Enhanced Carnivore To Crack Encryption Via Virus 522
suqur writes: "MSNBC has a story about a new Carnivore feature, dubbed 'Magic Lantern,' which arrives on a victim's computer in the form of a virus through email or well-known vulnerabilities. Magic Lantern uses keylogging to extract keys typed in, and sends them off to the FBI. This is similar to a story reported on previously, but taken one step further, allowing computers to be compromised remotely."
yyeeeeeesh. (Score:0, Insightful)
Legal? (Score:5, Insightful)
And what happens if this "happens" to get installed on a foreign government's computer? Can we say "espionage"?
AV software. (Score:5, Insightful)
Linux? (Score:2, Insightful)
Since it's vulnerablities in windows that seem to allow the FBI to get in, would linux be ok?
In addition, is this legal? To break in using vulnerablities? Wouldn't that make the FBI in essence doing illegal things?
This only works then because windows has security holes eh?
Virus or trojan? (Score:2, Insightful)
I'm sure trojans must have been used for keylogging before. But won't using this mean getting a wiretap order? I also don't know how this system will cross jurisdictions: can the FBI infect a user in another country to get secrets? Sounds like spying to me, and it would ensure countermeasures from other governments and a change in computing systems to defeat the virus.
I'm hoping that some antivirus company makes a scanning system to detect this 'virus' and eliminate it. Otherwise its a change to a more secure OS, or using GNUpg (they did only mention it working on PGP, didn't they?) could do the trick.
Heading to Canada... (Score:2, Insightful)
But if the software is a virus (or trojan, or some other malware), wouldn't that make it a tool of terrorism?
Does that mean we can have a military tribunal for the MIB?
This is sickening.
Please, please, PLEASE, somebody tell me that someone will write a program to watch for this "Magic Lantern" and disable it, or at least warn the user that it's installed.
Hmm...
Oh, and by the by... To anyone who wants to make that "if you're not doing anything wrong..." argument, please send me pictures of your wife naked. Just put my address on the back of a 3x5 print, along with your credit and checking account numbers.
Oh, that's private?
Then f**k off and don't let me hear you say it again until you're willing to put your money where your mouth is.
Quite rightly, I don't think that it's anyone's business to see the data on my computer, unless they have a real warrant and show up at my house with it. On the same token, I think that keyloggers should fall under wiretapping regulations. (Does anyone know if they do or not? Last I heard the FBI was trying to say that it didn't.)
It's going to take a LONG time to fix the damage our government is doing. If we're lucky, some of us will live to see something akin to real freedom again. If we're not, well, we'll just have to make sure that the stories get passed down to our children.
Maybe soneday I'll take the time to cohesively form my thoughts on this, but at any rate, I think y'all get the idea.
Re:AV software. (Score:3, Insightful)
I think you have to look a lot deeper than that. Even if Symantec tells me that they're protecting me against this "virus", can I really believe them? And what happens after that, does Uncle Sam release version 2? If you're Symantec, do you really want to draw the wrath of the government to fight a virus that isn't, and get into a codefight with government agencies? AV companies might have some deep pockets, but they're no match for our tax dollars, if Ashcroft decides he wants to spend our money this way.
This is the time when a foreign virus detection has the opportunity to jump into the limelight and steal some serious business from the big US AV companies.
Countermeasures? It's an Arms Race... (Score:2, Insightful)
I'm also wondering if you could rename/recompile PGP or other encryption software so that Magic Lantern won't trigger when it's activated. Also, entering a key without the keyboard (mouse clicks, off a .TXT file on a floppy, whatever...) would make keyboard logging useless.
Other ideas?
Encryption Security (Score:2, Insightful)
Store the encryption keys on removable media that is never left with the encryption machine when encryption/decryption is not actively being done.
Data in encrypted/decrypted form must be brought to the encryption machine via good old sneakernet (diskette).
Extra bonus points if the entire operating system and software suite on the encryption machine lives on read only media, such as a CD-Rom.
FBI Chief: What happen?
FBI Grunt: Someone set up us the disk.
No trolling intended but... (Score:2, Insightful)
Re:Legal? (Score:5, Insightful)
IF they do eventually make it illegal to block the virus then 'terrorist virus writers' can be guaranteed a hole in every system.
And it is not far-fetched that they would make it illegal to block it. For instance, it is illegal to wear a bullet-proof vest if you are in a situation where the police want to shoot you.
--jeff
Unlawful Search and Seizure (Score:2, Insightful)
They need a warrant (last I checked) to search someone's house. They need a warrant to use wiretaps.
Why is it that they think they can insert a 'virus' to log keystrokes? if this goes into the realm of Van Eck phreaking then I could understand (since van eck just picks up the stray emissions from your box...hmm, tempest anyone?), however, I still stand by the fact that *they need a warrant*
if they want to check out my files on my computer, knock on my door, present a _proper_ warrant, and proceed. That's the lawful way. Dumping a virus on someone's box is just uncool, and in fact, should render anything gathered from said box inadmissable.
of course IANAL...which is said all too frequently around these parts, any real lawyers care to comment?
