What We Know About the FBI's CIPAV Spyware

StonyandCher writes "What is CIPAV? CIPAV stands for 'Computer and Internet Protocol Address Verifier'; a lengthy term for powerful spyware the Federal Bureau of Investigation can bring to bear on web-based crime. It was used last month in a case where someone was emailing bomb threats regularly to a Washington high school. An affidavit by an FBI agent revealed some of the workings of CIPAV. 'According to the court filing, this is [some of] what the CIPAV collects from the infected computer: IP address, Media Access Control address for the network card, List of open TCP and UDP ports, List of running programs ... Last visited URL. Once that initial inventory is conducted, the CIPAV slips into the background and silently monitors all outbound communication, logging every IP address to which the computer connects, and time and date stamping each.' In a Computerworld article, the author attempts to dissect CIPAV's purpose and raises a number of questions such as: What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?"

does it...

[russ1337]

What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?"

Does it run on Linux?

sorry, couldn't help myself.... but seriously..... does it?

Re:does it...

[HaeMaker]

Let's find out...

"Mr. Gman from Quantico, VA has sent you an eGreetingCard from Flowers By Irene! Just open this P.D.F. file to view..."

Re:

[TWX]

Does it run on Linux?

Even if it does, if you find one of those last-generation Motorola 68000 machines and compile your entire OS from scratch I doubt that they'll have a binary-compatible version to install on it...

Of course, be prepared to have one SETI@Home packet take about four weeks to process, and to have a bogomips rating of something like 16.9...

Re:does it...

[OrangeTide]

insert a new system call in the middle of your syscall list, and recompile everything for it. it will break all static binaries and shell code :)

My Sparc Classic would takes minutes to establish an SSH2 connection. those big keys take a while, SSH1 was nice and fast. (50MHz no cache, no FPU)

Re:

[Bluesman]

That's a cool idea, but wouldn't it only break shell code that called syscalls after the one you inserted? Shouldn't you put the new one at the very beginning?

IIRC, execve() is syscall #11, so wouldn't your inserted syscall have to be before that to do prevent shellcode from executing arbitrary commands?

Re:

[OrangeTide]

sure. you ought to put it to break things like clone, execve, socket, open, etc.

you could even be worse and just shuffle them around randomly.

Re:

[mpapet]

My desktop distro-of-choice doesn't allow exec privileges to email attachments. They'd have a problem with my browser if they sent an evil url too.

You bring up a good question with a very practical answer. This software was developed like all software, with time and budget constraints. If it's home-grown or COTS it definitely does the bare minimum so the fear mongering is likely unfounded. That is, until version 2.0. Aaaahhhh!!!

Re:does it...

[GrumpySimon]

That is, until version 2.0.

oh no - it's going to have Ajax and a drop shadow!

Let's check...

[Jeff Carr]

$sudo apt-get remove cipav
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package cipav

Whew, safe!

Re:

[bhtooefr]

Actually, I hear there's surprisingly good support for ThinkPads (go figure,) and the OS/2 nuts just keep porting all the interesting stuff from Linux back to it.

Also, you can purchase vendor [ecomstation.com] support for OS/2, as well.

That said, I'll stick with Ubuntu.

Re:

[RLiegh]

So...why not just use Linux then? Why bother going through all of the bother of sticking to antique cards and porting applications over from Linux when you could simply just install Linux.

This isn't 1994, there really isn't any advantage to running OS/2 instead of Linux or BSD or hell, even Solaris.... (all of which are free, and all of which are more current than the long-abandoned OS/2).

Re:

[jwo7777777]

You say that out of shear ignorance.

Better than tensile or compressive ignorance.

Re:does it...

[dgatwood]

Mod parent down. SELinux is support for more fine-grained rights management in Linux. It's a mandatory access control policy system, basically. Unless parent has proof that there is a back door in there somewhere, I'm pretty sure parent is full of it.

Just because the software is partially paid for by the government, it does not necessarily follow that it's a back door. Take off the tinfoil hat.

This is Slashdot, people!

