Forgot your password?
typodupeerror
Security

FBI Confirms Magic Lantern Existence 461

Posted by chrisd
from the aldous-would-be-proud dept.
The_THOMAS (and many others) writes: "A day after major anti-virus firms waffle on their support for 'Magic Lantern', and nine days after Thomas C Greene of The Register tried to throw cold water on it's existence, the FBI Confirms the 'Magic Lantern' Project Exist. Welcome to a Brave New World!"
This discussion has been archived. No new comments can be posted.

FBI Confirms Magic Lantern Existence

Comments Filter:
  • ITS (Score:2, Informative)

    by Building (6295) <building&bumba,net> on Thursday December 13, 2001 @01:04AM (#2697503) Homepage
    ITS ITS ITS ITS ITS! NOT IT'S! AAAAAAAAGH! http://angryflower.com/bobsqu.gif [angryflower.com]
  • by ShaunC (203807) on Thursday December 13, 2001 @01:26AM (#2697603)
    The first time I went to Windows Update, I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine.
    So what happens if Microsoft allows Magic Lantern to be bundled inside the next .cab you get from windowsupdate.com - which, of course, is signed by Microsoft? You raised the point that ISPs tend to bend over, so you can't rule out the possibility that Microsoft might do the same.

    Shaun
  • by webwench_72 (541358) <webwench_72.yahoo@com> on Thursday December 13, 2001 @01:28AM (#2697617) Homepage
    Why were they honest about it now? Simple: this is the best political climate the FBI could have asked for to reveal something like this.

    Surveys show that most people, given the 9-11 attacks, are more than willing to trade freedom for security.

    "A recent ABC/Post survey found two out of three people expressing willingness to surrender 'some of the liberties we have in this country to crack down on terrorism.' Cole attributes this not only to a heightened concern for safety, but to the fact that the majority are not generally affected--that is, it's not their relatives being detained and questioned." (Taking Liberties: Fear and the Constitution [prospect.org])

    "At times like this, a democracy must balance its need to protect itself with the freedoms that define it. Last week's terrorist attacks have raised the debate pitting homeland defense against civil liberties to a level not seen since World War II." (For now, security trumps liberties [csmonitor.com])

    "From the very first surveys after the World Trade Center and Pentagon attacks, most Americans told pollsters that the country would have to give up some rights to fight terrorism (79 percent in a CBS/New York Times poll in September). A Gallup survey conducted Nov. 26-27 found six in 10 Americans who said the Bush administration has been 'about right' in its limits on civil liberties, as opposed to 10 percent who said the administration had gone too far and 26 percent who think it hasn't gone far enough." (Public Supports Domestic Crackdown on Terror [publicagenda.org])

    After all, if you're innocent, what do you have to worry about anyway? :grin:
  • by seifried (12921) on Thursday December 13, 2001 @01:35AM (#2697641) Homepage

    Most major vendors (with the notable exception of Debian =( ) sign packages using GNuPG. You can check these signatures using rpm. There is no need to get Eric raymond to sign stuff (and he's supposed to read all the source code, then build all the packages on his own machines? excuse me?). I suggest reading the following two security advisories, which point out some mistakes that have been made, and one possible attack, but also largely corrected by vendors, and can be easily verified by users with minimal effort.

    Devil in the details - why package signing matters [seifried.org]

    Red Hat 7.2 GnuPG signed RPM verification fails on distribution files [seifried.org]

    RPM PGP/GnuPG verification bug [seifried.org]

  • by Tackhead (54550) on Thursday December 13, 2001 @01:38AM (#2697656)
    > I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine. Even if the FBI forces Verisign to issue an impostor certificate, it will be detected and thwarted.

    You, sir, are not merely a troll, but an expert troll, and I applaud you for a job well done! Thanks for the best laugh I've had this thread.

    References: Slashdot article: Don't Trust Code Signed by 'Microsoft Corporation' [slashdot.org]

    Microsoft bulletin detailing story of VeriSign issuing two Class 3 code-signing digital certificates to an individual fraudulently claiming to be a Microsoft employee: Erroneous VeriSign-Issued Digital Certificates Post Spoofing Hazard [microsoft.com]

  • by Anonymous Coward on Thursday December 13, 2001 @01:38AM (#2697659)
    I wish more people would actually read Huxley's "Brave New World" before applying that phrase everytime government gets a little out of control.

