Forgot your password?
typodupeerror
Security

FBI Confirms Magic Lantern Existence 461

Posted by chrisd
from the aldous-would-be-proud dept.
The_THOMAS (and many others) writes: "A day after major anti-virus firms waffle on their support for 'Magic Lantern', and nine days after Thomas C Greene of The Register tried to throw cold water on it's existence, the FBI Confirms the 'Magic Lantern' Project Exist. Welcome to a Brave New World!"
This discussion has been archived. No new comments can be posted.

FBI Confirms Magic Lantern Existence

Comments Filter:
  • ITS (Score:2, Informative)

    by Building (6295)
    ITS ITS ITS ITS ITS! NOT IT'S! AAAAAAAAGH! http://angryflower.com/bobsqu.gif [angryflower.com]
    • LOL... glad to see you are as irritated by that as I am. Thanks for the post.

      AGAIN: If you can't replace "it's" with "it is" in the sentence you were using, use "its". "it is existence" would not be correct; therefore, the correct form of the word is "its".

      I don't want to be a troll, but I'm really sick of seeing this kind of amateurish grammar on Slashdot, and I know I'm not the only one. Taco seems to have given up. He always uses "its", but that's not correct either! Remember the "it is" rule stated above, and you'll be correct every time.

      P.S. "Better then" is not correct either. When comparing, use "than."
  • As an administrator of several Linux boxes at work and at home, I was wondering whether or not I could be affected by the "Magic Lantern" program. The results came in, and quite frankly, I am frightented.

    To start, I talked with my colleague's brother, "Joe," who is a criminal defense attorney. Joe told me that he has been following the Magic Lantern debate very closely, because his sources indicate that the FBI will be using it in many, many cases to prevent the possibility of seizing equipment with undecryptable data on it. In fact, it has been rumored that the proposed new FBI policy regarding searches of premises requires agents to attempt to use Magic Lantern (which technically counts as a consensual search) prior to even obtaining a warrant, if the warrant is to seize computer hardware.

    Joe is not very familiar with computer technology, but he did say that a large part of the Magic Lantern program involves contacting ISPs to allow the FBI to alter network data destined for the suspect's computer. I will take that at face value because they seem to have no problem pulling rank on ISPs. I suspect that their "do it or we'll arrest you" attitude plays a big part in this.

    With all of that in mind, I decided to find out just how vulnerable I was. I set up a stock Debian 2.2r3 box, and a stock Red Hat 7.2 box. Both used the installation CDs produced at least a few months ago, so they were both vulnerable to the wu-ftpd exploit and would need to be upgraded for production use.

    My goal was simple: I needed to play the part of the FBI, and trick my machines into accepting a trojaned version of the new wu-ftpd package.

    First, I set up a transparent proxy on my gateway box, which is used to split my cable modem connection amongst my home machines and those of several neighbors. I used a program called "squirm" to rewrite URLs ending in .deb or .rpm so that they would be redirected to my local web server, from which the trojanned .deb and .rpm files would be served.

    Second, I produced trojaned .deb and .rpm files. The .deb file was trivial to modify, as only a checksum stood between me and a valid hacked version. The .rpm was a bit more difficult, because RedHat signs their packages with a PGP key. However, once I rebuilt the package and did not sign it with PGP, I had a fixed package.

    Third, I went to the Debian box and typed 'apt-get update ; apt-get upgrade'. After a few routine prompts, none of which triggered security alerts, the box was rooted by my "custom" package.

    Fourth, I went to the Redhat box and did an 'rpm -U' pointed at the updates.redhat.com server. I got my trojanned RPM back, with no warnings or prompts to tell me it hasn't been signed. And I had an ftp server with a new backdoor up in a matter of minutes.

    So, to summarize: the FBI can easily set up a transparent proxy between you and the Internet, and trick your OS into installing malware. You're damned if you do and you're damned if you don't, because you need to download the wuftpd-of-the-week sometime.

    As a matter of comparison, my Windows 2000 box has no such vulnerability. The first time I went to Windows Update, I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine. Even if the FBI forces Verisign to issue an impostor certificate, it will be detected and thwarted.

    Linux distributions need to band together and find a trusted individual who will be responsible for signing all packages and verifying that they do not contain backdoors. That is the only way to solve this issue. Personally, I nominate Eric Raymond, because of his widespread respect from the community and business leaders alike. Additionally, he is a staunch libertarian and would not cave to government pressure to insert backdoors into something that he has signed. I believe that by charging the distribution vendors a small fee per package, ESR can again achieve financial success for himself and his family.

    This is a serious issue for Linux users and I believe it should have been addressed years ago. That said, now is not too late and definitely not too early. I look forward to seeing this feature in all future releases of the major Linux distributions.

    df

    • Grab the source, check your code. Don't trust downloadable binaries any farther than you can throw your computer.
      • Not an easy task (Score:2, Insightful)

        by dfeldman (541102)
        Installing a new program could take several extra hours if I were forced to download, audit, and compile the source.

        The super-paranoid will be safe from Magic Lantern because they probably don't upgrade software often and they probably patch security holes themselves. But for the rest of us who want to *use* our computers, this is an enormous problem.

        df

      • Grab the source, check your code. Don't trust downloadable binaries any farther than you can throw your computer.

        Lets assume that you do, do you really have the time to check every line of code in wuftpd, or sendmail, or the kernel, or any other download?

        All it would take is transparent rewrites from kernel.org to a new compromised kernel.

        Can FTP affected by this?
    • by ShaunC (203807) on Thursday December 13, 2001 @01:26AM (#2697603)
      The first time I went to Windows Update, I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine.
      So what happens if Microsoft allows Magic Lantern to be bundled inside the next .cab you get from windowsupdate.com - which, of course, is signed by Microsoft? You raised the point that ISPs tend to bend over, so you can't rule out the possibility that Microsoft might do the same.

      Shaun
      • by Anonymous Coward
        What's even worse:

        It's an American idea, an American problem and based on American laws... and you are enforcing it on the rest of the world

        What's left to us rest-of-the-world-westeners is to stop buying US software because otherwise we risk that our secrets will be sold to American businesses by the CIA/FBI gang... as it has happened before on numerous occassions where European companies (Siemens, for instance) suddenly lost deals in the middle east. Not enough that they eversdrop on our mobile phone communications (Echolon), now they bug our software...
      • Anything that looks like it came from Microsoft, by any of Microsoft's certificates, will be blindly accepted. Personally, I never trust anything from Microsoft. "Always trust content from Microsoft Corporation" sounds too much like "Always trust the fox in the chickencoop".
    • A Slackware user myself, I am somewhat used to retrieving the source of my updates and compiling them myself. Although I don't check all of the PGP keys, most of the source I update regularly DOES have a digital signature.