[TheVelvetFlamebait]

Since when did we ever let little things like evidence or common sense get in the way of a nice bit of conspiracy theorising?

Re:

[ozbird]

I can't believe they still fall for that one... Tinfoil hats are antennas designed to increase the reception of mind-control beams, not block them.

What about zombies?

[Reziac]

What happens when zombied computers are used to email such threats? who gets the blame in that case? How do you distinguish the innocent zombied-user from the trojan or virus? Would being infected constitute defense? If so, how do you prove intent??

So many questions raised by this... I'm sure others can think of many more.

Re:What about zombies?

[toleraen]

I think the obvious question would be "How does it get installed?"

Re:

[Reziac]

How do you prove that you're the innocent victim of a zombie installer, vs. having surreptitiously zombied your own machine? the installer works the same way regardless, and ISTM it's not too difficult to determine and target your own IP address. (Or for that matter, for the gov't to do so.)

Point being, I'm wondering just how solid this evidence really would be in the eyes of the courts, with or without tech-savvy judges and lawyers.

Re:What about zombies?

[toleraen]

I was referring more to the question of how the FBI installs the software on your machine. For some reason picturing a guy in a black suit wearing dark sunglasses sending "OMG Pony Screensaver Inside!!1" emails doesn't cut it. If they're going for computer evidence, it seems likely that their targets would be a bit more computer literate: more up to date on patches, firewalls, etc.

Otherwise, who knows. Maybe their software has to wipe out other possible malware to be effective (wouldn't want that data they're collecting, or even the software they installed going overseas, right?). You'd hope that they would have to show that it was someone typing out the emails locally vs. remotely. But then, who's to say it wasn't the person's little brother writing the email? It doesn't seem like they'd have a lot to stand on...there should be a lot of supporting evidence going with what they collect with that software.

But in the end, don't they pretty much just have to say "We're the FBI. That's what happened." anyway?

Re:

[AmberBlackCat]

My guess is a Windows Update or whatever the Mac and Linux versions are. So everybody's probably already got it, waiting to be activated.

Re:

[Anonymous Coward]

1) re: duration of evidence kept:

This is either a troll or a rhetorical question.

Why would they need to erase it? how could you prove they didn't delete it?

I remember sitting in a Computer Law class in the early 80s. One of the things which arose (aside from writing briefs which the chair from the department and a group of landsharks would pick pieces apart & continue until it looked reasonable) One of the things discussed at that time was you could force the FBI to ensure your information is c

Zombie or not, one specimen WILL be found.

[arth1]

Another worry is if someone finds it, how good precautions are there that it's immune to subversion, in multiple ways:

• Sending false data to the feds. With my knowledge of the bureau, I doubt they would ever question the data they receive. (The healthy paranoid people who might ask questions either get fired, or end up in different government branches).
  
• Using the app or information in it to launch an attack to the fed's own clandestine systems. This could include modifying the data sent to try to trigger a buffer over/underflow, or simply brute force DoS the target destination through a botnet.
  
• If it contains backdoor functionality, replace it with a honeypot and gain access to passwords and client info of the feds trying to access it.
  
• Modifying the app too send data not to the feds but to somewhere else. This would be the holy grail of trojans, as it's likely that most AV software have specific exceptions for ignoring software from the government.
  

Re:

[Reziac]

Good questions all. I've no doubt there are hackers out there who are good enough to disassemble and subvert such an app.

I'm reminded of this old jape:

"If the enemy is in range... SO ARE YOU!"

Re:

[ScrewMaster]

I'm sure they've accounted for the possibilities you've raised (excellent points, by the way.) And, if you were to actually ask the FBI about those issues, I'm sure the conversation would go something like this:

Brody: The CIPAV is a source of unspeakable power and it has to be researched!

Eaton: And it will be, I assure you Dr. Brody, Dr. Jones. We have top men working on it right now.

Jones: Who?

Eaton: Top men.

Re:

[Gazzonyx]

Thanks, I didn't want to sleep tonight, anyways.