Re:Encryption Security (Score:5, Insightful)
Remember Ken Thompson's hack! You only get the bonus points if you compiled the OS (and CD-ROM burning software) from source on a compiler you wrote yourself ;-)
Re:yyeeeeeesh. (Score:1, Insightful)
this two lines.
BYE BYE FREEDOM OF AMERICA!
Re:yyeeeeeesh. (Score:1, Insightful)
I thought hackers were terrorists? (Score:2, Insightful)
Don't read email on encryting pc (Score:2, Insightful)
But really, as long as the system you read email on isn't doing the actual en-/decrypting, they can both be on the net. Read email on one computer. Transfer files from and to the encrypting system over the network. This keylogging program, Magic Lantern, only works if the machine it infects runs the PGP program. It's useless if only the computer next to it runs PGP. Magic Lantern would still be installed on the email machine, but since it never runs PGP, it can't do anything. It can't perform keylogging on the encrypting computer, even if the two are networked. No need to use floppies.
Good news, bad news (Score:3, Insightful)
The bad news is sooner or later some idiot is going to lable Open Source a terrorist movement....
Idea: Come up with an app that sits on the SMB port (139, is it?) and acts like a Windows box... I believe the word is "honey pot"? One could port-redirect one's firewall to an old 486 running this thing, so as not to overload the firewall itself, and use QoS to keep the bandwidth down... sort of a LaBrea... well, not sort of, I consider ANYBODY trying to sniff around my computers a criminal, badge or no.
--
Keep your laws off my Internet
Sand box system? (Score:3, Insightful)
No matter what they do they can't get at a non-networked box unless they physicaly break in and hack it and then again to retrieve the data (or transmit via radio waves). As for the networked box it never sees anything but cyphertext, no passphrases are used, and anything it puts on the floppy doesn't matter cause even if it gets on the sandbox it can't get anywhere.
Oh sure they could get tricky, do things with floppy boot sector virii that will run in the sandbox, log and save to the floppy, then re-run once it detects a network connection, but to this non-programmer that seems 1) problematic and 2) pretty easy to avoid. maybe even use CD-R or CD-RW.
Comments?
Re:Legal? (Score:5, Insightful)
Could someone go to jail simply for NOT running an e-mail virus?
Could Microsoft, RedHat, Apple or Sun get in trubble for fixing a defect?
Could the government ask Microsoft to install a back door then on descovery when Symantic patches Windows to CLOSE the back door or if BugTrap discovers it and a third party patches it.. Would the government sue for discovery or patch?
And Linux hacks have been known to exist that (for security reasons) pretend to be known Windows back doors to employ known defects in script kiddy toolkits.
The defects themselfs could be easy to discover just in the way the backdoor works.. "Ahh here the script kiddy has a file reception system were I can send ANY file I want... any size.. oh and a typical redundency compression system.... Let's see compression code.. repeate "0" for 16 gig.. ok thats 6 bytes than expand into 16 gig.. He's dead.."
On the inverse...
"In todays news known terrorist Al Be Dumbby was set free on a legal technicallity.
The terrorist group 'born stupid' is now counter suing for infecting Al Be Dumbbys computer...
Many suggest this lawsute is an act of intelegence and disproves the groups contention that the terrorists have an inherent right to be stupid.
Others point out had Al Be Dumbby not clicked on the virus or used Windows to start with this wouldn't be an issue"
Re:This only works if.... (Score:2, Insightful)
Easier Than I Thought (Score:5, Insightful)
recently seen in #anti-trust:
*** BillG is now known as GMoney ***
<GMoney> How can we get out of this DOJ crap?
<FBI> I have this "security patch" I'd like you to distributed through Windows Update. Say it fixes some hole using malformed URLs in IE5 and IE6. No one will blink twice. I'm not even sure most XP users can read.
<GMoney> Will you put in a good word for me with the DOJ?
<FBI> Sure.
<FBI> DOJ: Let Microsoft go scott-free, or I post incriminating pictures of John Ahscroft and Hilary Rosen to usenet.
<DOJ> Rokie dokie, baws.
GMoney laughs maniacally.
FBI laughs maniacally.
DOJ tries to laugh maniacally, but chokes on the pencil eraser he was chewing.
*poof*. Insta-hole. Security patches are worthless if you can't trust the source. And yes, this wouldn't work with non-MS OSes, especially decentralized open source ones. I hope.
-Puk
Re:Problems. Oh, problems. (Score:1, Insightful)
No, company must post a signiture for the virus. If they're allowed to.
Even more insidious, would AV companies install backdoors in their protection software to allow for Magic Lantern?
They may be required to, by secret executive order perhaps. Then again, they are so big they may well encourage the plan. How better to enhance enforcment of DMCA, UTICA, SSSCA, etc. etc.
If this Magic Lantern is really spread as a virus, and costs the US economy thousands of millions, just like CODE RED, who is responsible for paying damages? The FBI?
The victims, the economy, you, I. You cannot sue the Feds without their permission.
Who can garuantee that Magic Lantern will wait until you start PGP? Can't the FBI log every keystroke? How fucking scary is that?