      Technically, Windows Update could insert something that removes the need for Microsoft's signatures and the Debian example would work just as well for our friends at M$.


      As a similar matter of example: With W2K SP/2, M$ decided to disable the ability to disable Windows File Protection. A nice concept in some respects, but forces you to keep whatever files M$ thinks you should have... say... NetMeeting (or any other program you no longer get to uninstall.)

      A bit of research, and a good-ole 2 bytes of NOP carefully inserted disables WFP. I was a bit shocked when I realized it did work! I boot W2K now, and although no WFP causes an event log message, the only way to tell my SFC.DLL is hacked is to test the signature manually! No "A Windows File Fails Integrity Checks" error message comes up. It could have just as well been the FBI's hack. Or, worse yet, the FBI could use WFP to ASSURE that you can't replace their files with a clean, non-recording version!...


      Shiver

      P.S. Try using SSH + SFTP. Beats the WUFTP problems and the tricky firewall rules FTP bringeth.

    • I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine. Even if the FBI forces Verisign to issue an impostor certificate, it will be detected and thwarted.

      I do not think that means what I think you think it means.

      You are wrong in a couple of ways: 1. What makes you think the FBI wouldn't be able to get a valid signature on Magic Lantern if they so desired? 2. You haven't actually denied non-properly signed software, you just made it so that properly signed software can be installed without you knowing about it. 3. The signature part is only checked by the windows installer service. You can put software on a machine without using the installer service. The faint sound of NIMDA and Code-Red poinding on my firewall is proof of that.

    • by seifried (12921) on Thursday December 13, 2001 @01:35AM (#2697641) Homepage

      Most major vendors (with the notable exception of Debian =( ) sign packages using GNuPG. You can check these signatures using rpm. There is no need to get Eric raymond to sign stuff (and he's supposed to read all the source code, then build all the packages on his own machines? excuse me?). I suggest reading the following two security advisories, which point out some mistakes that have been made, and one possible attack, but also largely corrected by vendors, and can be easily verified by users with minimal effort.

      Devil in the details - why package signing matters [seifried.org]

      Red Hat 7.2 GnuPG signed RPM verification fails on distribution files [seifried.org]

      RPM PGP/GnuPG verification bug [seifried.org]

      • by dfeldman (541102)
        And 'rpm -U' doesn't say a single word when I install an unsigned package. By the time I could see that the package was unsigned (and potentially a copy of magiclantern-i386.rpm), it would be too late.

        Distributions should reject packages that aren't signed with a trusted key by default. And make the user specify the --really-install-an-untrusted-package flag in order for the package manager to accept it.

        df

    • Out of curiousity, was there any earthly reason for the box you were dealing with to be running an ftp daemon?
    • by Tackhead (54550) on Thursday December 13, 2001 @01:38AM (#2697656)
      > I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine. Even if the FBI forces Verisign to issue an impostor certificate, it will be detected and thwarted.

      You, sir, are not merely a troll, but an expert troll, and I applaud you for a job well done! Thanks for the best laugh I've had this thread.

      References: Slashdot article: Don't Trust Code Signed by 'Microsoft Corporation' [slashdot.org]

      Microsoft bulletin detailing story of VeriSign issuing two Class 3 code-signing digital certificates to an individual fraudulently claiming to be a Microsoft employee: Erroneous VeriSign-Issued Digital Certificates Post Spoofing Hazard [microsoft.com]

      • Expert troll he is, but sadly a little too expert this time. Microsoft can issue false Verisign certificates till the cows come home, but if you only ever trust the one shipped with your computer (like the troll said) then no matter how many other packages signed by "Microsoft Corporation" show up at your computer, you will never install them. If you only trust that one certificate, then someone attempting to trojan your machine must get their trojan signed by the master Microsoft Verisign key. His argument hinges on the assertion that Microsoft would never sign a government trojan.

        So basically, he was right, and you were wrong.

        Wait, who's the troll again?
        • True, but what to do when the next security vulnerability shows up - and the patch is not signed by your trusted certificate, but by another Microsoft certificate? Upgrade, and install a patch that could be trojaned; or refrain, and leave a vulnerability wide open.

          /Janne
      • > Microsoft bulletin detailing story of VeriSign issuing two Class 3 code-signing digital certificates to an individual fraudulently claiming to be a Microsoft employee: Erroneous VeriSign-Issued Digital Certificates Post Spoofing Hazard

        Actually, in this case it is safer to actually always trust Microsoft. The reason is simple, if you always trust Microsoft and you get an executable signed with the fraud verisign signature, you will be asked if you want to run this file signed by Microsoft corporation. Now you should know that you always trust Microsoft, and therefore you shouldn't be asked if you want to run a file signed by Msoft. However, if you don't always trust msoft, it won't surprise you when you're asked if you want to run a file signed by them.
    • In the case of Redhat at least, if you use up2date to update your system, each rpm is checked for a GPG signature.
    • As a matter of comparison, my Windows 2000 box has no such vulnerability. The first time I went to Windows Update, I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine. Even if the FBI forces Verisign to issue an impostor certificate, it will be detected and thwarted.

      Why can't the FBI use Microsoft's real certificate? Why wouldn't Microsoft work with them? Are you so certain that "always trust content from Microsoft Corporation" is such a good idea?

      Even then, the code which checks a newly-downloaded package against the MS certificate is on your computer, right? It could be modified by anything (say, a virus) which had the right permissions to do something different, like checking against a certificate on microsoft.fbi.com, correct? Perhaps this will be the next "I Love You" payload (or the last one).

    • First off, this shows how much we need to have some kind of open registry of certificates. I mean, does anyone really trust Verisign, especially now that they own NSI? I mean, talk about people willing to give up credibility in order to pursue monopoly.


      Also, is there not a way in which we can set up some kind of distance authenticity verification? Or routing verification?


      What if there was a service set up that allowed us to send out a request through an alternate random routing (for which we got back and traceroute list to verify) and set a codekey on the machine, and then when we connected to the machine, it would only connect if it had the codekey. Even if they spoofed the network connections and routing, then we wouldn't be able to connect, since we'd know that there was no codekey there. Granted, doesn't solve the problem, but it quickly says to me, time to get a new ISP who doesn't let the Feds run the whole deal.