Let's up the ante and get this thing going - I'll throw in $10 to the first slashdotter who contains and publishes the 'bins' and/or reverse engineers this piece of code. $20 if you can isolate the signature of executables that it's binded to with a high degree of success (say, =>75% confidence). It's $10 well spent to sleep at night, IMO. I kinda' want to play with this thing and I'm willing to fund the hunt for it. Anyone else wanna' throw in?

How to identify?

[redshirt1111]

I did read the article, but did not see anything about identification. Other than ensuring there is no spyware running on your machine, anyone have an idea how to detect this particular program?

Re:

[Opportunist]

Well, there are some ways. Some of them used by trojans, some used by AV kits, some by both.

You can go ahead and force every program you run to load a DLL of yours, which hooks the relevant calls and alerts you should an application that's not supposed to tries to access things it has no business in. At least that's how I did it.

It does slow the system down considerably, though, so you might want to use it on a separate machine (real or VM) that you use to do your internet stuff.

address is 192.168.0.100

[maxwells_deamon]

Just look for the guy with that address!

It most do a trace route/phone home or somthing to actually get a useful address

Yes... millions of taxpayer dollars have been...

[DaedalusLogic]

Spent on a sophisticated solution for detecting your IP address, and the FBI has integrated THIS [ipchicken.com] into CIPAV.

Re:address is 192.168.0.100

[ArcherB]

Just look for the guy with that address!

It most do a trace route/phone home or somthing to actually get a useful address

As opposed to the guy at 127.0.0.1! I hacked into his machine once, but that bastard had some sort of active defense daemon running that wiped my drive at the same time I was trying to wipe his!

Fortunately, I was able to see the porno pics of his wife before I was hit. Man! That bitch was FUGLY!

Re:

[account_deleted]

Comment removed based on user account deletion

The real threat of "government spyware"

[Opportunist]

The core problem is, surprisingly, its correlation with antivirus tools.

Either the feds don't give AV vendors a heads-up when they plan to use a trojan, i.e. they risk being found. Now, this would double as the "hey stoopid, the feds are onto you" warning.

So it's likely they do require AV vendors to avoid finding them. This, in turn, would mean, though, that all a potential virus writer has to do is to get his program to match the fed trojan in behaviour and shape, possibly in signature.

I needn't write more, I guess? Why bother coming up with a rootkit if there are governmental-assisted ways to create undetectable malware?

Re:

[robogun]

The AV could just take the middle ground with a generic description like "Suspicious Program: E-card Viewer", it is unlikely it will display as "W.32CIPAV j00 R SO FEDERALLY PWNED"

Re:

[Opportunist]

How long do you think 'til you can get a "Warning: Trojan.Crypt.Whatever is a CIA/FBI trojan!" from various mailing lists and boards?

Re:The real threat of "government spyware"

[mr_mischief]

By the time you've detected it, it's probably already reported everything. IP, MAC, IP address and HTTP request of last packet to ports 80 (or possibly 443 if it gets its information before the SSL encryption), etc. is not difficult nor time consuming to figure out.

Re:

[Opportunist]

Still, usually plenty of time to get rid of everything on the computer that might incriminate you.

Re:

[meatspray]

unless it utilized another already authorized application to connect (IE, Trillian, AV Asoftware Update, Windows Update)

Re:

[orclevegam]

it is unlikely it will display as "W.32CIPAV j00 R SO FEDERALLY PWNED"

No, but that would be awsome. Maybe some of the open source antivirus kits out there (I know there's at least one) should use that as the name if they ever manage to get a signature of CIPAV.

Re:

[griffjon]

What about heuristics engines? Will they get a huge "unless" clause tagged on to them?

What about people with strong firewalls which monitor outbound traffic?

I have a hard time believing the USGov is competent enough to do this well.

Re:

[Opportunist]

As soon as they catch anything but teenagers with it, I will start thinking about it. Until then, I say they have no better tools available than the average trojan writer. Probably they are less free in their choice of tools, rather.

Re:

[Geoffreyerffoeg]

This, in turn, would mean, though, that all a potential virus writer has to do is to get his program to match the fed trojan in behaviour and shape, possibly in signature.

