Enhanced Carnivore To Crack Encryption Via Virus

suqur writes: "MSNBC has a story about a new Carnivore feature, dubbed 'Magic Lantern,' which arrives on a victim's computer in the form of a virus through email or well-known vulnerabilities. Magic Lantern uses keylogging to extract keys typed in, and sends them off to the FBI. This is similar to a story reported on previously, but taken one step further, allowing computers to be compromised remotely."

Legal?

Does this mean it will now be illegal to use a secure system? Having any type of security/virus protection will be circumvention of law-enforcing software.

And what happens if this "happens" to get installed on a foreign government's computer? Can we say "espionage"?

Re:Legal?

More importantly, will it be illegal for Symantec to modify Norton Anti-Virus to block it?

IF they do eventually make it illegal to block the virus then 'terrorist virus writers' can be guaranteed a hole in every system.

And it is not far-fetched that they would make it illegal to block it. For instance, it is illegal to wear a bullet-proof vest if you are in a situation where the police want to shoot you.

--jeff

Re:Legal?

Additionally what happends to ISPs and SysAdmin who automaticly filter e-mail viruses.
Could someone go to jail simply for NOT running an e-mail virus?
Could Microsoft, RedHat, Apple or Sun get in trubble for fixing a defect?
Could the government ask Microsoft to install a back door then on descovery when Symantic patches Windows to CLOSE the back door or if BugTrap discovers it and a third party patches it.. Would the government sue for discovery or patch?

And Linux hacks have been known to exist that (for security reasons) pretend to be known Windows back doors to employ known defects in script kiddy toolkits.
The defects themselfs could be easy to discover just in the way the backdoor works.. "Ahh here the script kiddy has a file reception system were I can send ANY file I want... any size.. oh and a typical redundency compression system.... Let's see compression code.. repeate "0" for 16 gig.. ok thats 6 bytes than expand into 16 gig.. He's dead.."

On the inverse...
"In todays news known terrorist Al Be Dumbby was set free on a legal technicallity.
The terrorist group 'born stupid' is now counter suing for infecting Al Be Dumbbys computer...
Many suggest this lawsute is an act of intelegence and disproves the groups contention that the terrorists have an inherent right to be stupid.
Others point out had Al Be Dumbby not clicked on the virus or used Windows to start with this wouldn't be an issue"

Re:Legal?

I don't think it'll be illegal to use a secure system due to this, but I *do* think they're really asking for trouble if this thing "flies".

WARNING: The remainder of this post may in fact be advocating "terrorism" under the new definitions put forth by the U.S. gov with respect to "computer crimes". Why am I logged in? Because, quite simply, they can kiss my A$$.

Do you really think tens thousands of server admins would let this go without retribution? I for one sure as hell wouldn't. Invasion of my servers is, in my book, precisely the same as invading my home (maybe even worse). Okay, so how do we fix their little red wagon?

Go HoneyPot on their asses. Set up a bunch up of machines all over the place to get compromised, and have firewall software monitoring the destination of the nasty outgoing packets. From there, use a P2P model to distribute the destinations of such data, and D-E-N-Y the living hell out of their servers. For added flair, you could always include repetitious, highly profane strings in your denial actions (use your imagination).

I would especially advocate this concept for all technies living in various foreign nations whose citizens might get "bugged" by the our wonderful boys in blue. Yes, I am openly advocating retaliatory strikes against this sort of disgusting behavior.

And I think it's damned well warranted. :(

Web hosting by geeks, for geeks. Now starting at $4/month (USD)! [trilucid.com]
Yes, this is my protest to the sig char limit :).

AV software.

What are the odds that antivirus software could be updated to find this virus? It obviously couldn't be cross-platform either. And if the gov't somehow manages to pressure a/v companies into not including it in virus defs, what would happen if some malicious kiddie got hold of the code, and unleashed a much more destructive version, knowing full well that most machines were not protected? Who would be liable in that case?

Re:AV software.

I doubt it would happen that way. Chances are, the "virus" wouldn't be self-replicating, at least the government's version wouldn't. If it were, there'd be no effective way to control it. So, if the only people who are sent this thing are people the feds want to bug, the AV companies most likely wouldn't see it.