It won't wait, it will watch damn near everything. Technology already exists for sale as a support tool. I've seen it, it's way intrusive. They can watch your screen, keys, all I/O ops, and its a small Kbit datastream. See below...
Scary? You have no idea.
Is it illegal to detect and destroy Magic Lantern?
Would that be considered obstructing justice?
Does it matter? Seems they've taken it on themselves to hold people, uncharged, for as long as they like. Seems they don't even have to say they've got you.
How long until a "clean" program, ala Nimdaclean is developed, and will possesion of that be llegal?
May be, or not. See previous answer.
What will happen when America goes back to normal?
Rights of the people, once lost, are never returned again. Pretty much a fact of history. Revolution is the tradional was of restoring sanity to government, mostly by opening a window of time where it spends more energy regrouping than opressing it's governed.
Who will clean FBI software from our machines?
You.
Note the "small Kb datastream" limitation. They can pack nearly the entire user experience in there. But, there are ways to exceed the bandwidth. Start, for example, by handing your partner in crime a few DVDs full of key material...
That's the kicker. CRIME isn't what the Feds are looking for here. CRIMINALS, at least the ones that need be worried about, maintain a tangible circle of trust. UNDESIREABLES, like you, I, and P0rN buyers everywhere, are the only people this sort of thing is equipped to make an example of.
Illegal Access To Electronic Device (Score:3, Insightful)
Surely they couldn't be planning on replicating it like a virus. Striking out a random and invading the computers of people they don't have authorization isn't just ethically suspect, it's a federal crime under current and highly visible law.
C//
How far will you let them go? (Score:4, Insightful)
Is a sense of security worth allowing Stalinist Russia to be reborn in America?
How many straws, America? How many?
A new espionage tool. Immune System proposal. (Score:3, Insightful)
Problem is, as government-funded tools filter out into public networks it will spark a discussion of these tools in a public forum, which once they are decompiled and attack modes are diagnosed, will give tons of people the ability to launch more sophisiticated attacks. Either it's someone who reengineers it and hands it to script kiddies, or it's other organizations or nations which will feel an imperative to grab the next escalated technology level.
Consider: the article says "levels the playing field with criminals" or something to that effect. It also means the FBI will use tools criminals use. It is easy to see this becoming espionage when used against a foreign firm by the FBI or by someone else who has appropriated their technology.
Few firms have virus-busting firewalls or antivirus packages which can handle new attacks before they cause damage or hide in archived material. Perhaps the scariest thing is that if a new variant is created for a specific "sting", it could quickly take over many computers over a large geographical area (consider Code Red graphs) before antivirus manufacturers or the public at large come up with a patch. In the past there has been a chance at getting a patch before infection.
But with the public funding a combination of email hole, pc based server, network scanner, key logger, and encryption program defeater, it seems that we are *very* quickly going to enter a much more dangerous situation than ever before.
It is not possible that this technology will never be misused by the government.
It is not possible that this technology will remain in the hands of the FBI.
It is not possible that this will not accelerate worldwide efforts to provide more and more dangerous security-breaking software/services.
Because it is so cheap to develop this kind of a weapon, it is my opinion that it is 100% likely that terrorists, multinationals, and national security organizations around the world *will* coopt this technology or will develop something identical to it (or more powerful) on their own. This is the part that scares me. No more Net! Who will ever install a binary from a public server? Who will ever trust interactive content and the plugins which it requires? Who will be trusted to hold the keys?
The FBI is moving a physical wiretap capability highly limited by timing and resources, into a software wiretap regime of high speed, exponential viral growth, widespread destablization of security prior to a court order, and extremely low cost of deployment.
This attempt to coopt the entire networked computing base as a wiretap infrastructure is the most dangerous force I can identify to the world economy and spread of the Internet in all facets of life. It is very hard to have reasonable security for most people at broadband speeds, but one could be forgiven for hoping that problems would be solved in time. Not when the crackers' growth metric takes off exponentially and leaves pro-security forces behind.
I don't think I'd mind if this was used against the people who have attacked the U.S. In fact I'd be surprised if something more powerful wasn't used already. But now we are going to start getting a trickle-down of progressively military weaponry operating silently in our homes.
The cat is out of the bag.. and the technology obviously already exists. The only choice we have is to promote some kind of open source, open science project which could have some hope of markedly improving security in general, could dampen the effects of for example thousands of concurrent Magic Lantern - style attacks from every part of the world. To me, an open, international project is the only way to protect computing in the future.
The FBI already has plenty of tools, and there is no reason it can't improve its cyber attack capability without building such a dangerous system. I certainly don't want to protect the mafia. But unless proven otherwise I think we have to assume that things will get worse all around before they get better.
If you want to see a simulation of the "gray goo" doomsday of nanotechnolgy, simply wait a few months for the next wave of network pathogens.
We will not be safe until we have the U.S. and other governments on the side of the public, with a law against cyber-germ warfare and a well-funded infrastructure to combat cyber-pathogens which do appear with some kind of human and computer based immune system before we enter the age of the network-borne pandemic.
technology versus law (Score:2, Insightful)
No Warrant Needed? (Score:2, Insightful)
Now I'm starting to feel paranoid.