Er, what if AV programs are configured to ignore programs that connect to (and only connect to) cipav.fbi.gov or somesuch? :-)

Re:

[Opportunist]

AV programs are amongst the most reversed programs in existance. Malware writers spend hours, days and weeks dissecting AV tools and finding weaknesses in them.

I think it's fairly secure to assume that one of them would have used a security hole like this in the meantime, e.g. by rewriting the hosts-file, then sending to the (rerouted) cipav.fbi.gov and the AV tool would let it be.

And this, in turn, would have been detected immediately by an AV company (who is competing with the AV company that lets this le

Re:

[Opportunist]

Dunno if that plays a role for Vista, but XP doesn't care too much about what's signed how, anything may be and actually is checked by pretty much every AV kit I know.

Besides, that only serves as a better way to detect it. I give it 2 days 'til the first detector circulates that looks for exactly THIS crypto key signature.

Re:

[Jah-Wren Ryel]

Baloney. You are referring to the NSAKEY [wikipedia.org] and it is not about executable signing, because until Vista+TPM there was no mechanism for executable signing and authentication in MS Windows.

Re:

[plague3106]

Um, you've been able to sign executable in windows since at least Windows 2000. Its call Authenticode, and XP does read it. Vista takes it a step further by warning you if you run an unsigned application.

Re:

[GeekZilla]

"that's why many european states does not trust windows to run their battleships or other critical military systems. I was assigned to disassembling the windows core logic when I did my mil svc."

Afraid that Great Britain is more than happy to employ Microsoft software in their warships.

See this: http://www.theregister.co.uk/2007/02/26/windows_bo xes_at_sea/ [theregister.co.uk]

and this:

http://en.wikipedia.org/wiki/Type_45_destroyer [wikipedia.org]

Re:The real threat of "government spyware"

[querist]

Discretion is the better part of valor.

One of the differences between the virus that your bog-standard AV will detect and this critter from the FBI is the number of instances out there in the wild. Keep in mind that this FBI thing is intentionally sent to specific targets, and I suspect that it is used sparingly in order to prevent it from being found easily.

Nearly all AV programs rely on signatures. The way they obtain the signatures is first to obtain samples, and then determine how they can identify the program accurately (Hashes, etc). I've discovered new malware and forwarded it to the proper channels, as have others that I know.

Therefore, the following (simplified) steps must occur:

1. become infected with the malware
2. suspect that the machine is infected
3. correctly isolate the malware (find its parts, etc)

Then, once those happen one must also do the following in order to hope that protection will be offered to others:

4. send the sample to one or more anti-malware application support teams for inclusion
5. wait until the AV/AM team can create a signature
6. wait until the AV/AM team distribute the signature
7. wait until people update their AV/AM signature databases.

As you can see, there are several places where this process can fail. Think of it like phishing, but sort of in reverse. Phishers send out a large number of messages in hope that even if only a very small percentage of recipients (1/100th of one percent, for example) fall for it, they will be able to profit.

That works just fine if you send out a few hundred thousand messages.

If you send out only one message, or ten, or twenty, your odds are very close to zero that even one person will "bite".

This is the critical difference. I doubt that this program is out there on thousands of machines, or hundreds of thousands of machines all over the place. It is "placed" (I know - some victim effort is required) on specific machines.

Therefore you have a very small victim base. The odds of this being discovered are quite small, even without collusion from the AV vendors.

This is more like "spearphishing" (who dreams up these phrases?), being specially targeted for one individual. This increases the odds of that one individual falling for the ruse, and since only one person was the target, this works well.

Things like this make the lives of us who work in security full time much more complicated.

-Q

Re:

[Opportunist]

Pretty accurate. Though AV companies have quite a few venues to draw from when it comes to getting malware. And they also have fairly reliable test mechanisms in place that can discriminate between programs that are behaving like malware and such that are not. Unfortunately, those tests tend to be quite heavy on the machines (you should see some of the farms dedicating to testing programs, quite amazing), so it's impossible to build something like that into the AV scanners.