    • Well, leaving the windowsupdate sillyness aside for the moment, this post does raise an important question: why does Debian not sign debs? That would protect not only from magic lantern but also from a Debian mirror being rooted and corrupt debs intentionally uploaded?
    • by warpeightbot (19472) on Thursday December 13, 2001 @02:56AM (#2697848) Homepage
      Despite this post being a monstrous troll, I think there is a good idea here...
      Linux distributions need to band together and find a trusted individual who will be responsible for signing all packages and verifying that they do not contain backdoors.
      I agree. I think there should be multiple independent verifiers across multiple nationalities, and you should be able to get your RPM's or debs from one country and your crypto checksums from another, and if they don't line up, you'll know something is rotten in Denmark (pun intentional). I nominate ESR, Alan Cox (that's Mister Cagey to you :), Marcelo Tosati, and I think we should have someone from continental Europe (somewhere with good privacy and crypto laws) and someone from Japan (or maybe South Korea if they have a good net connection)... the idea is that this would be done overnight by kicking off a shell script, so that these busy individuals wouldn't get bogged down with doing this, just that they're knowledgeable enough to see it done and well-known enough that there's a trust factor. I wouldn't be averse to more, but not too many more; if we let just any schmoe do it without the Internet equivalent of a background check, somebody's going to start feeding bogus data.... and of course the algorithm to generate the checksums should be GPL, and one should be able to use a known compiler source package, a known algorithm source package and a source rpm/deb and regenerate the compiler, the generator, and the package and duplicate the results.... sort of Linux From Scratch in miniature, just to check...

      Of course, I wonder just how far the Fibbies will actually go in doing this. Most criminals are stupid. Hell, al Qaeda stood out like a sore thumb, it's just that most modern Americans have had their senses so dulled by television and government schools that nothing makes them paranoid anymore....

      Sure, our hero slapped something together that dropped a back door in nothing flat. How many guys that smart are going to go work for what Uncle Sugar pays? How many of the ones that are smart enough actually know something about Linux?

      And then there's the question of sheer manpower. Sure, they can tap your data, but who's going to go thru all that crap? They simply don't have THAT many Beowulf clusters....

      If I was Ashcroft, I'd settle for netting all the Windows users, and worry about all those other OS's if and when I had a specific hard target. Once they hard-target you, you're a goner anyway; if they can't get what they want by giving you a Windows virus, they're just gonna come bust your door down. Meanwhile, I think most of us non-Windows users are relatively safe from any fishing expeditions the Fed might want to do on our hard drives.

      And so it is that the umpteen zillion different distros of Linux becomes one of its advantages....

      Besides, Red Hat has already let on that it's not going to play ball; remember that early release of a security patch (was it wu-ftpd?) that caused the flap a few weeks back? I think Bob Young and company had a lot of balls for doing that; it shows that his loyalty is to his users, and not to some calbal in some smoky chat room... I hope and pray and offer virgin sacrifices that it stays that way. Of course, there's also OpenBSD; Theo, cagey bastard that he is (and I *like* cagey bastards in these situations), isn't going to play cloak and dagger with *anyone*. I figure if anyone *tried* he'd raise six kinds of hell.

      Bottom line, folks, there are more of us than there are of Them; they can't get to us all. And try and remember, if they do try to get to you, your first obligation is to escape and warn the rest of us. We have to hang together... lest we all hang separately.

    • by Overfiend (35917) on Thursday December 13, 2001 @05:41AM (#2698033) Homepage

      With all of that in mind, I decided to find out just how vulnerable I was. I set up a stock Debian 2.2r3 box... I went to the Debian box and typed 'apt-get update ; apt-get upgrade'. After a few routine prompts, none of which triggered security alerts, the box was rooted by my "custom" package.

      Progeny Linux Systems wrote, tested, deployed, and submitted as patches to Debian, code to implement cryptographic package signatures. Some of the patches now exist in dpkg CVS, but Wichert Akkerman rejected others. Part of it had to do with a command that would prompt you (package maintainer) for your GPG passphrase and cache it so that it could be applied to each binary package (consider how tedious it would be to re-type the passphrase for each binary package in a package like XFree86, which has dozens; moreover, you're no *more* susceptible to a keystroke logger if the passphrase is cached). Anyway, this tool was written in C for security (locked memory pages), but Wichert wanted a version in Python instead, so he never accepted the code.

      I never have quite figured that one out.

      Anyway, since Progeny ceased development on its own distribution, not much work has been done on our signed package implementation. The code has already been publicly released; maybe it's time for people in the Debian community to take up the fight?

      The specification, authored jointly by Ben Collins and John Goerzen, allows for multiple signatures per package. I wrote a policy administration tool called apt-checksigs that would let the user configure the strictness of signature checking on a per-repository basis.

      Is anyone interested in this stuff?

    • I suppose that'll teach me for getting my rpms' from fbi.gov..

    • so you proved to me that my switch to slackware increased my security even further as I dont have tools that will allow a download and then execute (up2date) the download.

      Actually cince I switched back to slackware, I can now use source code again, as the ./configure;make;make install process doesn't break slackware as it does with redhat.

      The problem with your attack is that they have to anticipate that I will want bigboobies_3.12_src.tar.gz within the time limits before they raid my house. sure they could profile me by watching my traffic and habits for a 30 day period. but then I am so fickle I doubt that they could get an accurate profile. The only thing I do regulary is read slashdot and freshmeat, I jump around on so many projects for work and personal use they would have to try and spoof about 30-40 different sourcecode packages in-order to get it on my machine, and then hope that I dont look throught the sourcecode.

      but then most terrorists and violent criminals dont have the brain power to compile sourcecode let alone know what slackware is.
  • Paranoia (Score:4, Interesting)

    by Jebediah21 (145272) on Thursday December 13, 2001 @01:05AM (#2697510) Homepage Journal
    I'm not worried about Magic Lantern. I'm worried about the stuff we haven't heard about yet. Really, if the FBI wants to spy on citizens (or criminals for that matter) there is no way they would let their ideas be known.
  • I'm can't believe they admitted it, talk about a smoking gun. Public opinion is just now turning towards questioning the "anti-terrorist" actions of our government. We could have figured out they were spying on us, I wonder what force inside made them be honest about it for once.
  • While the FBI requires a court order to install its technology, formerly called "Carnivore," some service providers reportedly comply voluntarily...

    Yes, I know this part is old news. Still, it makes me cringe whenever I see it. I assume there have been discussions of lawsuits/injunctions against ISPs to keep them from divulging this kind of stuff without a customer's consent. Could anyone post links to resources out there on these efforts for me? Thanks in advance.