However, all this goes out the window if someone gets hold of this thing somehow and modifies it. They could do several things. First, they could attempt to decompile it and then post the source for all to see. If they wanted to get more, um, creative, they could modify it so it becomes a truly self-replicating virus. Not only would this turn the thing loose on the Net at large, it'd also have the possible effect of taking out whatever computer the original virus was supposed to "phone home" to. How long could a machine set up to handle data from several thousand of these things last when it's getting bombarded with data from a few million? Finally, there's the possibility that it could be modified to seek out and attack computers owned by the government. Once it got in, it would sit there and spy on whoever was using that machine. Results could be sent anywhere. Protecting all those government computers would be a massive undertaking. Even if the feds had custom software to do it, distributing it in any meaningful way to locations around the country would almost guarantee that it'd leak out within a few days. But the truth is that federal computers are running the same software that everyone else is, and the people using them can be just as easily deceived as the average home user. All it'll take is for one programmer with talent, a chip on his shoulder, a good deal of free time, and access to the right tools to decide to fight code with code. If he gets hold of the feds' virus, he could use that. If not, well, he'd most likely roll his own.

This is a superbly stupid idea the feds are pursuing. If they write crappy code, only the truly moronic will allow this to get installed. If they write a really sophisticated piece of software, they could very well end up creating a monster that will turn around and bite them in the ass.

In other news...

In other news today, the FBI was arrested en masse for violating numerous newly legislated anti-terrorist laws prohibiting compromising remote computers...

well i guess this is a continuation

of the case against Microsoft by disgruntled federal employees.

Mail-virus attachments are best contracted via Outlook or web mail clients; anybody with advanced security will not have a problem here.

Unless the government starts persecuting people on Linux and *BSD systems, because they are inimical to the FBI's spying methods.

Foucault's Panopticon, here we come..

This only works if....

a) The FBI kicks in your door and installs Outlook

b) You always open email with the subject "Snow White and the 7 FBI Agents"

c) You run the attachment called "FBILOVESYOU.VBS" (and you run Windows, Outlook, etc)

Blah, dumb communist FBI

Encryption program name

It watches for a suspect to start a popular encryption program called Pretty Good Privacy. It then logs the passphrase used to start the program, essentially given agents access to keys needed to decrypt files.

If this is true, then it would seem all you need to do to foil this latest slightly-hare-brained-scheme would be to rename pgp to something else, such as goawayfbi.

Re:Encryption program name

Better yet, rename it 'Quake', so you'll get better 3D acceleration for your PGP.

Don't rename it Quake!

After it's renamed and loaded with the ATI drivers, PGP will encrypt things twice as fast, but side-by-side inspection will reveal it's algorithm to have switched to XOR.

Way to go, FBI!

Thanks to the FBI, a whole new market is now being pushed into exploring the world of alternative operating systems.

Talk about a boon to the Open Source movement! Show the people (not just the bad guys) that Microsoft's numerous vulnerabilities can be used by Big Brother to monitor them. I can't think of a better way to boost Linux distro sales.

DCMA violation?

The first thing that comes to mind is a flagrant violation of the DCMA.
How does the government expect to work around this one? There are so many things that can go wrong...

1. Probably OS-dependent. Remember: virii for one platform (i.e., Win) will probably not work for others. That was not hard to get around

2. Human link involved. This virus will presumably be propagated via email, or some other form of trojan. Those who tend to use encryption tend to block this type of thing from happening to their machine anyway. Yet another reason not to open email/attachments from an addresser named "CIA" :P. That was easy to get around.

3. Network link involved. Those who use encryption are usually savvy enough to detect extra packets flying from their machine to some unknown address, which would easily be identified in a reverse-lookup.

My goodness, they are getting desperate, aren't they.

Re:Short Answer: Yes

Even easier: use an encryption program that their virus doesn't know how to sniff yet. Their virus doesn't sniff all keystrokes (yet), just for specific encyrption programs. You don't even necessary need to change encryption schemes, just use a different front-end for typing in your password.

Virus Email

The virus can be sent to the suspect via e-mail -- perhaps sent for the FBI by a trusted friend or relative. The FBI can also use common vulnerabilities to break into a suspect's computer and insert Magic Lantern, the source said.