The chance that such a program end

Re:

[Magada]

In addition to which, most computers infected with this thing probably end up in the hands of the FBI anyway. I tend to agree with your conclusion.

Nice acronym but...

[Statecraftsman]

can't we just continue calling this Vista?

Do they still get spam?

[192939495969798999]

If they have this amazing tool for tracking people down, do they still get spam at HQ? If so, why not use this to catch the spammers and make them stop? Is it because they're all beyond jurisdiction now?

Re:Do they still get spam?

[It doesn't come easy]

In the grand scheme of things, spam doesn't rate very high when compared to a bomb threat. Resource limitations dictate that the FBI concentrate on music downloading, bomb threats, and spam, in that order ;)...

Re:

[ScrewMaster]

On the other hand, if we're talking about big corporate influence on law enforcement priorities, the bandwidth cost of spam is pretty damn high. You would think this would encourage the big boys (the telcos and Comcasts of the country) to spread some money around Washington to motivate the Feds appropriately. They've got more money than God, and AT&T knows its way around Washington like nobody else. That would be one of the few cases where I'd be on the lobbyists' side.

So, if you're a criminal....

[iknownuttin]

MySpace accounts can't receive traditional e-mail, so one hacker standard -- attach the CIPAV to a message and hope the recipient is stupid enough to launch it -- wasn't available. Instead, the most likely tactic would have been to send a URL to the suspect account using MySpace's own instant messaging and/or Web mail system. If the suspect clicked on the link -- it would have had to be enticing, so use your imagination here -- and visited the FBI-owned malicious site, an exploit for a zero-day vulnerabilit

Re:

[Opportunist]

Well, then I guess they wouldn't really need to install a trojan in your box anymore, would they? They already proved that you tried to access material that's not suitable for you.

Re:

[Applekid]

The idea wouldn't be to stop just the perp but to enbolden them. See who they refer, follow the path of files downloaded as they are redistributed by interested parties. Corrolate time spent hunting for that stuff with time they are on their home computer with the lights off and the curtains closed. Package together a completely undeniable case against them. And if they don't distribute or become brave enough to upload their stash (for the sake of image-hash generating algorithms to quickly let software fin

Re:

[vertinox]

Thats why I have always disagreed with the current policy, not because I support the vile people that create such images, but I fear that it would be too easy to frame some one who is innocent.

There is this Japanese urban legend that when a corporation or Yakuza wants to off someone, they have the sucker win a trip to Indonesia. Then at the airport they slip some drugs in his bag and then give an anonymous tip to the Indonesian authorities.

The thing is... The penalty for drug possession in Indonesia is deat

Re:

[Torvaun]

So they send you a link claiming to be a kiddie porn site. When you go there, you find a "Nothing to see here" lookalike with a payload.

If they can get you to go to the site, what it looks like doesn't matter anymore.

But how do they install it?!?!

[Daneboy]

How, exactly, do the Men In Black install this uber-spyware on a target system?

Do they get a warrant, sneak into your home in the dead of night, and install software on your computer?

Do they mail it to you as a virus, perhaps cleverly disguised as a Nigerian spam scam?

Do they use the back door that Microsoft agreed to put in all their software in return for being granted Most-Favored Monopoly status by the government?

Or something else? "You are a suspected pedophile. To clear your name, please click here to install the FBI's internet spyware on your computer"?

Anyone know?

Re:But how do they install it?!?!

[Opportunist]

Maybe it's just a variant of the way MPack infects. Slipping code into inconspicuous pages, redirecting you to an iframe containing an exploit, suitable for your browser, and presto.

Re:

[Anonymous Coward]

Do they get a warrant, sneak into your home in the dead of night, and install software on your computer?

Yes.

Maybe...

[DaedalusLogic]

"Always trust sofware from FBI.gov" is turned on by default in some browsers?

Re:

[mogasm]

They have gotten court orders in the past to break into the house for the purpose of installing the spyware

Re:

[BlueParrot]

Do they get a warrant, sneak into your home in the dead of night, and install software on your computer?

