The Secret History of the FBI's Classified Spyware 133
An anonymous reader writes "A sophisticated FBI-produced spyware program has played a crucial behind-the-scenes role in federal investigations into extortion plots, terrorist threats and hacker attacks in cases stretching back at least seven years, according to newly declassified documents obtained by Wired.com. The so-called 'computer and internet protocol address verifier,' or CIPAV, is delivered through links to websites controlled by the FBI, and it silently reports back to a government server in Virginia. Among other cases, the FBI used it to track a Swedish hacker responsible for cracking thousands of computers at national labs and NASA's JPL in 2005."
The Ends Don't Justify The Means (Score:5, Insightful)
How is this not breaking the law?
Breaking the law to enforce the law.. way to piss on justice.
Re:The Ends Don't Justify The Means (Score:3, Insightful)
In the same way that police regularly assault, kidnap or otherwise harass citizens?
Look, I'm not saying I disagree with you, but you need to refine the ethics of your argument a bit if you want to make a useful point. Unless you were just hoping to bash out something that sounded relevant in order to FP...
Re:The Ends Don't Justify The Means (Score:4, Insightful)
"How is this not breaking the law?
Breaking the law to enforce the law.. way to piss on justice."
I've always been skeptical about this and other tricks used by the FBI and other law enforcement. The Constitution is QUITE clear that a search of private property requires a warrant.
Another thing that has always bothered me is that law enforcement lying to citizens is routine and legal, but lying to law enforcement is a crime (even if you don't know the person you are talking to is law enforcement).
Seems to me that if the government wants us to respect the FAR too many laws on the books that it should start following them itself. And that starts with respecting the Constitution.
Re:RIAA software (Score:5, Insightful)
"FTA :
"After sending the information to the FBI, the CIPAV settles into a silent "pen register" mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every server to which the machine connects. "
Let's hope the RIAA doesn't get it's hands on this."
What I'd like to see is an open source antivirus/antispyware suite that WILL detect this. I own my computer, not the government, therefore I have a right to know what is running on it and to decide what is and isn't going to run on it.
I don't think it is any of the government's business what websites I go to, what blogs I post on, and for that matter, what porn I download.
Given some of the scary things coming out of the "O"ministration lately (such as the recent homeland security advisory painting people who support the right to own firearms and who object to the outrageous spending going on as "rightwing extremists" and "potential terrorists" I think I and others have a legitimate fear that we may be targeted for such spyware for political reasons.
That's why I opposed and still oppose the patriot act... Not because I am against going after the actual JIHADI terrorists who have and are attacking our country, but because government abuse of it and turning it on law abiding citizens was inevitable.
Note that Obama isn't doing anything to repeal the patriot act (which he used to object to). He wants that power just as much as Bush did.
Re:The Ends Don't Justify The Means (Score:5, Insightful)
So if they obtained court authorization to deploy Sarin gas that'd be ok too right?
Wow, hyperbole much? How is installing software on someones computer with court authorization to monitor their behavior any different from using the warrant to obtain a wiretap or using it to search their home and possessions?
Re:RIAA software (Score:3, Insightful)
What I'd like to see is an open source antivirus/antispyware suite that WILL detect this.
Actually if you aren't an idiot about it and have proper security settings/practice this thing would never have gotten installed in the first place......
I don't think it is any of the government's business what websites I go to, what blogs I post on, and for that matter, what porn I download.
It is if you are under a court approved investigation for something.
Given some of the scary things coming out of the "O"ministration lately (such as the recent homeland security advisory painting people who support the right to own firearms and who object to the outrageous spending going on as "rightwing extremists" and "potential terrorists" I think I and others have a legitimate fear that we may be targeted for such spyware for political reasons.
That is a legitimate fear -- which is why we have warrants and a judicial system. But to say that this software can't be used at ALL is a bridge too far, IMHO. Would you complain if the FBI installed this spyware on Tony Soprano's computer?
Note that Obama isn't doing anything to repeal the patriot act (which he used to object to). He wants that power just as much as Bush did.