  • Not a great idea (Score:3, Insightful)

    by Zeinfeld (263942) on Thursday December 13, 2001 @01:16AM (#2697561) Homepage
    The principle risk to an investigator using a probe like Magic Lantern is that it is more likely to tip off the target that they are under investigation than to provide useful intelligence.

    Viruses spread because each time a user is infected they spread the infection to an average of more than one user. Most viruses die very quickly. Of the thousands launched each day only a handfull infect more than a few hundred sites. The probability of infecting a particular machine is actually quite low. It is going to take rather more effort to spread the trojan payload than the FBI expect.

    Simply sending out random spam and hoping the target opens an executable that installs the trojan is not likely to work. A more likely means of succeeding is to attach the trojan to a downloaded executable.

    A much easier solution with lower downside risk is simply to install a good old fashioned room mike or to use CRT radiation to snoop on the screen.

  • BORRRRING! (Score:4, Funny)

    by cscx (541332) on Thursday December 13, 2001 @01:16AM (#2697565) Homepage
    You know, this Magic Lantern thing will sure make life boring. Whatever happened to the good ole days when the feds actually had to sneak in your house and plant a bug inside your coffeemaker (like in all those cool 80s action movies)? Man the feds are sure getting lazy.
  • Oh goodie! (Score:3, Funny)

    by loraksus (171574) on Thursday December 13, 2001 @01:23AM (#2697589) Homepage
    So now the FBI will be able to catch terrorists even better!
    What this country needs is more power and oversight by police agencies - East Germany had it right when "smell samples" were collected in jars so dogs could hunt down disenters.
    Of course, this will mean nothing to civil rights because as we all know that the FBI is a trust worthy organization that would never do things that would jeopardize our civil rights by installing key loggers via internet virus (because that would not exactly be targeted eh?.

    The FBI is also trust worthy, they would never, for example, abuse the justice system by, say using RICO (anti-organized crime) laws to punish pesky protesting environmentalists, or arbitrarily ask nearly all muslim students in the USA to come in for interviews (and chase them down if they don't come by) - or even threaten to reveal that a person charged with a crime is gay (and cause his suicide)

    And they would never do anything like compile a list of "persons of interest" and maintain a dossier on each person in the USA that has been charged (not convicted) of a crime), as well as all immigrants in the USA (they did a mighty fine fucking job lately eh?)

    Don't worry, the FBI will protect you in the future because of their new powers!

    BTW, would it be in a anti-virus company's best interest to reveal that their software has programmed defects? I dunno. . .
  • by Millennium (2451) on Thursday December 13, 2001 @01:23AM (#2697590) Homepage
    Look, guys. It's simple.

    Get a warrant. I'll show you anything you want to see, but show me your goddamn warrant first. Until you have it, you have no right whatsoever to search my, or anyone else's computer. I don't care what your reason is. This is not acceptable.
    • Of course, a warrant doesn't necessairly mean that a person has to be notified (I believe the time limit was increased to 3 years), so theoretically, the fbi could get permission to magic lantern a person of interest and then "forget" about it, and continue gathering information well after the investigation is closed.
    • Get a warrant. I'll show you anything you want to see,

      that's listed in the warrant. Don't get a warrant to search my workshop and then decide to search my house while you're here.
  • by webwench_72 (541358) <[webwench_72] [at] [yahoo.com]> on Thursday December 13, 2001 @01:28AM (#2697617) Homepage
    Why were they honest about it now? Simple: this is the best political climate the FBI could have asked for to reveal something like this.

    Surveys show that most people, given the 9-11 attacks, are more than willing to trade freedom for security.

    "A recent ABC/Post survey found two out of three people expressing willingness to surrender 'some of the liberties we have in this country to crack down on terrorism.' Cole attributes this not only to a heightened concern for safety, but to the fact that the majority are not generally affected--that is, it's not their relatives being detained and questioned." (Taking Liberties: Fear and the Constitution [prospect.org])

    "At times like this, a democracy must balance its need to protect itself with the freedoms that define it. Last week's terrorist attacks have raised the debate pitting homeland defense against civil liberties to a level not seen since World War II." (For now, security trumps liberties [csmonitor.com])

    "From the very first surveys after the World Trade Center and Pentagon attacks, most Americans told pollsters that the country would have to give up some rights to fight terrorism (79 percent in a CBS/New York Times poll in September). A Gallup survey conducted Nov. 26-27 found six in 10 Americans who said the Bush administration has been 'about right' in its limits on civil liberties, as opposed to 10 percent who said the administration had gone too far and 26 percent who think it hasn't gone far enough." (Public Supports Domestic Crackdown on Terror [publicagenda.org])

    After all, if you're innocent, what do you have to worry about anyway? :grin:
  • by Anonymous Coward on Thursday December 13, 2001 @01:38AM (#2697659)
    I wish more people would actually read Huxley's "Brave New World" before applying that phrase everytime government gets a little out of control.

    Seriously, "Magic Lantern" and all the other privacy-invasive technologies used to snoop on private citizens are still a far cry away from the world of "Brave New World." After all, we still possess enough of our wits to question whether these steps are necessary, legal, and ethical. The folks in "Brave New World" didn't even go that far.

    We are much closer to Orwell's "1984" then we are to "Brave New World." And I'm not sure which is the more frightening.

    In 1984, the government had to force people to behave using the classic methods of tyranny. In Brave New World, the citizens were kept so damn happy that they would never question that the government didn't have their best interest in mind, regardless of what it did.

    Remember: in 1984, our protagonist was someone from withen the society who began to realize what a living hell he was in and began to try to do something to better his condition. In brave new world, our protagonist was someone how came from outside of the society, having been raised on a "reservation". It was only because of this distance from the reality of the "Brave New World" society that he was able to see how awful it truly was.

    • Read it online (Score:4, Offtopic)

      by kimihia (84738) on Thursday December 13, 2001 @03:36AM (#2697924) Homepage

      It isn't hard to read. It is available online for free reading [huxley.net]. Have a look. I took the time out to read it - and now I know what the parent to this post is on about.

    • And anyway, the phrase originally comes from Shakespeare's The Tempest:

      "Oh brave new world, that has such people in it."
    • Hmm... Good point, but not perfect. If you look around you'll notice that most people don't care about such things. As long as they get their soap operas, their cornflakes and their supermarkets they're as happy as people in "Brave New World".

      And who protests? Geeks, living partialy in some abstract cyberspace, and various idealists like libertarians or people who still believe in American Democracy as some ideal being which exists and now is threatened by evil FBI, NSA or whatever. All these are also kind of outsiders.

      So, I would say, we're somewhere in between: nobody's gonna use rats if you say that the goverment is evil, and most of the people are happy with their freedom shrinking, but still, it's just _most_ of the people, not everyone.