You still think they would need a warrant to do so? It is more like:
try{
getTarget().addUncostitutionalSpyware();
}
catch (SomebodyFoundOutException e){
getTarget().accuse( new Excuse( Excuse.paedophile , Excuse.terrorist ));
}
finally{
profit();
}

Better question

[grasshoppa]

What happens to the first person to get a hold of this software and fully analyze it?

5 bucks says they get a visit from big men in serious black suits and then are never seen again.

Re:Better question

[Mattintosh]

That depends on whether they're in the USA or not. If you're in the USA, enjoy your stay at the Gitmo Hilton. If you're not, well, you might not be bothered at all, but don't fly to the USA. Ever.

Re:

[gstoddart]

That depends on whether they're in the USA or not. If you're in the USA, enjoy your stay at the Gitmo Hilton. If you're not, well, you might not be bothered at all, but don't fly to the USA.

Yeah, because the US government has never grabbed someone who is on foreign soil and whisked them away in an airplane late at night when nobody was looking. (No, really [usatoday.com].)

If they want you bad enough, they will send someone to retrieve you. Domestic and international laws be damned. Now, they won't do it for sending spa

typical hysterical twit

[circletimessquare]

"If you're in the USA, enjoy your stay at the Gitmo Hilton. If you're not, well, you might not be bothered at all"

what is this, humor? does anyone actually believe this represents a fair depiction of how dissent, spying, and enemies of the state are handled by the usa, and *laugh* other governments in the world?

the usa has plenty of problems, don't get me wrong. but if you analyze any other country and the way they handle spying and rights, guess what? the usa doesn't look so bad

does this excuse the usa? no

Re:

[janrinok]

I think that he still made a valid point. Whether other countries are any better is debatable, but the USA has crossed several boundaries by holding people in Gitmo without due legal process of any kind. There is no justification for it at all. I do not think that the FBI are quite there yet but, from the outside, there doesn't seem to be much that will stop them if that is what they want to do. But the FBI are breaking the law - it is illegal to put software on someone else's computer without their per

i understand

[circletimessquare]

there is a road to fascism and ignoring human rights. and although some countries are a mile down that road, we're going to scream bloody murder only because the usa has moved a yard down that road

http://www.nytimes.com/2007/08/02/world/middleeast /02iran.html [nytimes.com]

how do you feel about this story this morning?

i mean, do you care about the universal human issue of basic human rights? or does the concept only enter your mind when the usa is involved somehow?

do you have a human conscience? or an american conscience

you sound upset about that

[circletimessquare]

how upset are you about this? [nytimes.com]

do you have a human conscience on the issues of basic human rights?

or do you just have an american conscience?

the world doesn't revolve around the usa. why do you?

so let me get this straight

[circletimessquare]

there is a road to fascism and ignoring human rights. we both understand that. you allude to a slippery slope

so when the usa moves a yard down that road, you are going to get your panties in a twist and scream bloody murder

but when other countries are a MILE down that road, we're not going to say one peep

that's my problem with you

http://www.nytimes.com/2007/08/02/world/middleeast /02iran.html [nytimes.com]

just picked that story from this morning, out of many i could have picked over many days and many countries

how do you

let's see if you can

[circletimessquare]

wrap your mind around this concept:

the only morally and intellectually defensible position on human rights is a global one

because we're talking about human rights. not american rights. not iranian rights

so when you criticize one country more than another, and the former does far less abuses than the latter, you don't have a human conscience. your level of criticism must match the level of abuse

otherwise, you have an american conscience: an obsession with america... which is fine, actually. just admit that y

got it

[circletimessquare]

look, that guy is littering

better scream high holy indignation

look, that other guy is stabbing someone

but i can't criticize him, because that guy is a little further away from me

i have a human conscience

Re:

[Opportunist]

I'd hold that bet, but it's illegal here to engage in bets when you already know the outcome...

Is this really a reliable tool for the FBI?

[Vokkyt]

There are many programs out there, such as LittleSnitch for Mac, which are rather adamant about making sure you know everything that is phoning home on your computer. Does the CIPAV have a method of circumventing these road blocks or would the FBI be stumped by the same software that is intended to keep computers safe from malicious software? While I could certainly understand them working with larger developers like Symantec and Microsoft to ensure that their anti-spyware and virus protection software dutifully ignores a product like CIPAV, what about machines running protection applications from smaller developers, or even open source protection, like the ClamAV project?