    Seriously, "Magic Lantern" and all the other privacy-invasive technologies used to snoop on private citizens are still a far cry away from the world of "Brave New World." After all, we still possess enough of our wits to question whether these steps are necessary, legal, and ethical. The folks in "Brave New World" didn't even go that far.

    We are much closer to Orwell's "1984" then we are to "Brave New World." And I'm not sure which is the more frightening.

    In 1984, the government had to force people to behave using the classic methods of tyranny. In Brave New World, the citizens were kept so damn happy that they would never question that the government didn't have their best interest in mind, regardless of what it did.

    Remember: in 1984, our protagonist was someone from withen the society who began to realize what a living hell he was in and began to try to do something to better his condition. In brave new world, our protagonist was someone how came from outside of the society, having been raised on a "reservation". It was only because of this distance from the reality of the "Brave New World" society that he was able to see how awful it truly was.

  • by Some Dumbass... (192298) on Thursday December 13, 2001 @02:00AM (#2697721)
    As a matter of comparison, my Windows 2000 box has no such vulnerability. The first time I went to Windows Update, I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine. Even if the FBI forces Verisign to issue an impostor certificate, it will be detected and thwarted.

    Why can't the FBI use Microsoft's real certificate? Why wouldn't Microsoft work with them? Are you so certain that "always trust content from Microsoft Corporation" is such a good idea?

    Even then, the code which checks a newly-downloaded package against the MS certificate is on your computer, right? It could be modified by anything (say, a virus) which had the right permissions to do something different, like checking against a certificate on microsoft.fbi.com, correct? Perhaps this will be the next "I Love You" payload (or the last one).

  • by Tackhead (54550) on Thursday December 13, 2001 @02:07AM (#2697746)
    > I don't want the FBI knocking down my door because they read an email I wrote saying that I disagree with John Ashcroft's latest violations of the Constitution.

    (Flippant answer: "Look, it's the Fourth Amendment we're getting rid of, not the First! Get yer Amendments straight, duuuh!" ;-)

    But I think that deserves a serious answer, and since it's the Constitution you're so worried about, I'll have at it.

    Ashcroft's actions are highly constitutional. He's fulfilling his obligations as part of the Executive Branch as specified in the Constitution, namely to use the powers granted to him by Congress to fulfil his mandate. Once something gets passed by the Legislative branch, it's law, and the Executive is obliged to work within the (ever-shifting confines of the) law until the Judicial branch (after due prodding) says it did otherwise.

    So if you have a beef with the changes going on lately, it's with your Congresscritters for passing bad law.

    But please, if you're gonna go Constitutional on us, don't trash the Executive for doing what the Constitution says it has to do -- namely doing the things your representatives in the Legislature told it to!

  • by Auckerman (223266) on Thursday December 13, 2001 @02:12AM (#2697759)
    "That's like telling a cop that you refuse to give him access to your home to search it without a warrent. All you're doing is causing a bigger hassle for yourself."

    You are under the misguided beleifs that:
    1. Only guilty people exercise their right to privacy
    2. Only guilty poeple have items seized as evidence upon a voluntary search.

    Lets say for example, the FBI knocks on your door saying they suspect someone has been sending death threats to the president from your computer. They are mistaken. They want in to "look around" and walk out with your computer. Good luck getting it back, cause it will be in a "evidence" vault till you die, regardless of innocence or charges being sought. They could do that with ANY item in your house that MIGHT be tied to the crime and odds are you won't get it back, ever.

    Reminds me of a county n Texas, all traffic violators were searched and anything that the searchers thought was "drug related" was seized. Well, a buisness man was speeding though said county, pulled over and lost 10-15K (I don't remember the exact figure) in cash he was taking to his son as a loan, all of which he could prove was legally earned. He ended up sueing, and getting little more than half of it back.

    So, my legal advice to you (IANAL-Lawyer) is to NEVER ever for any reason let any cop search any of your property, unless they have a court approved warrent.
  • by mwalker (66677) on Thursday December 13, 2001 @02:31AM (#2697801) Homepage
    Expert troll he is, but sadly a little too expert this time. Microsoft can issue false Verisign certificates till the cows come home, but if you only ever trust the one shipped with your computer (like the troll said) then no matter how many other packages signed by "Microsoft Corporation" show up at your computer, you will never install them. If you only trust that one certificate, then someone attempting to trojan your machine must get their trojan signed by the master Microsoft Verisign key. His argument hinges on the assertion that Microsoft would never sign a government trojan.

    So basically, he was right, and you were wrong.