      Rav
  • "We have a new software that does not exist yet but will give us the ability to infect a computer remotely"

    With a remotely installed spy app they could remotely uninstall it. AKA no search warrant needed to get it on there in the first place because they can remove it any time they want causing a gapping hole in the 4th amendment (remember the Bill of Rights?). The other thing is how do they get this installed on a Linux system? The same binaries that work on win32 systems will not work natively on nix systems. Does this mean it could be the first Trojan to work across multiple OS's?
  • I have no problem whatsoever of the FBI's using something like this, as long as it fits within the realms of how they already do investigations.

    my fear is what if the FBI comes up empty after trying magic lantern against a target?

    iow - install it, then fail to find or obtain what they're looking for. Will the warrants require removal of the lantern after a certain amount of time?

    And what about repeated failures? Get into the computer, not find anything, back off, get another warrent, try again, still nothing. Would there be limits on how many attempts there are? Or a limit to the the number of searches within a given timeframe?
  • most AV tools monitor program execution for anomolis behavior by unknown virii. would magic lantern be able to avoid being detected by that?

    also, what about personal firewall programs? I use Tiny Software's PF (yes, under Windows, sad isnt it) that checks the md5 of an executable before granting internet access. on top of that, it can allow you to block certain apps from making/accepting connections from various sites. for example I have it set to not allow Mozilla access to doubleclick and some other ad servers.

    Here, two things exist: the lantern has to find a way around the md5 and also find a way around asking the user "PGP wants to connect to [fbi-ip-address], allow it? (y/n)" Getting through one or the other might prove difficult.
  • Yeah. Right ... (Score:3, Insightful)

    by Rosco P. Coltrane (209368) on Thursday December 13, 2001 @01:51AM (#2697704)
    "Anti-virus software vendors said Monday they don't want to create a loophole in their security products to let the FBI or other government agencies use a virus to eavesdrop on the computer communications of suspected criminals."

    And in 1968, the Hugues Glomar Explorer was looking for nodules on the pacific floor ...

    Seriously though, how plausible do you think the following scenario is :

    McAfee receptionist : Hello gentlemen, how can I direct you ?

    Men in black : [showing their IDs] We work for the department of Homeland security. We need to speak to the CEO at once. You also are not to mention our visit to anyone by measure of national security.

    MR : [picking up the phone] Mr. Sampath, important visitors for you.

    Srivats Sampath : What can I do for you folks ?

    MIB : Your company is under strict orders from the FBI and the department of Homeland security to provide appropriate backdoors in the software it produces. These backdoors are confidential-defense and must be revealed to the following persons only : [list of persons]. Any of you or your employees who have knowledge of these backdoors who reveals the existence of the backdoors will be detained and judged by a military court. Any question ?

    SS : [going into brown alert] Yes yes Mister, anything you say. Have a good day Sir.

    SS : [later, talking to the PR guy] John, write the following press annoucement and send it immediately to PRNewsWire : McAfee will NOT NEVER EVER UNDER ANY CIRCUMSTANCES NOT ON YOUR LIFE install any backdoor ever in our software. Never ever. Promise.

    You think I'm paranoid ? Heck yes I am. The above is a bad fiction, and if nothing else, it certainly shows that I have no knowledge of who does what in the government, but my point is : none of these anti-viruses are open-source, how the hell are we supposed to know they're saying the truth ? especially nowaday, can you really trust anybody even remotely involved in computer security to tell you the truth ? Well, I'm taking the easy way out of that dilemma and I'm sticking to "alternative operating systems" that don't require proprietary anti-virus softwares in the first place, and that are known not to contain backdoors as long as the user administers the box properly.

  • How about programming a "hardware abstraction layer" that would interact between the input and the system and the output.

    The layer would only allow input to be passed to a specified program, and output would be passed only from that program - encryption would also be used between the input / system / output.

    Sort of like an encrypted remote login, except that it would take place within / on the same machine, sorta a basterdized winnt.

    It would be a shitload of programming methinks (i.e. a new shell, re-written (or heavily modified) programs) I dunno, I could be full of shit. However, if you would only be using the prog for the encryption of files / sensitive data . . . possibly send output to another device instead of thru the vid card..
  • by webwench_72 (541358) <[webwench_72] [at] [yahoo.com]> on Thursday December 13, 2001 @02:10AM (#2697752) Homepage
    There's a homily about how, when everyone is a lawbreaker, government has total control over everyone -- there will always be a pretext for detaining any person.

    As another poster mentioned, it is quite likely that none of us would like to have all of our keystrokes made public -- some of our innermost thoughts go right through our keyboards, and Magic Lantern wouls apparently make no distinction between keystrokes that you intend to publish on the web, and those intended to stay private (financial info, personal letters, diaries, medical correspondence). If you think this sort of tapping would only occur under warrant, you aren't following the latest news.

    Since 9/11, we already see our government detaining people for more extended periods of time even when the detaineee has not been accused of a crime, refusing to share the evidence [sfgate.com] against those detained, and the Dept of Justice is even, per AG Ashcroft, allowed to monitor conversations between people in custody and their lawyers [aclu.org]. That last one applies to everyone, and is not limited to suspected illegal immigrants.

    This is the top of a very slippery slope. If we give away rights to privacy in our homes and with our legal counsel, we will never get these rights back.

    "A man who gives up some of his liberty for a little temporary safety deserves neither liberty nor safety." - Benjamin Franklin

    "Whether or not legislation is truly moral is often a question of who has the power to define morality." -- Jerome Skolnick
  • by Supa Mentat (415750) on Thursday December 13, 2001 @02:11AM (#2697756)
    It seems to me that keeping Magic Lantern from working should be fairly easy for any terrorist who knows that much about it. He could have the computer that he writes and encrypts whatever it is he wants to send out disconnected from any network. Once the (let's say) email is written and encrypted he puts it on a disk goes over to another computer hooked up to the web and sends it off. Terrorist number two recieves it on one computer, puts it on a disk, loads it onto a disconnected computer, and decyphers the message using his key for the encryption scheme they used. This way, no computer that has the encryption on it (and thus the keystrokes) is hooked up to the internet and so can't get magic lantern. And if it somehow was infected, magic lantern would have no way of sending the info back to the FBI. Am I wrong? Shouldn't this work?
    • I suggested something like this the last time this topic...I think it would work, and I can think of several other solutions without too much difficulty. How about using Drive Image to create CD-R Image disks of your O/S sans Magic Lantern and re-format and restore from the disks on a regular basis? What about other tried and tested methods of securing communications, such as one-time pads or pre-arranged codes? I think what the FBI is looking for is some sort of "Magic" fix that will relieve them of the need to do real police work. Sorry boys, you'll have to leave the donut shop sooner or later.
    • Once they planted trojan to your computer they could
      do pretty much everything, not just keylogging. For instance they could encrypt your text in the manner it would be possible to decrypt it later.
    • Don't forget that the "un-connected" computer should probably be a laptop, and said computer should be stored in a secure safe or other equally secure place when it is not in use or in the immediate possession of the owner.
    • It seems to me that keeping Magic Lantern from working should be fairly easy for any terrorist who knows that much about it. [...] Once the (let's say) email is written and encrypted he puts it on a disk goes over to another computer hooked up to the web and sends it off.[...]