Better yet, if programs like CIPAV become more common as a tool for Federal Investigations, does it become a requirement that said programs allow CIPAV and its successors to do their work?

Re:willfull ignorance by anti-malware vendors

[morethanapapercert]

What you said made me think of a (somewhat) related topic. Several people have posted about the possibility of the big AV vendors and such excluding "official" malware from detection signature libraries. Several mechanisms have been suggested, ranging from voluntary participation to being required by secret Homeland Security legislation. I see several potential problems with the idea of the AV crowd secretly ignoring *any* official malware for *any* reason.
1) Even under the threat of Star Chamber "justice",

Re:

[Vokkyt]

Yeah, but now we're installing two things via Malware; a browser extension and the CIPAV program. That's two things to sneak in, hide, and have run undetected by the computer, and also an assumption that the CIPAV is compatible with the browser used. On top of that, there is still an IP trail in router logs if data is being sent to an unknown location that you never accessed. After that, it's pretty easy to close up access, should the paranoid and disillusioned be watching their router logs carefully.

Also

Re:

[Vokkyt]

Also (sorry to double post, but this just came to mind), what happens if it is blockable. Does using the software to prevent CIPAV from calling home constitute a felony for disrupting a Federal investigation? Or, what happens in the case of a rebuild? Is that also considered to be messing with a Federal Investigation if the target is unaware that they are being monitored?

What happens to the data collected?

[WillAffleckUW]

It's sold to commercial firms so they can advertise to you.

Duh.

I wouldn't mind running this

[Larry Lightbulb]

Well, if they took out the phone home aspect - other than that it seems to be a fairly useful monitoring tool.

What if Crackers modify it for themselves?

[denis-The-menace]

If AV companies do let the FBI version go through unchecked,
what if the virus and worm writers of today get a hold of this and modify it for their own purposes?

A lot of effort for 90 days detention.

[AltGrendel]

...Monday, June 18. On July 15, after he pleaded guilty in juvenile court to charges of identity theft and making bomb threats, the teen was sentenced to 90 days' detention.

They spent a log of money on that. Sounds to me like it was actually a "test run" to make sure things work as expected. And now that they know it will work...

Re:

[DamnStupidElf]

They spent a log of money on that. Sounds to me like it was actually a "test run" to make sure things work as expected. And now that they know it will work...

Actually, it works much better than locking someone up for life. 90 days detention is *far* cheaper than 1 year, or 20. The cost of an investigation and court case is probably dwarfed by incarceration costs after just 5 or 10 years.

You've heard that adage that crime doesn't pay, right? Well, neither does justice. It's horribly expensive. In econom

Comment removed

[account_deleted]

Comment removed based on user account deletion

Is it copy-protected?

[Sloppy]

Wow, people are worried about it spreading itself to other computers, deliberately or accidentally. It seems like the FBI has a bigger problem here: they're giving a spying tool to exactly the kind of people who, in the FBI's opinion, are less trustworthy than the average citizen. They give it to them, in the hopes that the suspected criminal will install it on their own machine instead of someone else's.

Think about this series of events: FBI looks into a kiddie porn / pedophile ring, and tries to trick t

Moral to this story?

[JimDaGeek]

Don't use a MS Windows based OS if you want to do stupid stuff. Odds are that these type of government programs are only targeting the large user base of MS Windows. Use Linux, *BSD or Mac OS X and flip the government the birdie! ;-)

Re:

[JimDaGeek]

Sorry to reply to myself. I forgot the last line:

Use Linux, *BSD or Mac OS X and flip the government the birdie! Or don't do stupid stuff

Oh, I just had another idea. Does anyone know of a list of most of these government sites? Why not just block them at the firewall level? Or for n00bs use something like PeerGuardian.