Email Template:

From: Bill@Slashdot.org
To: Fred@Slashdot.org

Subject: Magic Lantern.doc.pif

Hi! How are you?

I send you this file in order to have your advice.

See you later. Thanks

You have got to be kidding.

I'm sure that this is (-1, Redundant) by now, but...

Are there any cases involving damage done to personal property in eavesdropping operations? That is, legal taps? Any lawyers here? I gotta imagine that this would be a very very dangerous thing for the government to get into. Not only could it cause damage to personal property, but if the suspect is smart enough to encrypt their stuff, they're going to be smart enough to know when they've been h4x0red by an email virus.

This story makes a lot more sense if you remove every reference to "our sources" and replace it with "my little brother."

"The FBI is developing software capable of inserting a computer virus onto a suspect's machine and obtaining encryption keys, my little brother told MSNBC.com."

I believe *that*.

Re:Encryption Security

> Extra bonus points if the entire operating system and software suite on the encryption machine lives on read only media, such as a CD-Rom.

Remember Ken Thompson's hack! You only get the bonus points if you compiled the OS (and CD-ROM burning software) from source on a compiler you wrote yourself ;-)

I've got no problem with this...

...as long as it requires a warrant before it can be used.

Of course, anyone who would be vulnerabe to this is either a moron or doesn't feel that they have anything to hide, so it seems kind of pointless.

Of course, the truely paranoid communicate with their computer using morse code with their space bar and scroll lock LED. I can see it now:

Head of Investigation: "What have we got from the J Random Hacker log file?"

Computer Specialist: "84,365,928 spaces, sir"

Good news, bad news

Well, the good news is that the FBI still thinks I'm stupid enough to run Windows.

The bad news is sooner or later some idiot is going to lable Open Source a terrorist movement....

Idea: Come up with an app that sits on the SMB port (139, is it?) and acts like a Windows box... I believe the word is "honey pot"? One could port-redirect one's firewall to an old 486 running this thing, so as not to overload the firewall itself, and use QoS to keep the bandwidth down... sort of a LaBrea... well, not sort of, I consider ANYBODY trying to sniff around my computers a criminal, badge or no.

--
Keep your laws off my Internet

They sent it to me!

I received an email with the subject "Good Times", and I opened it. My browser popped open, and sent me to a site that had the headline, "See what really happens 'behind closed doors' when John Ashcroft and George Bush get together." My firewall picked up something weird, but I don't know anything about that, because I was already getting ready to format my disk.

Sand box system?

Couldn't you avoid this by running your encryption software (aka PGP) on a non-networked computer? Then xfer the cyphertext via floppy. And if you don't physically secure a box then you are just asking to be compromised.

No matter what they do they can't get at a non-networked box unless they physicaly break in and hack it and then again to retrieve the data (or transmit via radio waves). As for the networked box it never sees anything but cyphertext, no passphrases are used, and anything it puts on the floppy doesn't matter cause even if it gets on the sandbox it can't get anywhere.

Oh sure they could get tricky, do things with floppy boot sector virii that will run in the sandbox, log and save to the floppy, then re-run once it detects a network connection, but to this non-programmer that seems 1) problematic and 2) pretty easy to avoid. maybe even use CD-R or CD-RW.

Comments?

Easier Than I Thought

At first I thought that this was just stupid, because no one running a reasonably secure system, keeping up to date with the latest patches, etc, would be caught by it. But then I thought: why rely on already known (and fixed) and other yet undiscovered holes, when you can roll your own?

recently seen in #anti-trust:
*** BillG is now known as GMoney ***
<GMoney> How can we get out of this DOJ crap?
<FBI> I have this "security patch" I'd like you to distributed through Windows Update. Say it fixes some hole using malformed URLs in IE5 and IE6. No one will blink twice. I'm not even sure most XP users can read.
<GMoney> Will you put in a good word for me with the DOJ?
<FBI> Sure.
<FBI> DOJ: Let Microsoft go scott-free, or I post incriminating pictures of John Ahscroft and Hilary Rosen to usenet.
<DOJ> Rokie dokie, baws.
GMoney laughs maniacally.
FBI laughs maniacally.
DOJ tries to laugh maniacally, but chokes on the pencil eraser he was chewing.