      This would work. In fact, this is exactly the method used by amazon.com in their (very) early days to "secure" their database of credit card information. Credit card info was stored on a separate, non-networked computer. Every morning, the names of customers who had placed an order since the previous day, would be saved to a floppy disk which was then physically "carried" to the database PC to be matched up against their credit card info. That PC then generated a list (on paper) of billing requests to be sent off to Visa etc. The only way to modify the database (to add a new customer or update a credit number) was to actually call Amazon.com, and get someone on the phone to walk over to the database machine and enter some SQL woopla.

  • Whee. (Score:5, Insightful)

    by dswensen (252552) on Thursday December 13, 2001 @02:20AM (#2697780) Homepage
    Once again the old adage proves true. If we fund fundamentalist, paramilitary, or resistance groups in far-off countries, they're "freedom fighters." If someone else funds them, they're "terrorists."

    If someone puts a trojan or virus on your machine to spy on you, it's "cyberterrorism."

    If the government puts a trojan or virus on your machine to spy on you, it's "domestic security."
  • Do not fear what they tell you they are doing. Fear what you are not being told.

    Does anyone really think that Magic lantern, or carnivore, or any other media whore flavor of the week is a truely serious concern? Yes, there are possibilities for backdoors to fall "into the wrong hands" But just what do *you* stand to lose? A piece of your freedom? yeah, that is a legitimate concern, however, was that a freedom you really had?

    Anyone who has had to deal with law enforcement with a computer-related incident loves nothing more than to howl about how woefully out of touch those in authority are. Then, when said groups make attempts at learning, the same folks go on half cocked screaming orwellian brave new world like lemmings.

    the one argument that keeps coming up is "if you have nothing to hide why are you concerned?" Well, if you have nothing to hide, odds are you'll never have to deal with software like this in the first place. they still need a warrent, they still need a reason to target you. There's a reason search warrents aren't mentioned in 1984.....

    Is there a signifcant risk to freedom at stake with recent legislation? There could be. Is there a dedicated group of individuals that want to run around screaming "brown-shirted nazi jackboot black helicopter Orwellian thought crime brave new thugs!" at the first mention of the FBI? Yeah. Any government agency concerned with the safety of the populace is going to end up on the wrong end of popular opinion anyway.......
  • /me unplugs cable modem and cowers in the corner in fear.
  • The one thing I take heavy issue with is the anti-virus companies decision to have the product that I paid to make sure unauthorized programs not run on my computer are letting this one in. To be honest, do I really need antivirus programs with all that I know now?

    I have a bbiagent.net router that I routinely check on. Several times my friends have brought over M$ machines infected with viruses, I would see them trying to connect to the router on goofy ports, then look up what viruses use that port and take the right action.

    What would be really nice is if the EFF or some similar organazation makes a blacklist of products infected with this crap. I don't think it would be too hard to detect, lots of smart people out of work with time on their hands now. More of us than the FBI, yeah coppers good luck!

    I would not buy a product nor subscibe to a service that allows access unauthorized by me. The rest of /. should do the same.
  • One solution is as follows... make a clear, concise statement that companies will refuse to run virus scanning software at all as long as the FBI's "virus" is allowed to roam free and unchecked.

    Then, watch as Melissa hits again and devistates the economy. Seem radical? Yes. But frankly, there comes a time when drastic steps need to be taken. Just think about how long it would take, in such a scenario, for the FBI to force the antivirus makers to update their software to clean things out... Short-sighted lawmakers may take away a citizen's freedom, but we still have the power to control what does and what doesn't happen in our government (well, with regard to the FBI).

    Maybe an open source anti-virus tool for Windows is a better idea... as long as the FBI's targets are protected the software will be useless.
    • by mikethegeek (257172) <{blair} {at} {NOwcmifm.comSPAM}> on Thursday December 13, 2001 @11:22AM (#2698876) Homepage
      Commercial antivirus companies have already bent over and prevented their products from showing COMMERCIAL spy-trojans on scan... (ie, the ones used to spy on employees)

      What makes anyone think they won't do the same for the FBI? Simply put, they will.

      The answer, of course, is free software. If we had a free software virus scanner/remover, that was completely open source, such tomfoolery would be impossible (so long as you knew how to read the code, or could get someone to do it for you, not that hard to do in the Linux community)

      Open source=accountability.

      This is why I'm concerned that this sort of thing will end up playing into Microsoft's hands, in getting an increasingly paranoid government, that is absolutely determined to outgun it's citizens in every aspect of life, to get free software made illegal..

      Imagine it being ILLEGAL to posess a true open source operating system because it would be the legal equivalent of having a private nuclear bomb.

      This is not so farfetched, as a networked computer that the government cannot monitor nor break into is as great a threat to our ever paranoid government AS a nuclear bomb in the hands of a private citizen. The precedent proof is in the fact that the government has made the ownership of weapons that would allow resistance to it illegal (had the same been true in 1776 the revolution would never have suceeded).

      I think all who value freedom should oppose a government from being able to impose restrictions on citizens that it will never place on itself, IE, the fact that the GOVERNMENT is allowed to have strong encryption, unhackable (or so they think) computers, networks, etc, to hide information, but that private citizens should not.

      How many crimes comitted by our government are hidden in encrypted files on government computers that will never EVER be discovered? Why should we trust a "justice system" that in the past decade has massacred more people without cause (Waco, Ruby Ridge) than at any point since the civil war?

      Unlike the days of Woodward and Bernstein, it's likely our government's worst crimes aren't written on paper to find, they are stored encrypted in a computer somewhere. Which means, unless the citizens are allowed to install trojans to go on "fishing" expeditions through our government computers, we will never know.

      But, as our government is saying to us, I'll say to them "if you've done nothing wrong, you have NOTHING to fear, right?"