Re:

[JimDaGeek]

Linux is open source, how exactly would they have an "unpublished" exploit? There are a lot more people looking for bugs for Linux than the FBI have searching Linux for some exploit they could take advantage of. Oh, and the FBI would only be able to use a exploit they found first for a few times before it is patched and all through the Linux Community.

As for MS Windows, if there is an unknown exploit, maybe MS would leave it there with a little nudge and wink from the FBI?

As for OS X, the core is op

Some More Speculation on Installation Methods

[Dreamland]

Some more speculation on installation methods of CIPAV can be found here:

http://blog.misec.net/2007/07/31/3/ [misec.net]

Specifically, it looks like the FBI may have several ready-made exploits, each targeting a different OS/web browser combination. An interesting question, then, is what they would do if they encountered a system that is fully patched and running a more secure browser such as Firefox. Does the FBI have access to their own zero-day exploits that they can whip out to install this trojan? If so, is it possible they have their own team of hackers set out to find such exploits?

Re:

[LurkerXXX]

If so, is it possible they have their own team of hackers set out to find such exploits?

In a word? Duh.

They probably don't have their own but call on another 3 letter agency for them. The NSA are the monster intel agency, and they provide many tools and services for the other 3 letter folks. They've made trojan'd printers etc before for invasions of other countries networks. Finding holes in, or clandestinely adding them to software/OSs is probably the full time work of a good sized team.

Re:

[Jherek Carnelian]

They've made trojan'd printers etc before for invasions of other countries networks.

No they haven't. It's a hoax. [theregister.co.uk]

Not My Question

[Nom du Keyboard]

What happens to the data the CIPAV collects? Does the CIPAV capture keystrokes? Can the CIPAV spread on its own to other computers, either purposefully or by accident? Does it erase itself after its job is done?

How about: Which anti-virus/anti-spyware programs detect and remove it?

And which firewalls successfully block it? (Be funny of PeerGuardian takes it out.)

I can answer that ...

[ScrewMaster]

CIPAV stands for 'Computer and Internet Protocol Address Verifier'

No, it stands for "Covert Information Poaching Automated Virus"

If you find an infected web site ...

[PPH]

.. don't report it or clean it off. Instead:

1) Get a couple of 'virgin' PCs. Get them infected.
2) Make up some plausible identities as various members of the Defense Department.
3) E-Mail back and forth about your plans for the pending military coup. Specifically, how you are going to have to neutralize the FBI.
4) Sit back and watch the fireworks.

Re:

[davidsyes]

Well, in the vein of "speculation"...

Then, is this how they brought down mob bosses a few years ago? What is so special about this today than a few years ago?

Or did they simply use RF/EM surveillance against the keystrokes of that enforcer/boss?

I've been wondering if a port sniffer/protocol analyzer/keystroke counter were sneaked in via a maintenance person, or flown in by one of those DARPA critters...

OTOH, depending on the building layout, maybe an "occupant" flushed a stringed bug that deployed lodging a

Re:

[russotto]

Then, is this how they brought down mob bosses a few years ago? What is so special about this today than a few years ago?

IIRC, the keyloggers involved there were _hardware_, installed surreptitiously by the FBI.

Re:

[davidsyes]

SMART criminals (and governments, companies and certain individuals are going to -- for some applications-- start quantum or thermally signature scanning ALL that they bring on premises and real-time comparing known vs suspicious.

Also, keyboards are cheap, (exposed) wiring is cheap, and many peripherals are, too. Either toss them or get them "debugged".

Then, turn the premises into a Faraday cage or whatever it takes to keep unwanted, contemptable fracks out ("unwanted, contemptable" being defined by those w

Re:

[Xtravar]

I think it's safe to say that the Apple demographics don't include people the government wants to go after, aside from maybe fancy pants drug traffickers who the government skims profits from anyway.

The poor have always been the targets of the government, for whatever socio-political reasons there may be. Everyone knows that rich people rarely get convicted of crimes, as they are least suspect and can afford good lawyers. Poor people are more likely to use PCs, which means "criminals" are more likely to u

Re:

[Torvaun]

It's because rich criminals get their criminal activities legalized.