*poof*. Insta-hole. Security patches are worthless if you can't trust the source. And yes, this wouldn't work with non-MS OSes, especially decentralized open source ones. I hope.

-Puk

Pedophile PATRICK NAUGHTON

...may have developed this software as part of his plea bargain. [mercurycenter.com]

As you well know, Java inventor Patrick Naughton, an ADMITTED PEDOPHILE [zdnet.com] developed secret software for the FBI so he can get out of jail sooner and be out on the streets molesting girls again.

ANYONE WHO MODERATES THIS DOWN MUST ALSO BE A PEDOPHILE

Please check my facts and moderate up

Illegal Access To Electronic Device

Surely they couldn't be planning on replicating it like a virus. Striking out a random and invading the computers of people they don't have authorization isn't just ethically suspect, it's a federal crime under current and highly visible law.

C//

How far will you let them go?

How many straws will it take before the people of the United States, the people who take pride in living in the "best nation on Earth", the "land of the free," stand up and say ENOUGH?

Is a sense of security worth allowing Stalinist Russia to be reborn in America?

How many straws, America? How many?

A new espionage tool. Immune System proposal.

Just as guerilla and terrorist tactics are effective responses to contemporary warfare, networked resource scanners and some degree of AI will become part of the arsenal of cyber theives and soldiers.

Problem is, as government-funded tools filter out into public networks it will spark a discussion of these tools in a public forum, which once they are decompiled and attack modes are diagnosed, will give tons of people the ability to launch more sophisiticated attacks. Either it's someone who reengineers it and hands it to script kiddies, or it's other organizations or nations which will feel an imperative to grab the next escalated technology level.

Consider: the article says "levels the playing field with criminals" or something to that effect. It also means the FBI will use tools criminals use. It is easy to see this becoming espionage when used against a foreign firm by the FBI or by someone else who has appropriated their technology.

Few firms have virus-busting firewalls or antivirus packages which can handle new attacks before they cause damage or hide in archived material. Perhaps the scariest thing is that if a new variant is created for a specific "sting", it could quickly take over many computers over a large geographical area (consider Code Red graphs) before antivirus manufacturers or the public at large come up with a patch. In the past there has been a chance at getting a patch before infection.

But with the public funding a combination of email hole, pc based server, network scanner, key logger, and encryption program defeater, it seems that we are *very* quickly going to enter a much more dangerous situation than ever before.

It is not possible that this technology will never be misused by the government.

It is not possible that this technology will remain in the hands of the FBI.

It is not possible that this will not accelerate worldwide efforts to provide more and more dangerous security-breaking software/services.

Because it is so cheap to develop this kind of a weapon, it is my opinion that it is 100% likely that terrorists, multinationals, and national security organizations around the world *will* coopt this technology or will develop something identical to it (or more powerful) on their own. This is the part that scares me. No more Net! Who will ever install a binary from a public server? Who will ever trust interactive content and the plugins which it requires? Who will be trusted to hold the keys?

The FBI is moving a physical wiretap capability highly limited by timing and resources, into a software wiretap regime of high speed, exponential viral growth, widespread destablization of security prior to a court order, and extremely low cost of deployment.

This attempt to coopt the entire networked computing base as a wiretap infrastructure is the most dangerous force I can identify to the world economy and spread of the Internet in all facets of life. It is very hard to have reasonable security for most people at broadband speeds, but one could be forgiven for hoping that problems would be solved in time. Not when the crackers' growth metric takes off exponentially and leaves pro-security forces behind.

I don't think I'd mind if this was used against the people who have attacked the U.S. In fact I'd be surprised if something more powerful wasn't used already. But now we are going to start getting a trickle-down of progressively military weaponry operating silently in our homes.

The cat is out of the bag.. and the technology obviously already exists. The only choice we have is to promote some kind of open source, open science project which could have some hope of markedly improving security in general, could dampen the effects of for example thousands of concurrent Magic Lantern - style attacks from every part of the world. To me, an open, international project is the only way to protect computing in the future.

The FBI already has plenty of tools, and there is no reason it can't improve its cyber attack capability without building such a dangerous system. I certainly don't want to protect the mafia. But unless proven otherwise I think we have to assume that things will get worse all around before they get better.

If you want to see a simulation of the "gray goo" doomsday of nanotechnolgy, simply wait a few months for the next wave of network pathogens.