      In this, the government is non-partisan. Janet Reno presided over those aforementioned massacres, and John Ashcroft is pushing the current horror. All the more reason to abandon our one-party Demopublicans and vote Libertarian.
  • Being board I've tried to click on all the news links provided in your story.

    Unfortunatly I can't find anything - in every browser [IE, Mozilla and Netscape] I get a "host not found" error...

    ... weird.

    But at least now when I say that they [Big Brother] are watching us I have proof and people won't say I'm crazy.
  • Think for a minute (Score:5, Insightful)

    by Stickerboy (61554) on Thursday December 13, 2001 @03:12AM (#2697872) Homepage
    Magic Lantern is nothing new.

    It's the networked computer-version of a phone wiretap.

    In both cases, permission to use either information-collecting method has to be authorized first by a court-order. From the article [news.excite.com]:

    When asked if Magic Lantern would require a court order for the FBI to use it, as existing keystroke logger technology does, Bresson said: "Like all technology projects or tools deployed by the FBI it would be used pursuant to the appropriate legal process."

    ...which is legalspeak for "Yeah, as long as wiretaps require court orders, so does Magic Lantern."

    I can't believe the number of posts comparing the introduction of Magic Lantern to a civil liberties meltdown getting +1 Insightfuls. They're about as insightful as the patriotic idiots who'd allow government agencies unchecked freedom to invade private citizens' lives in the name of antiterrorism.

    The citizens of the US have a responsibility to watch over the actions of its government, to serve as a check against the growth of abuse of power. Melodramatic statements like "Welcome to a Brave New World!" and knee-jerk antigovernment statements like "Trust the FBI to abuse this the minute they get it" merely serve to marginalize and decrease the credibility of those that speak out against government agencies becoming too unfettered.

    Am I afraid that Magic Lantern may someday be abused? Well, yeah, but I'm a lot more frightened by the potential abuse of "old-fashioned" things like the aforementioned wiretaps and unwarranted searches and seizures than I am of the FBI emailing me an easily detectable and easily deletable script or executable virus. Magic Lantern doesn't strike me as a shadowy menace so much as the amateurish nature of a government agency still in the first steps of dealing with a wired world.

    The key to preventing abuse by the FBI and other agencies is not by depriving it of tools to work with, such as wiretaps or Magic Lantern, but to ensure that adequate oversight exists and continues to do so in the future. Spending time and energy protecting and advocating the transparency and accountability of the FBI is infinitely more effective, and more likely to work, than seeking to deprive the FBI of intelligence-gathering tools to work with.
    • by Catiline (186878) <akrumbach@gmail.com> on Thursday December 13, 2001 @10:10AM (#2698486) Homepage Journal
      Here's the one counterargument for what you said:

      Power corrupts. Absolute power corrupts absolutly.

      And now let me expound upon that.

      I have a friend-of-a-friend story: a friend of mine is a lawer who defended a client accused of a computer crime- namely, running p0rn and selling 'services' on the 'net. When the police (Atlanta, GA- local mind you) raided his house, they took everything. Incuding, for no reason whatsoever, his pickup truck. And then auctioned said truck off. Before he was proven guilty in a court of law- before, even, he went to court. In total defiance of the constitutional protections against unreasonable search and seizure. And this was doubly unreasonable as a) they had no reason to sieze his vehicle and b) the had no right to sell it before his guilt was determined.

      So if you want to say something sensible and levelheaded like "ensure that adequate oversight exists", keep in mind that the overseer needs to know about the issures involved. And when they don't, any amount of oversight won't do anything to stem corruption. Because I'm sure as sure can be that the goverment has sharp oversight over the local police departments, but yet that didn't stop this from happening. I don't even want to think about what the police really do in cases of phone tapping.
    • by e_lehman (143896)

      When asked if Magic Lantern would require a court order for the FBI to use it, as existing keystroke logger technology does, Bresson said: "Like all technology projects or tools deployed by the FBI it would be used pursuant to the appropriate legal process."

      ...which is legalspeak for "Yeah, as long as wiretaps require court orders, so does Magic Lantern."

      Baloney. If that's what he meant, he would have said, "Yes". In fact, this is doubletalk for "no". The FBI wants to do this with only a warrant (easily obtained) instead of by seeking phone-tapping permission (much harder).

  • by macmouse (525453) on Thursday December 13, 2001 @03:26AM (#2697906) Homepage
    Why hasn't anyone thought of this before?..

    Its a bit insane but think about it..
    This would ideally be applied to jxtra (www.jxta.org) - suns peer to peer protcal layor (different things can be put ontop, like a web browser, a IM message,file sharing, etc).

    Have the a key/checksum on the file itself. Then to authenticate, connect to the p2p network. Each host would have their own UNIQUE key. The longer a machine is up the more trust. Nearby machines get the key as well.

    So, to authenticate the program goes and finds a bunch of random machines, asks what their keys are and what the key is for the package file. Then, you check the machines keys with other machines to make sure they can be "trusted". This would be a cross between the gpg signing "web" and p2p networking.

    So the machines that have been on longer can be trusted more. This is to prevent a machine at the isp to generate new keys on the spot (or use the same one over and over again). It would have to be around for a resonable amount of time (24 hours?).

    So each time you check package x, at random a series of "hosts" are asked what their checksums are for package x. For the paranoid, could add some route/different isp checking as well. Let say it asks 20 machines. If all match, then odds are pretty good its correct. Also, each host's key would have to be unique and "trusted". Then you can go out onto 100's (even more?) of hosts to check.

    True, (in theory) it would be possiable to fiter for those specific requests, generate a seperate key for a bunch of ip's RANDOMLY and have them authenticate with each other, but that would be quite difficult. In order to do that, they would essentially have your connection severed from the net, with no direct path and on a "virtual" network, in which case your screwed anyway.

    It isn't the most efficent way, but probably about as secure as you could get. Well, without being the govenment itself ^_^.
    • So a file gets heavily validated. Big fucking deal. That has nothing to fucking do with a keylogger on your system watching out for your damn key password. I can go ahead and encrypt shit with 2^bajillion bit encryption but if somebody is watching me type my password over my shoulder it isn't going to do much good. Especially if it's a trojan on my system that watches me type in my private key password and uploads a copy of my private keys to somebody.

