, well, you might not be bothered at all, but don't fly to the USA. Ever.

Re:Better question (2, Insightful)

gstoddart (321705) | more than 6 years ago | (#20075885)

That depends on whether they're in the USA or not. If you're in the USA, enjoy your stay at the Gitmo Hilton. If you're not, well, you might not be bothered at all, but don't fly to the USA.

Yeah, because the US government has never grabbed someone who is on foreign soil and whisked them away in an airplane late at night when nobody was looking. (No, really [usatoday.com].)

If they want you bad enough, they will send someone to retrieve you. Domestic and international laws be damned. Now, they won't do it for sending spam, but if you seem like a potentially serious enough threat, they will.

Cheers

typical hysterical twit (1)

circletimessquare (444983) | more than 6 years ago | (#20075961)

"If you're in the USA, enjoy your stay at the Gitmo Hilton. If you're not, well, you might not be bothered at all"

what is this, humor? does anyone actually believe this represents a fair depiction of how dissent, spying, and enemies of the state are handled by the usa, and *laugh* other governments in the world?

the usa has plenty of problems, don't get me wrong. but if you analyze any other country and the way they handle spying and rights, guess what? the usa doesn't look so bad

does this excuse the usa? no

but what it does mean is that those who use the "you're going to gitmo" angle when criticizing the usa's spy actions just sound ignorant

go ahead and criticize the usa, be my guest. but please try to sound vaguely educated on the subject matter of world governments, rights of citizens, and government abuses and where the usa stands in that spectrum

you don't bring a critical eye on the usa and its bad behavior, which is what the usa deserves. no, instead you just make those who oppose the usa's spy efforts sound like retards

Re:typical hysterical twit (1)

conspirator57 (1123519) | more than 6 years ago | (#20076849)

"but what it does mean is that those who use the "you're going to gitmo" angle when criticizing the usa's spy actions just sound ignorant

go ahead and criticize the usa, be my guest. but please try to sound vaguely educated on the subject matter of world governments, rights of citizens, and government abuses and where the usa stands in that spectrum"

Once they violate the various Constitutional protections we had (I mean have; yeah that's it) for one reason, they have precedent to expand their reasons for doing so. It is intolerable to allow the government to break these rules for any citizen for any reason. If you allow it to occur at all, then eventually the government will break any rule for any reason at all. Oh, wait, by my count more provisions of the Constitution are ignored now than at any prior point in our history.

When Lincoln suspended Habeas Corpus during the Civil War (a time when, unlike now, there was a legitimate threat to the continued existence of the US), his actions were questioned as unconstitutional. How's that for vaguely educated?

Re:typical hysterical twit (1)

janrinok (846318) | more than 6 years ago | (#20077011)

I think that he still made a valid point. Whether other countries are any better is debatable, but the USA has crossed several boundaries by holding people in Gitmo without due legal process of any kind. There is no justification for it at all. I do not think that the FBI are quite there yet but, from the outside, there doesn't seem to be much that will stop them if that is what they want to do. But the FBI are breaking the law - it is illegal to put software on someone else's computer without their permission - it's just that you think that because they are the FBI then it should be OK. Is this done with a warrant? How do you know? Have the FBI ever exceeded their permitted boundaries? (Yes - only a few weeks ago there was a /. post about them having to apologise for other abuses). Has the USA ever detained people in transit through the USA? (Yes). So the GP was stating pretty accurately how the US actions are viewed, rightly or wrongly, by many around the world. Of course you will want to defend the US, but your response didn't convince me that that view is wrong. It simply looked as though it is true but you were a bit pissed about it.

Is this really a reliable tool for the FBI? (4, Interesting)

Vokkyt (739289) | more than 6 years ago | (#20074609)

There are many programs out there, such as LittleSnitch for Mac, which are rather adamant about making sure you know everything that is phoning home on your computer. Does the CIPAV have a method of circumventing these road blocks or would the FBI be stumped by the same software that is intended to keep computers safe from malicious software? While I could certainly understand them working with larger developers like Symantec and Microsoft to ensure that their anti-spyware and virus protection software dutifully ignores a product like CIPAV, what about machines running protection applications from smaller developers, or even open source protection, like the ClamAV project?

Better yet, if programs like CIPAV become more common as a tool for Federal Investigations, does it become a requirement that said programs allow CIPAV and its successors to do their work?

Re:Is this really a reliable tool for the FBI? (1)

BSAtHome (455370) | more than 6 years ago | (#20074929)

Better yet, if programs like CIPAV become more common as a tool for Federal Investigations, does it become a requirement that said programs allow CIPAV and its successors to do their work?

That would mean mandatory self-incrimination? Don't think that will fly. However, considering the US direction of depleting its freedom resources, who knows.

Re:Is this really a reliable tool for the FBI? (0)

Anonymous Coward | more than 6 years ago | (#20075535)

Does the CIPAV have a method of circumventing these road blocks or would the FBI be stumped by the same software that is intended to keep computers safe from malicious software?

Something tells me they've thought of that...

One way would be to install an extension to the browser, which could easily open an outbound port 80 request and send the data to some web server.

This could happen whenever the user accesses any web page, for example. Many existing web pages have links to content such as images that are located at different URLs - by piggy-backing a method "GET" on a normal web page access, the spyware could easily "phone home" without being detected.

Such a method is nearly transparent and would be silently allowed by the firewall (unless the firewall is blocking all http access, which is highly unlikely).

Once the o/s is compromised by the trojan, it would be trivial to install a browser extension/plugin to behave similarly to what I've described.

Of course hooking into the TCP/IP stack directly can also be done, but this would be much more difficult to update without taking down the net system or forcing a reboot...

Re:Is this really a reliable tool for the FBI? (1)

Vokkyt (739289) | more than 6 years ago | (#20075695)

Yeah, but now we're installing two things via Malware; a browser extension and the CIPAV program. That's two things to sneak in, hide, and have run undetected by the computer, and also an assumption that the CIPAV is compatible with the browser used. On top of that, there is still an IP trail in router logs if data is being sent to an unknown location that you never accessed. After that, it's pretty easy to close up access, should the paranoid and disillusioned be watching their router logs carefully.

Also, while I do understand what you're saying about the method GET, that's still an outgoing connection that wasn't initiated by the user. (The web access action was, but the CIPAV extension wasn't.) Wouldn't the guardian program still pick that up as suspicious activity?
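
The two posts above argue about whether a phone-home that rides along with ordinary web traffic still leaves a trail in router or firewall logs. The following is an added example, not code from the thread or from any FBI tool, showing the defender's side of that argument: it reads a constructed outbound-connection log, flags destinations that the user's own browsing (a constructed set standing in for resolved browser-history hosts) does not account for, and looks for the near-constant contact interval that a periodic phone-home produces. The log format, the address set and the jitter threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample firewall/router log (not real data): one outbound
# connection per line, fields are "timestamp src dst dport".
SAMPLE_LOG = """\
2007-07-31T10:00:01 192.168.1.10 203.0.113.5 80
2007-07-31T10:00:02 192.168.1.10 203.0.113.5 80
2007-07-31T10:00:30 192.168.1.10 192.0.2.44 443
2007-07-31T10:05:00 192.168.1.10 198.51.100.7 80
2007-07-31T10:07:12 192.168.1.10 198.51.100.99 80
2007-07-31T10:10:30 192.168.1.10 192.0.2.44 443
2007-07-31T10:20:31 192.168.1.10 192.0.2.44 443
2007-07-31T10:30:29 192.168.1.10 192.0.2.44 443
"""

# Constructed: destinations the user's own browsing explains (for example
# browser-history hostnames resolved to addresses).
USER_VISITED = {"203.0.113.5", "198.51.100.7"}


def parse_log(text):
    """Return a list of (timestamp, src, dst, dport) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def unexplained_destinations(records, visited):
    """Destinations that were contacted but that the user's browsing does not account for."""
    return sorted({dst for _, _, dst, _ in records if dst not in visited})


def beacon_candidates(records, min_hits=3, jitter_seconds=5.0):
    """Destinations contacted at a near-constant interval, the signature of a
    scheduled phone-home. Returns {dst: median_interval_seconds}."""
    by_dst = defaultdict(list)
    for ts, _, dst, _ in records:
        by_dst[dst].append(ts)
    found = {}
    for dst, times in by_dst.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        # Every gap must sit within the jitter window around the median interval.
        if med > 0 and all(abs(g - med) <= jitter_seconds for g in gaps):
            found[dst] = med
    return found


def report(text=SAMPLE_LOG, visited=USER_VISITED):
    """Run both checks over a log and return the findings as a dict."""
    records = parse_log(text)
    return {
        "unexplained": unexplained_destinations(records, visited),
        "beacons": beacon_candidates(records),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

The "unexplained" list is the IP trail the post above refers to: a destination the user never navigated to shows up regardless of how the request was smuggled into a normal page load. The beacon check adds the second signal a practitioner looks for, since a single unexplained host could be an ad server or a CDN, but one contacted every ten minutes with almost no jitter is worth a closer look.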

Re:Is this really a reliable tool for the FBI? (2, Interesting)

Vokkyt (739289) | more than 6 years ago | (#20075761)

Also (sorry to double post, but this just came to mind), what happens if it is blockable? Does using the software to prevent CIPAV from calling home constitute a felony for disrupting a Federal investigation? Or, what happens in the case of a rebuild? Is that also considered to be messing with a Federal Investigation if the target is unaware that they are being monitored?

Re:Is this really a reliable tool for the FBI? (0)

Anonymous Coward | more than 6 years ago | (#20077019)

My guess would be that the CIPAV methods for calling home were probably designed with avoiding notice by such programs in mind.

Since the details of CIPAV are a "law enforcement sensitive secret" we can't say if it works like a rootkit, if its interactions with Windows internals were created with cooperation from MS, or even what its capabilities are. At a guess though the information sent back to HQ is fairly small in byte count, which gives them a large number of options for phoning home. At a guess I'd say they encode and then encrypt the info and then piggyback it on normal network protocols.

I wouldn't mind running this (1)

Larry Lightbulb (781175) | more than 6 years ago | (#20074619)

Well, if they took out the phone home aspect - other than that it seems to be a fairly useful monitoring tool.

What if Crackers modify it for themselves? (3, Interesting)

denis-The-menace (471988) | more than 6 years ago | (#20074771)

If AV companies do let the FBI version go through unchecked, what if the virus and worm writers of today get a hold of this and modify it for their own purposes?

A lot of effort for 90 days detention. (3, Insightful)

AltGrendel (175092) | more than 6 years ago | (#20074851)

...Monday, June 18. On July 15, after he pleaded guilty in juvenile court to charges of identity theft and making bomb threats, the teen was sentenced to 90 days' detention.

They spent a lot of money on that. Sounds to me like it was actually a "test run" to make sure things work as expected. And now that they know it will work...

Re:A lot of effort for 90 days detention. (0)

Anonymous Coward | more than 6 years ago | (#20076957)

...Monday, June 18. On July 15, after he pleaded guilty in juvenile court to charges of identity theft and making bomb threats, the teen was sentenced to 90 days' detention.

And you said ...

They spent a lot of money on that. Sounds to me like it was actually a "test run" to make sure things work as expected. And now that they know it will work...

And I say ...

If this was a test run, they would have plea-bargained him off and kept the snitchware info secret.

Hey, this is no fair. (3, Funny)

Caspian (99221) | more than 6 years ago | (#20074877)

I demand a Mac OS X port! And a Linux port! The FBI is being unfair! ;)

Re:Hey, this is no fair. (1)

Anonymous Coward | more than 6 years ago | (#20075257)

Since OS X is closed source, you could (and probably already do) have a copy of it already installed on your computer. You'll never know or be able to find out.

Is it copy-protected? (1)

Sloppy (14984) | more than 6 years ago | (#20074925)

Wow, people are worried about it spreading itself to other computers, deliberately or accidentally. It seems like the FBI has a bigger problem here: they're giving a spying tool to exactly the kind of people who, in the FBI's opinion, are less trustworthy than the average citizen. They give it to them, in the hopes that the suspected criminal will install it on their own machine instead of someone else's.

Think about this series of events: FBI looks into a kiddie porn / pedophile ring, and tries to trick the suspects into installing this spyware. The pedophiles think, "Oh wow, what do we have here?" and forward the spyware to the kids. Now the pedophiles are logging the kids' keystrokes (or whatever the hell this software does) and learning what websites the kids visit, so as to make easier contact. Thanks, government.

You shouldn't lose sight of the fact that trojans aren't like other surveillance tools, where the spy does something "to" the spied-upon. With trojans, you have to give the weapon to the person you intend to use it against, and hope that they use it correctly. The Greeks must have been very relieved that the Trojans didn't accept their gift with the words, "Thanks for the bonfire wood; we're gonna have a hell of a party tonight!"

Obviously, the solution to this is for the FBI to print a special hard-to-photocopy manual that goes with CIPAV, and distribute the manual to the suspects. When the suspect boots their computer, display a prompt, "In order to have your network packets directed to fbi.gov, please enter the third word from the fifth line on page 28." Then keep tabs on making sure the suspects don't somehow find a way to copy the manuals and hand them out to their victims. ;-)

Re:Is it copy-protected? (0)

Anonymous Coward | more than 6 years ago | (#20075555)

You bring up a potentially valid concern, but you present an absolutely ridiculous scenario:

Think about this series of events: FBI looks into a kiddie porn / pedophile ring, and tries to trick the suspects into installing this spyware. The pedophiles think, "Oh wow, what do we have here?" and forwards the spyware to the kids. Now the pedophiles are logging the kids' keystrokes (or whatever the hell this software does) and learning what websites the kids visit, so as to make easier contact. Thanks, government.

Yes, the scary web monsters will log the kid's keystrokes, and once they find out that the target child visits Disney.com they will have that child in their evil clutches in no time! Muwhahahaha! Why scope for a potential victim in their own town when they can gather information and web-habits about a child half a world away?

Sounds like you've been absorbing a bit too much American (western?) media. Despite what you may hear, sexual predators on the internet are not the greatest current threat to civilization.

Re:Is it copy-protected? (1)

Sloppy (14984) | more than 6 years ago | (#20075701)

Sounds like you've been absorbing a bit too much American (western?) media.

Well, no, just trying to push popular buttons. Won't somebody think of the children?

Re:Is it copy-protected? (1)

dmpyron (1069290) | more than 6 years ago | (#20076471)

Never mind kiddie porn (a specious example, at best). The Feebs are also tasked with domestic spying and enforcement of Federal laws. So they install a copy on Abdullah's machine. Or Vladamir's. Or Vitorio's. But it gets caught (they're all smart enough to run a spyware checker from a non US vendor). Now they have "the perfect tool". Sooner or later this is going to happen.

Moral to this story? (2, Insightful)

JimDaGeek (983925) | more than 6 years ago | (#20074987)

Don't use a MS Windows based OS if you want to do stupid stuff. Odds are that these types of government programs are only targeting the large user base of MS Windows. Use Linux, *BSD or Mac OS X and flip the government the birdie! ;-)

Re:Moral to this story? (1)

JimDaGeek (983925) | more than 6 years ago | (#20075025)

Sorry to reply to myself. I forgot the last line:

Use Linux, *BSD or Mac OS X and flip the government the birdie! Or don't do stupid stuff.

Oh, I just had another idea. Does anyone know of a list of most of these government sites? Why not just block them at the firewall level? Or for n00bs use something like PeerGuardian.

Some More Speculation on Installation Methods (5, Interesting)

Dreamland (212064) | more than 6 years ago | (#20075141)

Some more speculation on installation methods of CIPAV can be found here:

http://blog.misec.net/2007/07/31/3/ [misec.net]

Specifically, it looks like the FBI may have several ready-made exploits, each targeting a different OS/web browser combination. An interesting question, then, is what they would do if they encountered a system that is fully patched and running a more secure browser such as Firefox. Does the FBI have access to their own zero-day exploits that they can whip out to install this trojan? If so, is it possible they have their own team of hackers set out to find such exploits?

Re:Some More Speculation on Installation Methods (0)

Anonymous Coward | more than 6 years ago | (#20075601)

Or better yet, what if you are booting from one of those "Live CD" versions of Linux, sending your threats and then booting back to normal for other everyday use, or even using a virtual machine to do this (imagine one modified to report a random MAC each time on top of that) and just throwing out the image and using a backup each time?

This will catch the stupid, but not the seriously criminal or paranoid.

Re:Some More Speculation on Installation Methods (0)

Anonymous Coward | more than 6 years ago | (#20075641)

It seems you assume that all operating systems are designed in such a way that breakin is only possible "exploiting" a "vulnerability" that has not been "patched".
But what if operating systems in wide use simply contain a backdoor for installation of such software?

Re:Some More Speculation on Installation Methods (0)

Anonymous Coward | more than 6 years ago | (#20076595)

Of course the Feeble Eye employ hackers... Every Gov't agency does! Most larger law enforcement agencies do as well. In fact the NSA employs mostly hackers or cryptography experts. Get with the times. Zero day exploits, malware, viruses, trojans, rootkits, you name it, the feds got some of their own. Even the Canadian law enforcement agencies have teams of hackers and social engineers working for them. In fact the RCMP (Canadian) was the first entity in the world to create computer forensic tools for court purposes and were used exclusively by the FBI until EnCase and FTK came around. I know most people think that law enforcement is behind the curve with tech but they were developing rootkits before most people wrote their first hello world Bash script.