Of course he isn't. Every President since Washington has tried to expand Executive power. Anybody who seriously thought Obama would be any different drank too much of the change kool-aid. Hell, I wasn't even delusional enough to think he would change this trend even back when I supported him.
Re:Linux version? (Score:4, Insightful)
In a separate February 2007 Cincinnati -based investigation of hackers who'd successfully targeted an unnamed bank, the documents indicate the FBI's efforts may have been detected. An FBI agent became alarmed when the hacker he was chasing didn't get infected with the spyware after visiting the CIPAV-loaded website. Instead, the hacker "proceeded to visit the site 29 more times," according to a summary of the incident. "In these instances, the CIPAV did not deliver its payload because of system incompatibility."
Seems like the FBI exploits browser vulnerabilities a la the Pwn2Own contest in order to deliver CIPAV, but CIPAV itself might not run in linux. I suspect that the FBI will have written a linux-compatible CIPAV after the quoted incident. Probably a bash or perl script so they don't have to worry about different architectures.
On a side note, there was probably some good porn on that page for the hacker to load it 30 times.
But if it works based on clicking links... (Score:2, Insightful)
CIPAV, is delivered through links to websites controlled by the FBI, and it silently reports back to a government server in Virginia.
But if it works based on clicking links that presumably take you to the installer, how on earth can you guarantee that your target is going to click on it at all? You'd either have to direct it specifically to the Mark, and hope that he responds, or you'd have to put it someplace so completely mainstream that hundreds of other people click on... oh, shit. I think I'm having an OS reinstall party this weekend.
Re:The Ends Don't Justify The Means (Score:3, Insightful)
It seems that the vast majority of citizens don't understand the concept of Constitutional law, or that by adherence to the supremacy of The Constitution, The People should be protected by the law, from their government. too bad, so sad.
Re:The Ends Don't Justify The Means (Score:3, Insightful)
Indeed, but they did not obtain court authorization to use it against members of video hosting sites outside of the US 5 years ago. They just used it.
Re:The Ends Don't Justify The Means (Score:3, Insightful)
Well, the Constitution doesn't protect people who are not US citizens and in different countries...
Re:The Ends Don't Justify The Means (Score:3, Insightful)
Read the article. They went through the courts. However the fourth amendment not only requires a court order it requires that the search be limited in scope in duration. That's why AT&Ts indiscriminate monitoring of all users traffic is a violation of the fourth amendment even though it was court ordered.
Re:The Ends Don't Justify The Means (Score:4, Insightful)
How is installing software on someones computer with court authorization to monitor their behavior any different from using the warrant to obtain a wiretap or using it to search their home and possessions?
I think the problem is that they posted the monitoring tool to a website where anyone could come across and get infected and get monitored.
In those instances, there was no prior suspicions that is needed for a warrant. You cannot randomly search 100 people's houses hoping to find a criminal the same way you can't put software out there to find out whether or not these people are the criminal.
In fact... TFA says the FBI agent was disappointed when the person they hope to infect was not infected so I'm assuming others were who were not the target of the warrant.
Re:The Ends Don't Justify The Means (Score:3, Insightful)
"How is this not breaking the law?
Breaking the law to enforce the law.. way to piss on justice."
Actually, when you think about it, the police regularly break the law to uphold it. Look at how they catch speeders: They usually have to speed themselves to catch up to the speeder in order to pull him over, or they even might just tail behind a speeder for a while and clock him with their own speedometer - thus breaking the law themselves by speeding themselves.
To a degree, in general, law enforcement has to operate a little outside the law, at times, to do the job. At times. I'm not saying give them carte blanche or anything stupid like that, but they require some slack, here and there, or the goal would likely be impossible to achieve.
Is the furor over this system they deployed, or over the matter of obtaining warrants to use it? Without such a system, they'd be relatively crippled in their ability to catch real net criminals and cyber-terrorists, and if they failed in that endeavor, everyone would just bitch about how useless they are, why aren't they doing something about crime, etc.
It seems lose-lose no matter what "they" do - either they're going to be accused of being ineffective at stopping crime/terrorism, or accused of stomping on everyone's rights, even when they follow the protocols and procedure.
If there are better alternatives, what are they?