We will not be safe until we have the U.S. and other governments on the side of the public, with a law against cyber-germ warfare and a well-funded infrastructure to combat cyber-pathogens which do appear with some kind of human and computer based immune system before we enter the age of the network-borne pandemic.

Good luck...

The FBI is evil, but not stupid. If they did it the best way possible, then their software probably replaces a key part of your operating system's networking code, so that even if you knew each and every process running and exactly what it does, you could still have their software installed and never have any way of knowing.

After all, it's doubtful that Microsoft would object to the FBI looking at their source code for such a project, it's doubtful that Apple would object--but even if they did, the lower levels of OS X are open-source Darwin--and of course Linux is open-source anyway. It doesn't seem too difficult for them to do.

It seems that if they were to do it the simpler way, it would be too easy to detect. If they installed it like a simple trojan, it would be trivial to detect, particularly by software such as ZoneAlarm and equivalents which monitor all attempts by programs to access the net. In fact, if it is what they used in the Scarfo case and they are using it now, if it were a simple trojan it would probably have been reported by now. People with something to hide know what software to use to protect them from such things.

For example, "Dr. Who's Encryption and Security FAQ" http://www.slack.net/~hermit/ebook/documents/secur ity.html is standard reading in newsgroups and on websites dedicated to privacy. It is also standard reading in newsgroups and message boards where child pornography is posted. It is probably also known to organized crime and other elements which engage in illicit activities and use computers. It explains in language most people can understand, the use of PGP, firewalls, various encryption and security software, and the threat of keyloggers and trojans and how to use software like ZoneAlarm to secure network access to only those programs you choose to authorize.

Call me crazy, but I think the FBI would take note of this readily available information and come up with a way to counteract it. Writing their trojan into your operating system itself seems like a damn good way to do this. Windows and Mac users and even Linux users expect certain processes to access the network, so why not exploit that to camouflage an "ultimate trojan"?

There would be only one way to counteract it, and this is mentioned in Dr. Who's FAQ: make detached PGP signatures for each important file in your OS that you'd expect not to change, and use a script to check them against the files each time you boot, or each time you choose to run it. If a file has changed, you know something is wrong.

Of course, this is very cumbersome--how many files exactly should you sign? Very tedious. I got to thinking on this some time back, and came to the conclusion that if you want the best possible security against unauthorized changes to your system, the best way might be to install your whole OS and all your apps, configure everything how you like, and immediately transfer the whole system to one file. Then, strip down your OS to the very minimal parts needed to boot and to check the signature on the "big file" and your stripped-down OS files, then decompress/mount then boot the whole OS in your "container" file. If you have lots of cheap RAM, you can decompress the file containing your OS into a RAMdisk to save some time and make the files less persistent. A lengthy process, depending on how big your OS/apps are, but if you want security there will be a price. This way, every file on your system is uncorruptable, untouchable by trojans and FBI spyware.

I experimented with just that using Windows 98SE, and though I don't know exactly how you'd do it with Linux or WinNT/2k/XP it is definitely doable with Win9x. First I installed Windows and all my apps, then made a Zip file (using no compression at all, for speed of unzipping at boot) of the whole system. Then I deleted the system except for minimal DOS command files and a RAM disk creation tool called xmsdsk.exe and a command-line unzip tool, altered Autoexec.bat to call xmsdsk with the parameters to make a 1GB RAM disk (there were 1.5gigs on the machine), called the unzip tool to unzip the file to the RAM disk, and had the config files boot Win98 from that drive. It took fiddling a bit, but finally I got it right and it worked. When my Win98 booted, in the startup folder was a shortcut to check the PGP signatures of all the startup files and the Big File that the system was stored in.

Not ideal. Quite slow to boot up. You can see why I don't actually still do this; it was more or less an experiment. But it did work. When the system was shut down, the RAM disk went away, and so any changes at all to the system would be undone. If the Big File the system came from, or any of the boot files, were modified it would show up the next time I booted when the signatures were checked. It was unweildy, but it did provide full protection of a sort I can't think how to have otherwise.

So, does anyone else have crazy ideas on how to provide security against such intrusions? Preferably ones that don't require a boot time long enough that you can go make breakfast in the intervening minutes.