    Wait, who's the troll again?
  • by Anonymous Coward on Thursday December 13, 2001 @03:46AM (#2697944)


    Actually, you are incorrect. The protagonist of Brave New World, Bernard Marx, was an unusually ugly man for his class, who began to question the ethics, methods and politics of his government from the inside, and requested that he be given access to a reservation for curiositiy's sake. It is once he has seen the harsh reality of everyday life on an unsheltered reservation(and henceforth what the drug addled happiness of his world does to its inhabitants), that he finds his life irreconcilable and hangs himself.

    I wish more peole would read Huxley's "Brave New World" before complaining about not enough people reading "Brave New World" before applying that phrase everytime government gets a little out of control. :)

  • Re:Unacceptable. (Score:2, Informative)

    by innocent_white_lamb (151825) on Thursday December 13, 2001 @03:46AM (#2697945)
    Get a warrant. I'll show you anything you want to see,

    that's listed in the warrant. Don't get a warrant to search my workshop and then decide to search my house while you're here.
  • by Anonymous Coward on Thursday December 13, 2001 @05:48AM (#2698041)
    First they came for the Communists, but I didn't say anything because I wasn't a Communist.
    Then They came for the Trade Unionists, but I didn't say anything because I wasn't a Trade Unionist.
    Then they came for the Jews, But I didn't say anything because I wasn't a Jew.
    Then They came for the Catholics, but I didn' say anything because I wasn't Catholic.
    Then they came for me, and nobody spoke because nobody was left.
    Reverend Martin Niemoller
  • by muffen (321442) on Thursday December 13, 2001 @05:53AM (#2698051)
    > I thought that the antivirus companies had AGREED to NOT make their programs detect "Magic Latern"???

    No! You, like so many other people, didn't read the quotes well enough. To start with, everything was hypothetical (and that was made clear in the articles). All AV vendors were saying that they had not been contacted by anyone from the FBI, and the all also said that they did not know if there was a thing like Magic Lantern.

    Now, some people in Network Associates and Symantec said that if the FBI gave them a copy of Magic Lantern, then they would avoid detecting it (I'm asuming using an MD5 sum or something similar so hacked versions won't escape detection).

    Later, "higher" people in the same companies said that they WOULD detect magic lantern.
    If we asume that the internal communication issue has been resolved and this has been discussed internally, the latter statements are probably the ones that will be followed.

    End conclusion, AV programs WILL detect Magic Lanter if they get their hands on it.
  • by mcarbone (78119) on Thursday December 13, 2001 @06:02AM (#2698068) Homepage
    And anyway, the phrase originally comes from Shakespeare's The Tempest:

    "Oh brave new world, that has such people in it."
  • by CdotZinger (86269) on Thursday December 13, 2001 @08:05AM (#2698222)
    ...that has such people in't!" --Shakespeare

    In case you couldn't tell, he was being sarcastic.

    Huxley's book derives its title from a scene in The Tempest, in which Miranda, upon meeting a bunch of royal bad guys--whom she naively perceives as regal, not as the bunch of usurping, murderous scum they really are under their shiny hats--says "O wonder! How many goodly creatures are there here! How beauteous mankind is! O brave new world that has such people in't!" to which Prospero--sad cynic, curmudgeonly nihilist, all-around smarty-pants, exiled in a world of criminal dipshits--says "'Tis new to thee."

    Not an inappropriate sentiment, in this case.

    But of course you knew that.

  • by 4of12 (97621) on Thursday December 13, 2001 @12:08PM (#2699116) Homepage Journal

    make sure the publisher's public key is really the publisher's

    Aye, there's the rub!

    It really takes an independent confirmation route to verify the veracity of some random downloaded package.

    It galls me to no end seeing a download site providing "one-stop" authentication: here's the package, here's the signature, here's the key!

    Proving identity and authenticity in this kind of environment would be improved if there were multiple authorities for one to use. Anything else subjects you to the risk of living in Dr Morarty's HollowDeck, if you remember that particular episode of Star Trek TNG.

    The network downloaded packages have to be verified independently, using

    • public keys burned on the CD distro you bought for cash, on impulse, in a random location,
    • additional public keys on floppies that you wrote from an entirely different computer and network connection,
    • phone calls verifying fingerprints of keys
    • many, many open certifying authorties that are not run by governments or corporations with vested interests that would be harder to compromise en masse,
    • users that are less inclined to sacrifice security for convenience
    Nothing is perfect, but you can tighten things down to the point where your spoofability risk is less.

Don't steal; thou'lt never thus compete successfully in business. Cheat. -- Ambrose Bierce

Working...