      Having the checksum on the file itself is a bit ridiculous because if there's a trojan filtering stuff between me and the rest of the network it can easily strip the checksum off the file, change it, then add its own checksum. It will validate but it won't have the original checksum that you thought it had. No matter where it propogates it'll have the fucked up checksum. You've also got to be able to handle the event of half of the machines don't validate your file. What then? Half of the systems say it works and half don't, who do you trust then? Say with that system I write a quickly propogating virus or trojan that makes checksum requests fail. Who then do you believe when you're authenticating your file?
  • An analogy (Score:5, Insightful)

    by Stickerboy (61554) on Thursday December 13, 2001 @03:38AM (#2697928) Homepage
    Arguing that the FBI should be unable to develop Magic Lantern is almost exactly the same as law enforcement agencies arguing that private citizens should not be allowed to access strong encryption.

    In both cases:

    • the argument hinges on the assumption that the party in question will abuse the technology (which is to some extent true, criminals will abuse encryption technology to hide evidence, just as there will be at least one or two cases of the FBI overstepping its bounds with Magic Lantern).

    • the technology for [encryption, Magic Lantern] exists, and is widely available, so trying to outlaw its existence and use by the [criminals, FBI] is pretty futile.


    Writing letters to your representatives and starting petitions about strengthening the oversight mechanisms over the FBI makes a lot more sense, just like the FBI using other methods to gather intelligence on criminals makes more sense than banning strong encryption.
    • Re:An analogy (Score:3, Insightful)

      by GigsVT (208848)
      The bill of rights enumerates some of the main rights that are retained by the people.

      It grants no rights to government. There is a reason for that. Think about it.

      Yes, it is a double standard, but that is the way our founding fathers made it, because they knew it was necessary.
  • by Katravax (21568) on Thursday December 13, 2001 @03:46AM (#2697946)
    This post will probably never be seen since I'm a latecomer to the conversation, but I knew a fellow a few years back that would never be affected by a keylogger. His method would work for bypassing any keylogger, but would probably be most useful to touch-typists as a way to not use the keyboard for entering passwords.

    He claimed he was a terrible typist. I couldn't tell though, because he didn't touch the keyboard. He would literally copy and paste every character he entered. While this would be tedious for all typing, it strikes me that would be a good way to enter passwords if you're concerned about a keylogger.

    That generally wouldn't work for whole-system logins, but it would work for encrypted files and other "lesser" logins. Copy a letter from this page, a letter from that, paste it in your password box, and I doubt seriously even a macro recorder could follow what you're doing.
  • by Boiling_point_ (443831) on Thursday December 13, 2001 @03:58AM (#2697969) Homepage
    I've been browsing at +2 so sorry if someone else has mentioned this already.

    I am Australian. I use American antivirus software. There is no indication that Symantec or McAfee are going to protect their Australian consumers from the American government.

    Most of this discussion has centred on the FBI invading domestic computers. I am more concerned, not personally, but ethically as a global citizen, with the CIA or another US body using this technique to invade my country's rights.

    I have no recompense, short of diplomatic channels, or through whatever (uberexpensive) international anti-espionage laws , at stopping this.

    Magic Lantern is a very blunt intelligence instrument. Right now (and the irony is NOT lost on me) all I have to be thankful for is that my sychophantic Prime Minister has been licking Dubwya's scrotum so much lately that Australians are probably far down the list of suitable intelligence targets.

    • Exactly what I'm moderately worried about. Why should the US FBI be able to check my computer, just because I use a (likely) American (otherwise British) version of Windows on my PC?

      Can I sue the US Government for privacy infractions and computer crimes if I find this program on my PC? Can my government sue the US Government for the same?

      all I have to be thankful for is that my sychophantic Prime Minister has been licking Dubwya's scrotum so much lately that Australians are probably far down the list of suitable intelligence targets.


      Don't worry, noone will ever accuse Australians of having any intelligence to target.

      *rimshot*
  • If the Antivirus software does not stop this "virus" they won't in other countries as well... Is this another "USA is the world police" thingy?
  • I don't really see the problem with the AV vendors overlooking ML. No, I'm not mad - bear with me for a moment:

    First - think about how AV software works. It usually scans a file when it's accesed for certain known patterns - the virus signatures. Every virus/trojan/worm have their more or less unique signature which is used to identify it. So, when AV vendors say they won't detect it they software is not deliberately letting ML through - the software just will not have a signature for ML, and therefore it won't be recognized as a trojan.

    This is not a hole.

    It's just how antivirus software works - looking for known malware patterns.
    Now, if I were to make my own personal Magic Lantern, I could theoretically modify FBIs software, or write my own. They will both be equally undetectable. Now, when certain AV vendors say the won't look for ML it is in fact good - because they are open about it. You KNOW their software won't detect it, and if you feel threatened by it you are free to change vendor and add in additional layers of paranoia (Firewalls, IDS, tripwire).
    If we are going to hate AV vendors for something, we could just as well blame them for not including anti-spyware in their signature files. They have overlooked this specific kind of malware for years, and not many have raised their voices about it.

    I'm more scared of the methods they intend to infect their targets - pushing ISPs into modifying data as it arrives at the victim's computer is just plain scary.

    Then again, it's FBI we're talking about. For the most part they play by the rules. And if you're really so scared about Magic Lantern, you should be scared about phone wiretaps and Tempest too. They are all equally privacy-invading technologies, but very few of us encrypt our telephone calls or install lead-walls to protect our privacy.

    I'm not saying that Magic Lantern is a good thing (it's not), but the AV vendors are not trying to make a gaping hole in you computer, and shouldn't be accused of such things.
  • Have an antivirus company move a large part of its assets into banks in one or more countries other than its home country.

    Give a lawyer in each country bank account number and legal duty to withdraw all the money when it has been proven that that company has been compromised. The lawyer must open a new bank account for a competitor who has never been compromised.

    Something tells me we will end up pretty quickly with a well-funded open source antivirus company!
  • by HuskyDog (143220) on Thursday December 13, 2001 @09:20AM (#2698337) Homepage
    If I download and install the NSA's Security-Enhanced Linux [nsa.gov] (having checked the source carefully for back doors) am I then safe from Magic Lantern?

    It seems to me that sooner or later these two government projects are going to come into conflict and it will be very interesting to see who comes out on top.

  • by CoreDump (1715) on Thursday December 13, 2001 @01:22PM (#2699506) Homepage Journal
    I'd think that this type of behavious by the government is more akin to that of Orwell's _1984_ than to Huxley's _Brave_New_World_.

    Now, if they ( the ever ubiquitous "they" ) were putting drugs ( got soma? ) into the water, then it'd be more similar to BNW, but instead it's the Government furthering it's ability to monitor the activities of it's citizen's, which strikes me as much more Orewllian.

    Okay, back to your regulary scheduled MS sucks/Linux rules/I hate Katz ranting.

    Remember, "a gramme is better than a damn!" :)

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...