Enhanced Carnivore To Crack Encryption Via Virus
suqur writes: "MSNBC has a story about a new Carnivore feature, dubbed 'Magic Lantern,' which arrives on a victim's computer in the form of a virus through email or well-known vulnerabilities. Magic Lantern uses keylogging to extract keys typed in, and sends them off to the FBI. This is similar to a story reported on previously, but taken one step further, allowing computers to be compromised remotely."
how do you find this bugger?
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
I have had enough.
Do I go on a congressional shooting spree, or should I just give up and smile politely?
Does this mean it will now be illegal to use a secure system? Having any type of security/virus protection will be circumvention of law-enforcing software.
And what happens if this "happens" to get installed on a foreign government's computer? Can we say "espionage"?
I can't say that I don't give a fuck. I've just run out of fuck to give.
Bob Sullivan, I am offended. "The software, known as "Magic Lantern," enables agents to read data that had been scrambled, a tactic often employed by criminals to hide information and evade law enforcement." Nobody I know uses encryption to hide illegal actions. Even the people I've caught doing illegal things don't do this.
I would love to meet the guy who thought this up.
Doesn't this violate the DMCA?
Fuck Ajit Pai
Virus? Why do I have a feeling this is another one of those many things users of pine and mutt don't need to be worried about...
-Khyron
That's fantastic!
I'm very impressed.
My opinion is that if people are going to spend that much effort to compromise my privacy, they deserve to do it. If I don't put as much effort into protecting it, I don't deserve to have it.
There should be a moratorium on the use of the apostrophe.
Max V.
NeXTMail/MIME Mail welcome
What are the odds that antivirus software could be updated to find this virus? It obviously couldn't be cross-platform either. And if the gov't somehow manages to pressure a/v companies into not including it in virus defs, what would happen if some malicious kiddie got hold of the code, and unleashed a much more destructive version, knowing full well that most machines were not protected? Who would be liable in that case?
Where's my lobbyist? Right here.
long live da emu
Is it just me, or would anyone else start to wonder about the application trying to get out through ZoneAlarm? Any simple firewall would catch that trying to send data to the FBI and alert the person to the spying. Just watch how fast the system gets scrubbed when the 'crook' sees something like that. Once again they forget that the people who are a real danger will have no trouble getting around their snooping, and worse, this one will alert them to the fact that they are being checked out.
Question reality.
In other news today, the FBI was arrested en masse for violating numerous newly legislated anti-terrorist laws prohibiting compromising remote computers...
How long until Norton Antivirus detects W32.FBI-MagicLantern?
Well-known vulnerabilities? In other words, if you're doing something illegal - go buy a copy of virus scan, or just wipe your drive and install Linux.
The article says that the "virus" sends the information back to the feds. Won't my firewall intercept that even if my virus scan doesn't pick up this thing?
So when you outlaw encryption and security reports, then only outlaws will use Windows? I don't think that a key logger would work too well on my Linux box. I think that the intrusion detection system would catch it first and I doubt that pine or mutt would be able to execute the virus. I could install WINE... but wait, I don't run it as root. Shit. Linux users are always behind the curve.
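The per-application outbound check that the firewall comments above are counting on, as an added example that is not part of the original thread. All program names, images, addresses and rules are constructed for illustration; programs are identified by image hash rather than file name, so a renamed or look-alike binary does not inherit another program's permissions.

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable images on disk (not real binaries).
MAIL_CLIENT = b"constructed image: mail client"
BROWSER = b"constructed image: web browser"
LOOKALIKE = b"constructed image: different code using the mail client's name"
UNKNOWN = b"constructed image: program never approved"


@dataclass(frozen=True)
class Rule:
    name: str          # file name the approved image normally runs under
    ports: frozenset   # destination ports the user approved for it


# Allowlist keyed by image hash: identity follows the bytes, not the name.
ALLOWLIST = {
    sha256_hex(MAIL_CLIENT): Rule("mailclient.exe", frozenset({25, 110, 143})),
    sha256_hex(BROWSER): Rule("browser.exe", frozenset({80, 443})),
}


@dataclass(frozen=True)
class Conn:
    exe_name: str
    image: bytes       # bytes of the executable that opened the socket
    dest_ip: str
    dest_port: int


def review_outbound(conns, allowlist):
    """Return (exe_name, dest_ip, dest_port, reason) for each connection
    that the per-application policy would stop and show to the user."""
    known_names = {rule.name.lower() for rule in allowlist.values()}
    alerts = []
    for c in conns:
        rule = allowlist.get(sha256_hex(c.image))
        if rule is None:
            # Not an approved image. A familiar name on unfamiliar bytes is
            # reported separately because it looks like impersonation.
            if c.exe_name.lower() in known_names:
                reason = "name-matches-but-hash-differs"
            else:
                reason = "unknown-binary"
        elif c.dest_port not in rule.ports:
            reason = "unapproved-port"
        else:
            continue  # approved image talking on an approved port
        alerts.append((c.exe_name, c.dest_ip, c.dest_port, reason))
    return alerts


# Constructed connection events; addresses are RFC 5737 documentation ranges.
SAMPLE = [
    Conn("mailclient.exe", MAIL_CLIENT, "192.0.2.10", 25),
    Conn("browser.exe", BROWSER, "198.51.100.7", 443),
    Conn("mailclient.exe", LOOKALIKE, "203.0.113.50", 25),
    Conn("svcupd.exe", UNKNOWN, "203.0.113.50", 80),
    Conn("mailclient.exe", MAIL_CLIENT, "203.0.113.50", 8080),
]

if __name__ == "__main__":
    for alert in review_outbound(SAMPLE, ALLOWLIST):
        print(alert)
```

A check like this runs on the machine it is watching, so it is only as trustworthy as that machine; the same policy enforced at a separate gateway does not depend on the host reporting honestly.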
of the case against Microsoft by disgruntled federal employees.
Mail-virus attachments are best contracted via Outlook or web mail clients; anybody with advanced security will not have a problem here.
Unless the government starts persecuting people on Linux and *BSD systems, because they are inimical to the FBI's spying methods.
Foucault's Panopticon, here we come..
Goat sex free since 2001
Great, so now the FBI will be able to surveil terrorists who use Microsoft Outlook, all zero of them. (Are there any other widely used email clients that automatically open attachments, or make it obscenely easy to?)
What worries me is who else has got this sort of technology. There are certainly plenty of little guys out there with the talent to create tools like this, but what about the big (state-sponsored? organized crime?) guys? The ones who most certainly AREN'T looking out for our 'best interests', and aren't out for the thrill of the hunt. Those with the discipline and knowledge to move silently and cautiously, to compromise systems where it counts? These are the people we really need to worry about. Think they're not out there? I find that hard to believe. And if they're not, they will be. THIS is the real threat.
Where do we begin to combat this? We can hardly keep up with the damn script kiddies!
Please make the fix available as soon as possible, or there will be consequence - know what I mean?
Joe Soprano
a) The FBI kicks in your door and installs Outlook
b) You always open email with the subject "Snow White and the 7 FBI Agents"
c) You run the attachment called "FBILOVESYOU.VBS" (and you run Windows, Outlook, etc)
Blah, dumb communist FBI
Abuse my rationalization of rhetoric as either metaphor or monotomy.
If it spreads in virus form, wouldn't that constitute an illegal search or wiretap? If it lands in a foreign government machine, wouldn't that constitute espionage?
I see the FBI can distribute a virus but when some script kid writes a virus for one of Microsoft's crappy products they toss them in jail for a few years.
Just great...
More work for those of us who work in security departments and/or abuse departments. I think this will only work with stupid criminals. All one has to do to avoid this is keep up on security patches and not open email attachments. But, seeing how well SirCam and CodeRed spread, I guess the FBI will catch lots of people this way.
No replies made to AC posts. Please log in.
Does this mean that those not running windows will now be "suspicious persons" ?
Cheers,
-- RLJ
So now and then I see a conspiracy theorist say that the government is suspicious of nonconformist OS users...
So what happens when it becomes virtually impossible to use M$ OSs for terrorism?
Right, it makes us alternate OS users look suspicious.
Mind you, I'm generally not that paranoid, but if you ever read the Washington Post check out today's (11/20) article about Bush's consolidation of executive power and think about his family *cough*dad's CIA*cough* and friends, and tell me it isn't a little worrisome.
-- Still waiting for the Nike endorsement
It watches for a suspect to start a popular encryption program called Pretty Good Privacy. It then logs the passphrase used to start the program, essentially giving agents access to keys needed to decrypt files.
If this is true, then it would seem all you need to do to foil this latest slightly-hare-brained-scheme would be to rename pgp to something else, such as goawayfbi.
That's just plain wrong. Privacy, like freedom, and other rights I would like to take for granted in an ideal world, may come at a cost, but it certainly shouldn't be the government's role to be attacking them in any way.
Sergio
imagine if, as part of terms to settle the ms anti-trust case, ms was "encouraged" by the gov't to make 'magic lantern' "part" of windows...
So this new Carnivore feature will only be able to spy on those people who can't put protection on their computers and can't keep their computers up-to-date.
In light of the Sept 11th terrorists' acts, I think that we can assume that the main people that Carnivore wants to target will not be susceptible to this magic lantern.
Sounds like a waste of time to me.
Kevin
"It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
Thanks to the FBI, a whole new market is now being pushed into exploring the world of alternative operating systems.
Talk about a boon to the Open Source movement! Show the people (not just the bad guys) that Microsoft's numerous vulnerabilities can be used by Big Brother to monitor them. I can't think of a better way to boost Linux distro sales.
I quite agree. If it was security researchers who did this, then we would all be highly impressed.
If a third party can get access to my machine, then my machine is clearly faulty.
Be nice if they were a bit more open about what they are doing, but on the whole, this sort of thing can only improve security in the long term.
Granted, a simple reformat would fix a lot of things on the system, like getting rid of said key-logging program.
You know who I think is crazy? All my ex-girlfriends!
This is a little beyond a wire tap, which can now be done without a warrant; it's more of putting a microphone in the room, so it should require a warrant, not that I expect them to get one.
And besides, *nix is safe; it looks like an Outlook virus.
The first thing that comes to mind is a flagrant violation of the DMCA.
:P. That was easy to get around.
How does the government expect to work around this one? There are so many things that can go wrong...
1. Probably OS-dependent. Remember: virii for one platform (i.e., Win) will probably not work for others. That was not hard to get around.
2. Human link involved. This virus will presumably be propagated via email, or some other form of trojan. Those who tend to use encryption tend to block this type of thing from happening to their machine anyway. Yet another reason not to open email/attachments from an addresser named "CIA"
3. Network link involved. Those who use encryption are usually savvy enough to detect extra packets flying from their machine to some unknown address, which would easily be identified in a reverse-lookup.
My goodness, they are getting desperate, aren't they.
Since when did sending "viruses" become legal? Did I miss that memo?
We can't do it, we can be jailed by showing a proof of concept, we're called terrorists if we give out proof of concept code, but the same people jailing us and calling us terrorists are doing it on purpose....
That makes me think of alcoholic parents telling their kids not to drink while they are wasted 24hrs a day. Well even that's more logical, at least the kid CAN STILL make a choice, either be like his parent or be the total opposite..... whereas here...
--- Metamoderating abusive downgraders since my 300th post.
So, would running Linux avoid this problem?
Since it's vulnerabilities in Windows that seem to allow the FBI to get in, would Linux be OK?
In addition, is this legal? To break in using vulnerabilities? Wouldn't that make the FBI in essence doing illegal things?
This only works then because windows has security holes eh?
I'm becoming increasingly numb over these issues. My naive question is, is this legal? Is there any way to prevent government intrusion? Why does the government despise its own citizenry so much?
Why wouldn't Osama bin Laden or other said terrorists *disconnect* his computer?
*gasp!* The internet isn't some kind of otherworldly computing necessity. Your computer runs perfectly fine if you unplug it from the wall. This seems to be like something George Bush would try to do (make a network secure but hire people that run it).
In any case, sure, unplugging your computer would limit its use as a communicative device, but lookie here. What if the computer was routed through a server that only accepted packets of a certain size with a certain encryption standard? In other words, Mr. Evil-Doer's packets go through, the FBI's don't.
This seems like an incredible waste of time. I've got a better idea to shut down telecommunications in Afghanistan et al:
Hit the data transfer at the heart. Screw with the routers and the servers. Sniff there. Individual computers are a ridiculous place to look.
From: Bill@Slashdot.org
To: Fred@Slashdot.org
Subject: Magic Lantern.doc.pif
Hi! How are you?
I send you this file in order to have your advice.
See you later. Thanks
-- Dan
What if the offenders use a good old fashioned code - the kind where the sender and receiver are intimately involved in coding/decoding? They do this anyway. This software can't do a thing about that. The FBI is stupid if they think these terrorists won't just make up their own non-computer code and use that. Or, what if they just use another computer (not on the net) to generate the encoded messages and move it from one to the other?
Tim ODonnell (trying to be the most
It will also try to gain entry via exploits. So, if your Linux box is not updated with security patches, it will get you that way. You could prevent that by keeping up on patches, or using a non-commonplace (READ: not MS or Linux based) OS.
No replies made to AC posts. Please log in.
A CERT advisory about 1337 h4x0rz in the FBI who are attacking the net with email worms...
;)
I wonder if McAfee etc. will be updated to catch these viruses
If the FBI virus gets out of hand and e.g. destroys corporate, governmental, or military data, could the FBI be held criminally liable?
Which individuals are writing this software anyway? That's what I'd really like to know.
Software doesn't write itself, individual programmers do. So who are these individuals?
My guess is they're hiding under a rock somewhere, too cowardly and ashamed to show their faces in public.
Finally, it has yet to happen yesterday.
Can't wait.
Being a bit pedantic here, but do they mean a trojan or a virus? I would be very worried if it were a virus as viruses propagate - in criminals it could spread from one criminal to another, so no problem there. But if it passed to an innocent user, who then passed it onto friends, I'm sure there would be a civil liberties outcry.
I'm sure trojans must have been used for keylogging before. But won't using this mean getting a wiretap order? I also don't know how this system will cross jurisdictions: can the FBI infect a user in another country to get secrets? Sounds like spying to me, and it would ensure countermeasures from other governments and a change in computing systems to defeat the virus.
I'm hoping that some antivirus company makes a scanning system to detect this 'virus' and eliminate it. Otherwise it's a change to a more secure OS, or using GNUpg (they did only mention it working on PGP, didn't they?) could do the trick.
You guys coming?
:-)
But if the software is a virus (or trojan, or some other malware), wouldn't that make it a tool of terrorism?
Does that mean we can have a military tribunal for the MIB?
This is sickening.
Please, please, PLEASE, somebody tell me that someone will write a program to watch for this "Magic Lantern" and disable it, or at least warn the user that it's installed.
Hmm...
Oh, and by the by... To anyone who wants to make that "if you're not doing anything wrong..." argument, please send me pictures of your wife naked. Just put my address on the back of a 3x5 print, along with your credit and checking account numbers.
Oh, that's private?
Then f**k off and don't let me hear you say it again until you're willing to put your money where your mouth is.
Quite rightly, I don't think that it's anyone's business to see the data on my computer, unless they have a real warrant and show up at my house with it. On the same token, I think that keyloggers should fall under wiretapping regulations. (Does anyone know if they do or not? Last I heard the FBI was trying to say that it didn't.)
It's going to take a LONG time to fix the damage our government is doing. If we're lucky, some of us will live to see something akin to real freedom again. If we're not, well, we'll just have to make sure that the stories get passed down to our children.
Maybe someday I'll take the time to cohesively form my thoughts on this, but at any rate, I think y'all get the idea.
Pax, Ardax
With our luck, no, it won't violate the DMCA.
But trying to circumvent (stop) it probably will.
Feh.
Without making any judgements as to the fucked-uppedness of this, there are so many logistics problems that I can't imagine this getting widespread use.
If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
I'm also wondering if you could rename/recompile PGP or other encryption software so that Magic Lantern won't trigger when it's activated. Also, entering a key without the keyboard (mouse clicks, off a .TXT file on a floppy, whatever...) would make keyboard logging useless.
Other ideas?
"Prepare for the worst - hope for the best."
Remember: You're not only voting for the president, but you're also voting for his cabinet and appointees.
"Hey boss, the feds must be getting suspicious - they're trying to send us the Magic Lantern virus again."
Peace,
-McD
"Given the pace of technology, I propose we leave math to the machines and go play outside." -- Calvin
Are there any cases involving damage done to personal property in eavesdropping operations? That is, legal taps? Any lawyers here? I gotta imagine that this would be a very very dangerous thing for the government to get into. Not only could it cause damage to personal property, but if the suspect is smart enough to encrypt their stuff, they're going to be smart enough to know when they've been h4x0red by an email virus.
This story makes a lot more sense if you remove every reference to "our sources" and replace it with "my little brother." I believe *that*.
There are no trails. There are no trees out here.
Store the encryption software on a non-networked machine (the encryption machine).
Store the encryption keys on removable media that is never left with the encryption machine when encryption/decryption is not actively being done.
Data in encrypted/decrypted form must be brought to the encryption machine via good old sneakernet (diskette).
Extra bonus points if the entire operating system and software suite on the encryption machine lives on read only media, such as a CD-Rom.
FBI Chief: What happen?
FBI Grunt: Someone set up us the disk.
The logic of your argument is that if considerable effort is expended to break the law (i.e. invade your privacy) then it's acceptable. If I were to spend considerable effort into breaking into a bank to look at your bank account, would that be ok? How about the amount of effort I would have to spend to travel to your hometown, figure out where you are and rob you? With your logic, that would be okay since you didn't take the precautions of hiring a bodyguard to prevent such a thing.
...assuming it doesn't check the window class passed to the windows registration function (when the wndclass is created). that would always be the same regardless of the filename/execname. of course you can hexedit that too (or recompile).
https://www.accountkiller.com/removal-requested
Note to self: build auto-gpg-encryption into xP.
Liberty in your lifetime
I can file criminal charges against the FBI
for computer crime via virii?
The feds already used a third-party keylogger that could be delivered via email. It is called DIRT.
I suspect the feature that makes this new keylogger more useful is that it is incorporated in their "DragonWare" suite of software, just like Carnivore's lesser known post-processing programs Packeteer and CoolMiner.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
... the biggest crooks work for the government, not against it. Similarly, as Brecht once noted, bank robbery is strictly amateur stuff. Professionals run banks.
Oh well...
What a joke!
Do they really think they can get anything useful from this virus? The only people stupid enough to execute attachments are people that probably don't have anything worth protecting in the first place.
Bring on your stupid magic lantern!
This sounds a lot like FUD.
Think about it - it's not technically feasible. Basic security measures and anti-virus programs will stop it dead. Key logging is arguably the same as wiretapping - in other words probably illegal without a court order.
And think about this - wouldn't it create quite an international incident if the FBI is found to be actively attacking computer systems not located in the continental US?
Well, I suppose it's too much to ask for MSNBC to get the terminology right.
Okay, I'm done beating this dead (trojan) horse.
Just have an old PC that hasn't been connected to
the net.
Encrypt the files on that machine and then sneaker net (via floppy) the encrypted files to your net connected machine.
Copy encrypted files you receive to floppy and
take them to the machine to be de-crypted.
-Neil
I call BS on this story until someone posts a link to a captured specimen. Until this thing is in the wild everything here is just conjecture. I'd also like to see this thing crack "well-known vulnerabilities" in any of my unix boxes; I don't worry about them "keyscanning my pgp keys" when I'm there.
Although I do think we should remain open for news like this I also think it becomes a bit boring. I mean hasn't it already been proven that if you need (tight) security you should not use Windows?
All we need is to see it in action, and soon thereafter Snort will be able to detect it. Once there is a Snort rule to detect it, all you need is Hogwash and it won't be able to get anywhere near you. Or, at least past your firewall. I believe IPFilter is working on a similar feature to Hogwash, which can block packets based on Snort rules.
Since this is sponsored by the government, and obviously is something that would be instantly picked up by anti-virus software, what are the possibilities of the government making deals with anti-virus companies to NOT detect Magic Lantern? After all, if one "victim" is running active virus protection, bye bye magic lantern.
What about a search warrant?
Random thought: There is probably already a back door built into windows for this purpose... the result of many meetings between the DOD, FBI, CIA, and microsoft.
Skiers and Riders -- http://www.snowjournal.com
maybe the DoJ and microsoft should come to another agreement. instead of microsoft settling for the children, they should send some of their free computer goodies, complete with security holes, to suspected terrorists and criminals. do they double click on sketchy attachments in afghanistan too?
And what happens when a non-FBI person gets ahold of this virus and uses it for, shall we say, more nefarious purposes? Can you release this thing into the wild and not expect someone to eventually find it, copy it, and modify it to be their own?
Even though this sort of circumvention measure is illegal under the DMCA for a private citizen, the DMCA also includes language that makes law enforcement exempt from these very laws.
I currently use a program that watches for any program that tries to register itself to run automatically named Startup Monitor. It works great against adware and other programs that aren't specifically viruses, but that do cause my computer to not work properly. Anyway, it catches the most annoying autoexec programs, but not VXDs or OCXs or certain other registered DLLs.
I wonder how script-kiddyish the actual Magic Lantern is, beyond the concept.
I can't WAIT till somebody finds their computer infected, and distributes the logger for reverse-engineering!!! I wanna take a look at it!
You can run but you can't hide, except, apparently, along the Afghan-Pakistani border.
covertly inserting code to gather information (or otherwise bash their box) onto someone's computer without their consent or knowledge is protected by our Bill of Rights!
They need a warrant (last I checked) to search someone's house. They need a warrant to use wiretaps.
Why is it that they think they can insert a 'virus' to log keystrokes? If this goes into the realm of Van Eck phreaking then I could understand (since Van Eck just picks up the stray emissions from your box...hmm, TEMPEST anyone?), however, I still stand by the fact that *they need a warrant*.
If they want to check out my files on my computer, knock on my door, present a _proper_ warrant, and proceed. That's the lawful way. Dumping a virus on someone's box is just uncool, and in fact, should render anything gathered from said box inadmissible.
of course IANAL...which is said all too frequently around these parts, any real lawyers care to comment?
Since I don't live in America, I figure the compromising of systems in other countries could be considered an act of war. Russia said they would retaliate to computer warfare via nuclear arms, so I hope the FBI avoids infecting people in other countries with this 'virus' or they could have a whole new slew of problems on their hands.
GoatPigSheep, the 3 most important food groups
What worries me is how long has this been out there?! I mean, this could have been out there for months, and if the US Government has leaned on the various Anti-Virus program makers in the US...this could have been going on for many months now.
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
Would the chances of success really be worth the FBI risking tipping its hand in an important investigation?
...
It might work for a handful of careless and unsophisticated Windows-using crooks, before every other crook with only half-a-brain was on to it.
In any case, I'm sure Macintosh sales to the mafia will probably shoot through the roof on this rumor.
This certainly explains why the gov't backed off of the MS case (beyond the economy-in-the-bucket angle). Combine this, the DMCA, the SSSCA, and the FBI not being held to be in line with the DMCA and SSSCA, and you have this:
Only OSes with gov't-licensed security and DRM standards installed can be sold/installed/run legally. This means Microsoft, and possibly Mac. (I'm sure *BSD and Linux will be able to get certified, after going through a many-month/year-long certification obstacle course and re-programming cycle). Backdoors will be inserted (if Magic Lantern isn't installed outright as a feature...)
And naturally, reverse engineering any of this (to close the backdoor, fix/change crypto, remove the Magic Lantern virus, etc.) is highly illegal.
Anyone remember the sample dialog from a game included in the Paranoia! RPG? Let's revise:
Hacker 1: "The MS Crypto API uses ROT13!"
Hacker 2: "No way it could be ROT13! You lie! COMMIE!" *zap zap zap* (Hacker 1 dies)
Hacker 3: "How can you know it wasn't ROT13?? You looked! COMMIEE!" *zap zap zap* (Hacker 2 dies)
Hacker 4: "How do you know what ROT13 is? COMMIE!!" *zap zap zap* (Hacker 3 dies)
Hacker 5: "How do you know that ROT13 is even cryptographic? COMMIE!!" *zap zap zap* (Hacker 4 dies)
Hacker 6: "Ubj qb lbh xabj gung vg'f abg? PBZZVR!!" *zap zap zap* (Hacker 5 dies)
Hacker 7: "You are SO dead." *zap zap zap* (Hacker 6 dies)
(and so on)
Returned Peace Corps IT Volunteer
OpenBSD, baby!
OK...that's two words, but anyone who is even slightly interested in keeping their data/network/computer secure won't use microsoft products. Everyone here knows that the FBI's virus/trojan will target microsloth's wide open systems.
No sympathy for the stupid.
Since when does a government have all rights to use trojans to sniff? Where is privacy?
... If this is even allowed .. what will be allowed in the next coming months or years? Are we going to be allowed to walk in our own houses without big-brother watching our backs? or are we going to shower with a camera pointed to our butts?
... because the citizens are all vulnerable to a government snoop whenever they wish so.
... I would feel myself insecure ... not because I would do illegal things, because I am a respectable citizen, but just because I cannot live my own life anymore as I like as human being with mutual respect!
If the feds can use this utility hackers can too, what about virus scanners? Are they illegal because they circumvent their loggers?
And what about non-US systems? I am Belgian, what if this program gets on a government PC? What about espionage? What about (foreign) companies where this program gets installed on?
In my opinion, it is illegal to make trojans and viruses and/or to distribute them, why is the government being this *EXTREMELY* bad example?
The last but important question
In my opinion privacy is dying, and that because of terrorists? Then I think the terrorists have won a war.
I want to feel home and secure in my own home, but if this is all allowed by the government then I would not feel so safe or secure anymore.
I would feel myself watched
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
I know the press plays fast and loose with the definitions of various anti-social computer programs, but is this really a virus? If the FBI engineers a trojan horse to compromise somebody's machine, that's one thing, but a virus implies that it would spread.
Interestingly if it was a virus, the people who'd be most vulnerable to it would be those who don't take proper security precautions with their computer in the first place. So people who really have something to hide and are trying really hard to hide it are going to be least vulnerable to this approach.
This sig has been temporarily disconnected or is no longer in service
And of course if you find that your system has been infected and you run an AV program on it, you are arrested for violating national security.
That's like saying that the police have the right to break your window and then look inside from across the street. While a dozen other people climb through it, of course.
--GrouchoMarx
Card-carrying member of the EFF, FSF, and ACLU. Are you?
If the FBI is going to use methods like this,
how long before the next Windows System Pack
saves them the work by logging PGP passwords
and sends them off by some mechanism pre-arranged
with the FBI?
Remember that a secure system is a combination of cryptography and protocols. To get around this feature one would use a protocol where you encode your message on a system that is never connected to the net and transfer the message to a transmitting system via sneaker net. To decode a message you use the same protocol in reverse. If you are really paranoid only use the floppies one way and physically destroy them. The FBI system will only catch the stupid.
Can anyone tell me how having my passphrase obtained via keylogging will allow the FBI to unencrypt my private messages? Unless I'm much mistaken, you need my (well OK, the message receiver's) private key in order to do that. I have never actually *typed* a private key, it is generated by gpg. If all this tool is doing is keylogging, they can't actually use the information gained to crack a key unless a) they get physical access to my machine or b) they install some other kind of virus that will start sending pgp data files as well.
I guess they could just do a secret search of my house if they obtained the passphrase, but that's about it. If they did I would have those fsckers in court quick as a limpet.
std::disclaimer<std::legalese> sig=new std::disclaimer; sig->dump(); delete sig;
Here's a thought. What if this is already included in WinXP. Maybe that's part of the 'punishment' in the justice department's deal with MicroSnot.
Would you put it past MS to work such a deal with the government in exchange for an easy anti-trust settlement? Hmmm...
This post is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.
This will never happen. Some computer-illiterate hicks from Arkansas thought it up. Just about as likely as the idea that 2 senators had to implant spyware into all operating systems (sorry I forget the name). But it just won't happen. There are way too many people to prosecute for failure to comply and it will end up costing the country more than it is worth. You can't prosecute someone for running Linux because there is a completely legitimate reason to run it. And how much will it cost to force microshit to put it in their OSes? They already have as much money as they will ever need, so no amount will get them to put spyware that will compromise their sales. The government still has to pass this law. There is no way some hicks that are afraid of computers will get this one passed.
Keyloggers and trojans are not impressive. Every hacker knows about this,
however I suppose the average fool who happens to be using encryption doesn't.
If you use Linux, please help development of Autopac
The FBI doesn't need a virus to do this, all they need to do is tell Microsoft they'll drop the charges against them if they agree to secretly include code to do whatever the FBI wants. How hard would it be to add a keylogger to Windows XP's millions of lines of code? Not hard. The hardest part would be transmitting the data, but with most people being computer-security ignorant that won't be a problem.
What this really is is a way for the FBI to catch petty criminals. It will do absolutely nothing against professionals or anyone else who has a clue...
Of course, anyone who would be vulnerable to this is either a moron or doesn't feel that they have anything to hide, so it seems kind of pointless.
Of course, the truly paranoid communicate with their computer using morse code with their space bar and scroll lock LED. I can see it now:
Head of Investigation: "What have we got from the J Random Hacker log file?"
Computer Specialist: "84,365,928 spaces, sir"
Under capitalism man exploits man. Under communism it's the other way around.
After it's renamed and loaded with the ATI drivers, PGP will encrypt things twice as fast, but side-by-side inspection will reveal its algorithm to have switched to XOR.
write it so it disables the zone alarm notify process.
Now Zone Alarm simply will be "INFECTED" with the virus itself and shut down
of course there's many ways of doing it, disable it, or clone it so the user never knows it's shut down, simply have a little "fake" zone alarm process, fake zone alarm in the system tray and everything, the only difference is it's not zone alarm, it's the virus.
This is just too easy, this is basic hacking stuff that every programmer or hacker knows.
of course, to the average person, this is magic, this is serious hacking.
If you use Linux, please help development of Autopac
I've seen all sorts of comments about this 'Magic lantern' being a virus - but really, it's just a covert keylogger - once installed, it doesn't spread. The trick is, since Carnivore is capturing all your emails anyway, they know what 'user agent' and OS you're running, making it much trivial to select a wrapper e-mail to take advantage of a 'known vulnerability' for your system. The known vulnerability might even be using a Microsoft certificate (or the windows NSA key? :-/ ) to sign an attachment for an auto install?
Of course, a more likely use of the 'Magic Lantern' is to provide plausible deniability when they covertly break in to plant the keylogger software.
Liquor
Sanity is a highly overrated commodity.
I guess they aren't if you are the fbi...
Got Freedom?
Thinking?
Step 1: Be an FBI stool pigeon and send an infected document to your Mafia Boss.
Step 2: His custom anti-virus software detects the virus.
Step 3: You are fitted for some new cement loafers.
Are they serious!?!?
just = (My)Opinion.toCents();
Technically it should be called a Trojan, not a virus.
Shh.
Some people have said to use two computers, one on the net, and the other not connected. Encrypt and decrypt on the unconnected system, and use floppy or zip disks to move files to and from the connected system.
But really, as long as the system you read email on isn't doing the actual en-/decrypting, they can both be on the net. Read email on one computer. Transfer files from and to the encrypting system over the network. This keylogging program, Magic Lantern, only works if the machine it infects runs the PGP program. It's useless if only the computer next to it runs PGP. Magic Lantern would still be installed on the email machine, but since it never runs PGP, it can't do anything. It can't perform keylogging on the encrypting computer, even if the two are networked. No need to use floppies.
The army is up in CNN, people. "Observing".
wouldn't it be easy to cut and paste the alphabet and bit phrases into a window, then cut and paste individual letters to log in? I'd think that would bypass the key logger problem. as far as I can tell key loggers have trouble with mouse movements.
Do you know that the amount of money spent worldwide for defense, armies, bombs, etc. is about 500 000 billions? More than enough to feed the whole planet. Then again, all that money spent is taken from our pockets, we, the people.
making an outlook client open anything these days is tough.
The bad news is sooner or later some idiot is going to label Open Source a terrorist movement....
Idea: Come up with an app that sits on the SMB port (139, is it?) and acts like a Windows box... I believe the word is "honey pot"? One could port-redirect one's firewall to an old 486 running this thing, so as not to overload the firewall itself, and use QoS to keep the bandwidth down... sort of a LaBrea... well, not sort of, I consider ANYBODY trying to sniff around my computers a criminal, badge or no.
--
Keep your laws off my Internet
simply kill the process while launching a tricky "fake" firewall process so the user doesn't notice
set it to kill and replace the firewall when the computer's been idle for more than an hour
If you use Linux, please help development of Autopac
<rant>This is so utterly pathetic, I'm astounded that anyone can be seriously considering it. First of all, any person who is thinking of using encryption to get past the FBI is probably already highly security conscious, so they are unlikely to have any vulnerable services running on their machines through which they could gain access to the target system. Secondly, send a virus via an email from a trusted friend? Uhmmm... join the 21st century fellas! Everybody and their dog knows how easily an email virus can spread. I wouldn't even open email attachments from my own _mother_ unless I asked for that particular file first. Thirdly, and perhaps worst of all, if the government finds ways around these things, then in all probability, somebody else with less benevolent intentions than the safety and security of the public will also figure it out, and exploit it. </rant>
File under 'M' for 'Manic ranting'
Hey! Who stole my Mac and put this Wintel hardware on my desk? Oh well, let me launch Outlook and see if I have any mail.... Wow, a message titled "I Love you"
-- I Am Not A Terrorist.
Our government is obviously not our servant or intent on protecting any of our rights and liberties whatsoever. Protest now and loudly while you still can.
Most members of congress don't even have email. How could they know that long before this was even implemented, everyone would know, and either have figured out a way around it, or just decided to use something else?
The only thing they accomplished was to turn PGP into a battlefield for people who don't have anything better to do.
Think of the disinformation we could send the government's way... "yes, Mr. Director we intercepted the email and It would seem as though Mr. Gates has scheduled the sex-change operation for the 25th..."
hmmm...?
Noted member of Congress
In the old days, I'm sure big crime networks used codes to transfer sensitive information, and I bet police spent time trying to crack those codes or find an interpreter. This doesn't seem too different to me.
But that's just me.
Unfortunately, most of the people smart enough to use PGP effectively on a regular basis are the same people who are smart enough to not open attachments that they are not 100% sure about.
Besides, if I am receiving PGP encrypted email, then the attachment should be sent to me encrypted, so it will be fairly suspicious if it arrives unencrypted (and ready to run).
--------
The significant problems we face cannot be solved by the same level of thinking that created them. -Einstein
the article states that ML steals crypto keys... slightly different than passwords/passphrases...
:P
think about the entropy difference between 128 random bits and 128 bits assigned based off of a password....
in short, not all crypt uses passwords, thus the key is key....
-- dragonxhero
I received an email with the subject "Good Times", and I opened it. My browser popped open, and sent me to a site that had the headline, "See what really happens 'behind closed doors' when John Ashcroft and George Bush get together." My firewall picked up something weird, but I don't know anything about that, because I was already getting ready to format my disk.
The truth about Scientology, Xenu, and you: Operation Clambake
No matter what they do they can't get at a non-networked box unless they physically break in and hack it and then again to retrieve the data (or transmit via radio waves). As for the networked box it never sees anything but cyphertext, no passphrases are used, and anything it puts on the floppy doesn't matter cause even if it gets on the sandbox it can't get anywhere.
Oh sure they could get tricky, do things with floppy boot sector virii that will run in the sandbox, log and save to the floppy, then re-run once it detects a network connection, but to this non-programmer that seems 1) problematic and 2) pretty easy to avoid. maybe even use CD-R or CD-RW.
Comments?
If you can't be good, be good at it!
This is exactly the attitude that everyone must adopt in order to survive the security wars.
Bring on all the renegade crackers and government spys and industry cyber-goons. Their attacks will force us to develop new software, new protocols, and whatever else is needed to ensure privacy and security.
Let's get this all out in the open -- I want to know the full scope of our vulnerabilities as soon as possible. These viruses are doing an excellent job of revealing our weaknesses. It's critically important for us to know those weaknesses in order to properly assess our security status.
Running a client OS is no defense, especially not MacOS- you're going to download your email with some closed-source app, and that's when you get trojanned.
On the other hand its possible to build a stripped down linux box running only a command line program like xmail- which you built yourself from source (add openssh and gpg). Plus you'd want a stripped down kernel with only the simplest possible feature set that runs on your hardware.
You could even wrap the box, monitor, peripherals and cables in aluminum foil, if you're super-paranoid
Can't do that with windows/macos or any large graphical modern proprietary os, period, because you can't trust the os, and you can't trust PGP commercial version.
2. Assuming that this thing attacks known Windows vulnerabilities, I'll just open some random text file, find some characters of my passphrase and copy/paste them into the passphrase window. Try getting a keylogger to pick that up! (Yes, this would be time consuming.)
3. If the stuff is really sensitive, I'd just keep the private key on a zip disk or floppy somewhere (with backups of course.) As many have stated, this Magical Lantern takes advantage of the vulnerability where most people put their private key on their HDD. If the Lantern software is well enough designed, though, it would probably pick up the key as it was used and not earlier/later.
4. Get a Mac and/or run Linux or FreeBSD ;-)
Think about this for a minute (beyond what you've already been thinking, if you've been thinking at all
Various viruses have caused billions of dollars worth of economic damage to countries, both inside and outside the United States. These are costs which are solely borne by the companies themselves.
Microsoft has finally tried to ramp up their security awareness, and default settings, so there is some progress being made, however small. Meanwhile, companies are realizing the costs of viral attacks (and worm attacks) and are at the least paying to fix existing holes.
Now, the FBI comes along and wants to use these "existing" holes to deploy their virus. But do these holes exist? Is this really an option? The FBI would have to be inventing new viruses, or Microsoft would have to leave portions of their OSes open to allow the FBI attack(s) through. Of course, that leaves room for other attacks...
And people like me will either use an alternative OS to begin with (my Mac, or my Linux box) and/or secure their Windows box (and run as a regular user). I do not run virus scanning software on my Windows 2000 machine because I have (what I think are) good security practices:
Outlook is fully patched
I keep up to date on the Windows security patches
I run as a regular user and thus cannot modify system files
Javascript, etc are disabled in my browser
I don't open README.EXE files
So assuming the FBI wants to capture my keystrokes, how exactly is it supposed to work?
Technically I think the idea has merit, but the economic cost of leaving system open for such attacks (from the FBI or script kiddies in Columbia) is going to necessitate patches which will stop the FBI's "Magic Lantern" in its tracks.
... even with an insecure operating system
1. boot diskless system from CDROM which contains image of operating system and encryption software, and your password protected private key
2. physically connect system to network
3. copy encrypted email messages to system
4. physically disconnect from network
5. decrypt email
6. shutdown system
(am I missing anything?)
All your 5kR1p7 are belong to us!
All your keystroke are belong to us!
All your exploit are belong to us!
Move all keystroke, for great injustice!
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
OK, so we can presume that the FBI will contact the virus companies (anti that is ;) and direct them to not include heuristic matches for the magic lantern and its successors but what'll be the legality of us discussing the virii fingerprint within the various forums?
-jhp
/. -- the Free Republic of technology.
Install Linux
Upgrade your kernel to http://www.nsa.gov/selinux/
and you'll never have to worry about the FBI hacking your NSA secured system!
Why are we getting email from some company called "Files By Irene?"
So does this mean it's now legal to send a virus or is this another double standard ;>
So will Norton detect Carnivore plus as a virus and remove it?
Seems to me that our kids will be reading Orwell's 1984 and consider the government described in the book as the "good old days of freedom and democracy".
This is completely illegal. The last time I checked, writing malicious, virus-like code was illegal.
At first I thought that this was just stupid, because no one running a reasonably secure system, keeping up to date with the latest patches, etc, would be caught by it. But then I thought: why rely on already known (and fixed) and other yet undiscovered holes, when you can roll your own?
recently seen in #anti-trust:
*** BillG is now known as GMoney ***
<GMoney> How can we get out of this DOJ crap?
<FBI> I have this "security patch" I'd like you to distribute through Windows Update. Say it fixes some hole using malformed URLs in IE5 and IE6. No one will blink twice. I'm not even sure most XP users can read.
<GMoney> Will you put in a good word for me with the DOJ?
<FBI> Sure.
<FBI> DOJ: Let Microsoft go scott-free, or I post incriminating pictures of John Ashcroft and Hilary Rosen to usenet.
<DOJ> Rokie dokie, baws.
GMoney laughs maniacally.
FBI laughs maniacally.
DOJ tries to laugh maniacally, but chokes on the pencil eraser he was chewing.
*poof*. Insta-hole. Security patches are worthless if you can't trust the source. And yes, this wouldn't work with non-MS OSes, especially decentralized open source ones. I hope.
-Puk
Common sense with computers.
All sensitive Data is to be stored on a computer not connected to any kind of network. The files must be encrypted several times and make sure that the disk is secured.
This is only a reason for more people to use linux. I bet microsoft, symantec, and zone labs are all in bed with the government about allowing backdoors into NAV, ZoneAlarm, and Windows XP.
Scary huh? This is doing more to support linux than any other thing i've heard
How exactly can they assure that users of other countries are not infected by "Magic Lantern"? How do they prevent infection of other government facilities? What if I use a custom, home made, encryption software? And let's not get started on how illegal (for now) this is...
Foucault's Panopticon, here we come..
What is Foucault's Panopticon ?
The FBI is evil, but not stupid. If they did it the best way possible, then their software probably replaces a key part of your operating system's networking code, so that even if you knew each and every process running and exactly what it does, you could still have their software installed and never have any way of knowing.
After all, it's doubtful that Microsoft would object to the FBI looking at their source code for such a project, it's doubtful that Apple would object--but even if they did, the lower levels of OS X are open-source Darwin--and of course Linux is open-source anyway. It doesn't seem too difficult for them to do.
It seems that if they were to do it the simpler way, it would be too easy to detect. If they installed it like a simple trojan, it would be trivial to detect, particularly by software such as ZoneAlarm and equivalents which monitor all attempts by programs to access the net. In fact, if it is what they used in the Scarfo case and they are using it now, if it were a simple trojan it would probably have been reported by now. People with something to hide know what software to use to protect them from such things.
For example, "Dr. Who's Encryption and Security FAQ" http://www.slack.net/~hermit/ebook/documents/security.html is standard reading in newsgroups and on websites dedicated to privacy. It is also standard reading in newsgroups and message boards where child pornography is posted. It is probably also known to organized crime and other elements which engage in illicit activities and use computers. It explains in language most people can understand, the use of PGP, firewalls, various encryption and security software, and the threat of keyloggers and trojans and how to use software like ZoneAlarm to secure network access to only those programs you choose to authorize.
Call me crazy, but I think the FBI would take note of this readily available information and come up with a way to counteract it. Writing their trojan into your operating system itself seems like a damn good way to do this. Windows and Mac users and even Linux users expect certain processes to access the network, so why not exploit that to camouflage an "ultimate trojan"?
There would be only one way to counteract it, and this is mentioned in Dr. Who's FAQ: make detached PGP signatures for each important file in your OS that you'd expect not to change, and use a script to check them against the files each time you boot, or each time you choose to run it. If a file has changed, you know something is wrong.
Of course, this is very cumbersome--how many files exactly should you sign? Very tedious. I got to thinking on this some time back, and came to the conclusion that if you want the best possible security against unauthorized changes to your system, the best way might be to install your whole OS and all your apps, configure everything how you like, and immediately transfer the whole system to one file. Then, strip down your OS to the very minimal parts needed to boot and to check the signature on the "big file" and your stripped-down OS files, then decompress/mount then boot the whole OS in your "container" file. If you have lots of cheap RAM, you can decompress the file containing your OS into a RAMdisk to save some time and make the files less persistent. A lengthy process, depending on how big your OS/apps are, but if you want security there will be a price. This way, every file on your system is uncorruptable, untouchable by trojans and FBI spyware.
I experimented with just that using Windows 98SE, and though I don't know exactly how you'd do it with Linux or WinNT/2k/XP it is definitely doable with Win9x. First I installed Windows and all my apps, then made a Zip file (using no compression at all, for speed of unzipping at boot) of the whole system. Then I deleted the system except for minimal DOS command files and a RAM disk creation tool called xmsdsk.exe and a command-line unzip tool, altered Autoexec.bat to call xmsdsk with the parameters to make a 1GB RAM disk (there were 1.5gigs on the machine), called the unzip tool to unzip the file to the RAM disk, and had the config files boot Win98 from that drive. It took fiddling a bit, but finally I got it right and it worked. When my Win98 booted, in the startup folder was a shortcut to check the PGP signatures of all the startup files and the Big File that the system was stored in.
Not ideal. Quite slow to boot up. You can see why I don't actually still do this; it was more or less an experiment. But it did work. When the system was shut down, the RAM disk went away, and so any changes at all to the system would be undone. If the Big File the system came from, or any of the boot files, were modified it would show up the next time I booted when the signatures were checked. It was unwieldy, but it did provide full protection of a sort I can't think how to have otherwise.
So, does anyone else have crazy ideas on how to provide security against such intrusions? Preferably ones that don't require a boot time long enough that you can go make breakfast in the intervening minutes.
Chasing Amy
(We all chase Amy...)
"The more corrupt the state, the more numerous the laws"-Tacitus
Is this program a virus or is MSNBC saying a virus to mean "a really really bad thing to have on your computer."
It says in the article that it only affected specific targets, while a virus will spread and affect everyone who gets the virus.
Anyways, I would classify this under Trojan Horses. Any other cracker program would work just as well.
I wonder how many gazillions the poor taxpaying US public is getting ripped off of for this little toy.
Please tell us egg troll..who do you work for? Because this is obviously a troll...
Slashdot Hypocrisy at work?
Yet another reason why I'm glad not to live in the Incorporated States of America, or run any proprietary/closed source software.
'Welcome to Rivendell, Mr. Anderson...'
It's been said already, but by far the easiest way to circumvent this is to do all the encryption/decryption on a secure system not connected to the internet and transfer the encrypted data to/from it via physical media.
I've been thinking about this for the last 10 minutes or so, and I can see clear ways, with minimal effort, to have completely secure communication, if you are serious about it. I am betting this is mostly targeted at petty script-kiddies and those slobbering internet paedophiles we hear so much about, not actual terrorists or organized crime of some other fashion.
That and to impress the American public into some sort of false sense of security: "The FBI is using Trojan Horses, keylogging and crypto-viruses to hunt terrorists! Ooh! Aaaah!!! Wow!"
sic transit gloria mundi
Like this is new? I was involved back about 10 years ago with a program to infect certain, ahh, fire control and command-and-control systems with a virus that was surreptitiously inserted into a certain piece of well-known software running on a certain well-known operating system. Its sole mission in life was to worm its way through a network, looking for certain signature tasks running in memory, and perturb the I/O stream in such a way as to be difficult to detect the tampering while at the same time inserting, um, rather dubious data into the system. Say, for example, that you have a computer hooked up to a fire control radar, and you want to insert "bogeys" into the system at certain times (such as when the radar detects what could be interpreted as a plane coming in on an attack vector). Suppose, for example, that said radar's data is displayed on a certain computer. Write your virus, insert it into the system, and voila ;) Instead of one or two planes you see on that attack vector, you now see hundreds - or none.
As you well know, Java inventor Patrick Naughton, an ADMITTED PEDOPHILE developed secret software for the FBI so he can get out of jail sooner and be out on the streets molesting girls again.
ANYONE WHO MODERATES THIS DOWN MUST ALSO BE A PEDOPHILE
Please check my facts and moderate up
You are correct, sir. As for the "I trust the government to only investigate real criminals" crowd, just do a search on the term "Co-intelpro", look at the search results and then tell me you still believe that. The problem is that this isn't intended to be used on real criminals, it's going to be used on suspected criminals - which is a much more subjective thing. Anyone is a potential suspect - all you have to do is have an opinion that those in a position of power feel threatened by.
Ah, now it's a lot easier to see how Justice and MS came up with the settlement deal. Coincidentally, MS seems to be angling for legal protection against disclosing their vulnerabilities. I'm sure they'll find a receptive audience at DoJ
Quick! Everyone install this trojan and start typing as much as possible... Maybe we can /. the carnivore box :)
It's called a laptop computer.
Microsoft just put in a back door for the FBI to load a kernel module that won't show up in the Task Manager. Why should they make it so you have to do anything to get the key logger running? Nefarious kernel modules are the perfect way to do this and are well known in *nix cracker tools. Take a look at line 8,778,204 of the Windows XP code to see what I mean......
If the government gets $Billions from the Tobacco companies, cigarettes will be around for a while. If the Government needs one computer OS that they can get into when they want to, they will let Microsoft continue to monopolize operating systems.
Power tends to corrupt, and absolute power corrupts absolutely.
Obviously, speed is of the essence
(Note: for background info on this net meme - look here.)
[Insert pithy quote here]
I'm assuming a good DMZ would take care of problems such as these, as you might just as well assume that the local machine has been compromised.
Although sometimes the dmz machine gets hacked - personal experience here.
I still don't know how the machine got hacked, I restored from backups as soon as shit started going weird.
First question - anybody have some real good links for setting up a DMZ (I got hacked and I know I followed the directions exactly on one site)
Now, assuming the story is not bullshit, how would one defend against such an attack. I've heard several good ideas, such as boot/run from a cdr, creating a zip image of the HDD and restoring from it if something changes, etc...
A software solution would be really great, especially if it was an open source program.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
Any crypto system you use that is done by humans is going to be insecure (short of using one-time pads). When was the last time you successfully multiplied two 1024 digit numbers? If you want to see a historical example of this just look at the French resistance targets on D-day: Telephone and telegraph wires were one of their most important objectives. The reason being it forced the Germans to stop using a secure system (i.e. a signal on a wire the allies couldn't intercept) and use an insecure system (encrypted radio signals that could be intercepted and decrypted). It was a major source of intelligence about enemy intentions and troop movements during the invasion.
I think this has to be the most ridiculous excuse for "going after terrorists" ever conceived.
---------
Fuck you, motherfucker. Fuck yous to: Rob "Taco-Snotter" Malda, Homos, Kowboi Kneel, and RMS.
I direct you to my message of Security Risk Karma Points about vacuum-cleaner sweeps.
One line blog. I hear that they're called Twitters now.
Of course the old spy game still has a few twists. Try this on a proper hacker and it'd be very interesting to see the results.
;-)
I for one would enjoy spending quite a bit of my time reverse engineering the thing just so I could send them dummy information.
It's an old war trick. Break their code and feed them iffy information. They're so trusting of their technology most of those idiots wouldn't even see it coming.
This game works both ways
Can you cite an actual legal precedent for this? My understanding of the law is that you have a legal right to defend yourself, even against law enforcement officials, if you have a reasonable belief that they intend to do you harm. For example, in California it is legal to resist arrest if the arresting officer intends to kill you. Of course, proving the intent of the officer in court could be difficult...
An anonymous coward (or, really, anyone on Slashdot) actually gets it!!
Thank you!
DFL
Never send a human to do a machine's job.
I've heard that some Government agencies do intelligence for the sake of American corporations. (i.e. if they find out about technology that a corporation in another country is developing they may pass it on to an American corporation). The question is, couldn't American corporations use this to spy on other American corporations? Does anyone know how likely a US agency would be to do a thing like that?
___
It's the end of my comment as I know it and I feel fine.
The government has finally started to produce good solutions to society's problems, in a timely manner and on budget. I believe that such an email virus, which would obviously function only under quality Microsoft Windows operating systems and Microsoft Outlook products, presents such a simple, elegant and utterly unbreakable solution to our nation's crime problems that soon, all criminals will flee the country and go to Zimbabwe instead.
Of course, when I speak of "criminals" in the previous paragraph, I'm referring to none other than Microsoft Corporation.
Don't you mean "dumb FASCIST FBI"? Or perhaps "dumb totalitarian FBI"?
Surely they couldn't be planning on replicating it like a virus. Striking out at random and invading the computers of people they don't have authorization isn't just ethically suspect, it's a federal crime under current and highly visible law.
C//
It just occurred to me that the great deal Microsoft just got from the justice department could have included some secret quid pro quos, many of which are consistent with Microsoft including some ultimate FBI-enableable backdoors.
Note that the recent anti-terrorism legislation (USA-PATRIOT) has an express provision exempting negligent software from the Computer Fraud and Abuse Act, a bizarre provision to have thrust into that bill unless someone was negotiating protections from civil litigation for providing an undocumented backdoor.
Sure, it's a conspiracy theory, but not a bad one. This package was just bundled up too prettily to be an accident.
How the F**K does the FBI know the criminal's email address in the first place to send this virus/trojan to?
the question that should be asked here is:
HOW DO I GET MY HANDS ON ONE OF THESE?
and
What platform/os/hardware is carnivore running on?
This is beyond the reasonable powers that our government should have to monitor our lives. I don't believe that the Government is wrong to be able to wiretap a person per the USA act, as opposed to just tapping one of their devices. I don't mind that the government can intercept plaintext emails and archive them. Echelon, well, even though it exists, what kind of storage are they keeping down there? The entire textual communication over the internet, one day is several hundred TB worth. The NSA would be spending more on EMC2 storage arrays than their budget, daily.
I do mind that now the FBI has the power to remotely install keystroke loggers to gather encryption passphrases that are emailed to a central station. This rings similar to what the RIAA wanted to do - enter into computer systems and make sure there's no illegally copied material on them.
Since when have the "shall not infringe" and "Shall make no law" of our constitution been able to be warped into "shall do whatever the hell Dubya and the Criminal Institution of America, and the National Socialist Agency, want"
Sometimes I'm ashamed to be a U.S. citizen. Really.
AN 1 Nov 20 agent213@fbi.gov (335) Hot Porn!
[enter]
Attachment: sexypix.htm.exe
Damn, I can't run it.
-Legion
is that its physical position is such that it is *surrounded* by peers which, by sheer numbers, will ensure the panopticon's demise should the peers join forces to DOS his node(s)..
Aren't these government agencies supposed to be co-operating? Why don't the FBI just use the backdoor that the NSA has already gotten into Windows? This seems to be a duplication of effort here - first WINDOWS_KEY and NSA_KEY, now FBI_KEY, CIA_KEY and what about the states? Surely they should have their own keys as well!
What happens when the FBI's little magic lantern grabs the passwords from a user's computer outside the United States?
I don't mind extra security measures applied to the net, but the US has to realize that it is no longer the be-all end-all of the net.
On another note, how do I protect my porn passwords from those deviant J Edgar Hoover clones?
Remote, automatic updates like Microsoft's automatic update, Norton and McAfee anti-virus updates (talk about ironic), Compaq automatic support, Debian, and (commercial) RedHat are vulnerable to this. Governmental agencies can easily carry out man-in-the-middle attacks against specific targets. Even if you guard against that with secure key distribution, governmental agencies can quietly compromise trusted sources ("Mr. Gates, you have to ship this virus-carrying update; it's your patriotic duty", or "Mr. Debian package maintainer, you must include this binary in your package and sign it").
What can people do about it? First, use intrusion detection software: is your computer making connections to funny sites by itself? Are other unusual patterns of activity occurring? Have binaries changed unexpectedly? Second, use many sources of information, not just one "secure" one. For someone to figure out how to modify package signatures consistently received from multiple different sources via multiple different means in order to hide their hacking is rather difficult. Third, if security is important to you, quarantine updates and wait to see whether other people have detected compromises.
In fact, systems like Debian and RedHat should really make it much easier to hook up to multiple sources of package signatures (via E-mail, custom scripts, etc.) and allow people to verify packages.
What a way for the government to get feedback on its top project. Release little tidbits of information, and then let people spill their beans about how they can find a way around their spy software. No doubt that the people working on the project are geeks and might actually read Slashdot. It only has hundreds of thousands of users. There are a bunch of users who say that _they_ can "beat the system" and they detail the why and how of it. Way to help the US government!
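The multi-source check and quarantine described in the comment above, as an added example that is not part of the original post. Plain SHA-256 digests stand in for package signatures, and the source names, channel labels, thresholds and the 7-day window are assumptions made for illustration.

```python
"""Accept an update only when independent sources agree and it has aged."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Attestation:
    source: str    # who published the digest (hypothetical names below)
    channel: str   # how it reached us: "https", "email", "mirror", ...
    sha256: str    # hex digest this source claims for the package


@dataclass
class Verdict:
    accept: bool
    reason: str
    agreeing: list = field(default_factory=list)
    conflicting: list = field(default_factory=list)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_update(package: bytes, attestations, published: datetime,
                 now: datetime, min_sources: int = 2, min_channels: int = 2,
                 quarantine: timedelta = timedelta(days=7)) -> Verdict:
    """Compare the downloaded bytes with every digest we were given."""
    local = sha256_bytes(package)
    agreeing, conflicting = [], []
    for a in attestations:
        # Normalise case and whitespace so formatting is not read as tampering.
        if a.sha256.strip().lower() == local:
            agreeing.append(a)
        else:
            conflicting.append(a)

    # A single disagreeing source is a finding in itself: either that source
    # or our download path was altered. Do not settle it by majority vote.
    if conflicting:
        return Verdict(False, "digest conflict", agreeing, conflicting)

    # Three copies of one mirror's digest are still one source.
    if len({a.source for a in agreeing}) < min_sources:
        return Verdict(False, "too few independent sources", agreeing)

    # Digests that all arrived over one path share that path's weaknesses.
    if len({a.channel for a in agreeing}) < min_channels:
        return Verdict(False, "too few independent channels", agreeing)

    # Hold fresh releases back so others have time to report a compromise.
    if now - published < quarantine:
        return Verdict(False, "inside quarantine window", agreeing)

    return Verdict(True, "ok", agreeing)


# Constructed sample input: package bytes and a tampered variant.
GOOD_PACKAGE = b"constructed package contents, release 1.2"
TAMPERED_PACKAGE = GOOD_PACKAGE + b"\x00appended payload"
GOOD_DIGEST = sha256_bytes(GOOD_PACKAGE)
SAMPLE_ATTESTATIONS = [
    Attestation("vendor-site", "https", GOOD_DIGEST),
    Attestation("announce-list", "email", GOOD_DIGEST.upper()),
    Attestation("mirror-b", "https", GOOD_DIGEST),
]

if __name__ == "__main__":
    now = datetime(2001, 12, 1, tzinfo=timezone.utc)   # constructed date
    old = now - timedelta(days=10)
    for name, pkg in (("good", GOOD_PACKAGE), ("tampered", TAMPERED_PACKAGE)):
        v = check_update(pkg, SAMPLE_ATTESTATIONS, old, now)
        print(name, v.accept, v.reason)
```

This only helps if the digests really do arrive by separate paths; fetching all of them from the host that served the package adds nothing.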
How many straws will it take before the people of the United States, the people who take pride in living in the "best nation on Earth", the "land of the free," stand up and say ENOUGH?
Is a sense of security worth allowing Stalinist Russia to be reborn in America?
How many straws, America? How many?
Someday, you're going to die. Get over it.
>you'll never have to worry about the FBI hacking
Did you look at the URL you typed in? nsa.GOV, it's a US government website. I would never ever trust the US government with anything, not even Green Jello.
Recompiling from source, with new class names, ought to fix the problem in no time.
Nah, a decent hex editor should be enough to do the trick here. Remember, window classes are just LPCSTRs.
It seems to me that the only way to be truly safe is to build a clean system then ghost it. Keep your data on a separate drive, load up the clean image everyday and change your encryption keys immediately after the load of the clean system.
It's illegal to propagate a virus unless you're the FBI?? Hmmmmm...
Question...don't these clowns exist to ENFORCE the laws as opposed to breaking them?
Aren't they charged with investigating and prosecuting crimes as opposed to instigating them?? If you ask me, the FBI is smelling more and more like the KGB every day.....
The irony isn't lost on me....that Russia is becoming more free while at the same time the USA is looking more and more like a police state.
All this to do about homeland security is a bunch of crap! The way I see it, the terrorism was done by no more than 100 - 500 or so people in total.
Is it right for our govt. to then take away the rights of 250 million people? Remember there's over three billion people in the world. 500 people represents .000000017 of this total.
This whole thing is a scheme for the federal government to exercise control over the people..and the Constitution and Bill of Rights be damned!
To the FBI, NSA as well as the CIA...GO SCREW THY SELF! Why do WE put up with "law enfarcement" that has become dictatorial and oppressive in action/s? Why worry about simple-minded guppies bent on creating hype, hysteria and extreme paranoia over what will most certainly become the above-named agencies' own "waterloo", by illegal actions taken by those agencies, all it will take is one deep pocketed person or corporation to bring everything out into the open, where the cockroaches of terrorist law enfarcement live/s to send them scurrying back into the shadows of secrecy and deceit awaiting their day in "court-fed". Does anybody truly understand that one level-headed senator being spied on by ANY agency will bring a nation down upon those doing the spying, and DEMAND changes be made NOW and those that are responsible be sent to prison for XXXX years as well! How many congressional "hearings" would be needed to jail the criminals...ONE, that's all, because the people being spied upon will DEMAND they live in prison for treasonous acts of "social terrorism" against the nation as a whole. Who gave ANYBODY the "right" to spy on anybody without a warrant or court order? NOBODY! A virus posted by the FBI would be seen as an act of sabotage willfully released upon the people without court order/s OR with a reason. Acts such as this WILL get noticed the same or the next day for sure, either way, it will ALL be public in very short order, and those inflicting the damage will be held morally and financially responsible for every single occurrence of viral attacks....guaranteed! Word of mouth, assisted by the media will FORCE CHANGE in the halls of the nation's legal injustice system/s. If it's ILLEGAL to knowingly spread a virus to computer systems, "they" too, WILL be held for computer crimes like Mr. Minick was, as well as Dmitry Sklyarov and many others! Rights are RIGHTS. NOT privileges that can be granted or denied! Enumerated MEANS LIMITED!
LIMIT government to what is LEGAL, and no more! ALWAYS QUESTION AUTHORITY, not doing so will get you killed!
206.39.38.2, DDN-BLK-36, DOD NET INFO CENTER. 800.365.3642 206.36.0.0-206.39.255.255 NET RANGE.
Does anyone else find the blatant hypocrisy so common in the US government to be painfully annoying? they try to make cracking encryption illegal (dcma/dmca whatever), then they pull out this, and it's legit? further, they make virus writing a punishable offence, and this also makes use of virus like tendencies (perhaps. could be a trojan). wtf? this is similar to speed limits where police go much faster to make exciting chases. while technically, they are not supposed to, very few are going to stop them, or even suggest it. this is yet another reason to use linux; no complaints there :^)
where does it end? with the way things are going, it looks like orwell was a mere 20 years early.. welcome to 2004
All this subterfuge and secrecy is annoying! Where is Jackboot Janet when you really need her?
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
No shit, Sherlock. His name is fucking "egg troll", and you still thought, "Gee, I better feed him! He might not be a troll, and even if he is, a troll's sole objective might not be gaining as many responses from retards as possible."
Seems like a M$ problem, hope you have a Virus scanner.
Is that Zane Haxton of Seattle, Washington?
That is why the Rodney King 5 were found "not guilty" in their (criminal) trial: They successfully argued that they were, in fact, following police department policy. They were not acting as "individuals", and were therefore not guilty of any crime.
As long as the thugs are held to standards in the government courts to have been advancing the interests of that same government, they will be adjudicated as having done nothing "illegal".
And if violation of the DMCA is upheld even once, the law will be quickly revised on the basis of "National Security."
Remember to say "Hail Furer" when presenting your photo-ID's.
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
"The usual anti-virus precautions"
... "entering a key without the keyboard"...
Won't work. This sort of software already exists in the corporate world, for PC "support". Have a machine at work? You may be monitored already. The tool can be installed for "stealth" operation. No icon, no task list, no visible hint. Anti-virus tools aren't going to mess with useful support software, so leaning is not required.
"Open Source"
At least you have a chance. There are modules that can go "stealth" in Linux, but if you're careful you can stay in control. Not so closed source/MS Windows.
"could rename/recompile PGP"
What if there were a program that logged every Windoze message/function call and maximally compressed it? I'll tell you... You'd have that corporate tool; and your entire doings at the machine would be visible to the reader. Everything. Every image you saw, every scancode generated, every position your mouse was in - even the track it took to get there. Oh, and the datastream runs well below 9.6Kbs, 1200-2400 baud is typical.
"any criminal with the money to hire good IT"
Not just criminals. There are volumes of history where people doing data collection direct a few competitive tidbits to their friends. Or, collecting a nasty detail, or two, on their political enemies. All "for the good of the cause", you understand.
".TXT file on a floppy"
Now you're starting to get somewhere. "Something you have" is a strong factor in a good security scheme. And, bulk data I/Os are hard to forward without being noticed (Try ftp'ing every disk block you read or write). But there are better things to carry around than a floppy. Something easily and completely destroyed is handy. Smartcards, maybe, but they're even more closed source and proprietary than Windows. I sure as heck won't trust them until they're reviewed commodity items running publicly vetted bios software.
You know something useful, though. They have to collect the data. So...
1) High bandwidth operations like painting a hi-res image (be warned, they will be denatured for transmission) and volume disk type operations can't be forwarded without risk of being noticed.
2) Watch those transmit lights. No Winbloatums.
Building a secure system for data exchange isn't easy when any part of it is out of your explicit control, ever. In fact, it's pretty much impossible. Remember, if they can catch you typing the "key", they can catch you typing/reading the clear text message too.
Best plan? Laptops/Palmtops running open source software. Never leave home without it. Make sure it "self destructs" if tampered with.
Let me first say this: I read the article.
Now I think this is great for the FBI. I firmly support the idea (as long as it falls under the fourth (?) amendment).
I believe that this is another step in the cryptologists vs. cryptanalysts war. Obviously this is a shortcoming somewhere along the line for those of us who wish to encrypt our stuff... but hey, adversity is a synonym for progress, right?
If we all get outraged, then our response is wrong! This is a boon, exposing a weakness, giving us a lamp on how to improve.
Don't forget that.
No, you're missing the point. If the FBI could get a warrant on you, they'd just require you to give them your passphrase, or just subpoena the information that was encrypted in the first place. The reason that the FBI needs this is because they know that they can't get warrants for what they want to do, because it's illegal and they have no probable cause for sticking their noses in your business.
You know that if the FBI can't get a warrant for the information in the first place, they won't be able to get a warrant for this either, so what would they plan to do with it, other than break the law?
Join the Slashcott! Stay away entirely Feb 10 thru Feb 17! Close all tabs to prevent autorefresh!
So when you get the attachment... you better flush your stash...
In other news today, the FBI was arrested en masse for violating numerous newly legislated anti-terrorist laws prohibiting compromising remote computers...
And all were summarily executed by the governing military tribunal of the D.C. district.
At least you can still publish "ideas" on the net.
Bill C-36 will make it a thought crime to write terrorist thoughts on the net, among much other sweeping restructuring of freedoms. This is actually the least of my worries. For quite some time our prime minister wanted this to be permanent legislation. At least now we only have 5 years of authoritarianism at hand. At that point hopefully the Canadian people won't be so blinded by their anger at people on the other side of the earth that we will help care for our own freedom, rather than trading it to Afghanistan.
Read it and weep Canada. The Taliban may be defeated soon but they shall win posthumously, even though they've never struck our homeland. They will take what they truly seek: Our freedom. This is a truly international victory for the enemy.
Nothing much makes me happy anymore, except that a few war-torn cities in Afghanistan have a semblance of freedom now. I feel sad about the lost souls at the WTC, the children in Afghanistan who've never seen freedom, those there who lost their freedom for so long. And now I feel sad that writing this, with words like "WTC", "Taliban", and "authoritarianism" I may soon be flagged as a possible Taliban supporter along with the many others who have carefully suppressed their rage at the Taliban in the pursuit of a logical end to all the fighting.
I submitted this story (with more links and a better writeup with less opinion) to slashdot a long time ago but I guess they have better things to do than help defend the liberties of countries outside America nowadays (ahh, I pine for the days when slashdot reported on stuff like our CD-R piracy taxes and such).
And I thought only Nixon kept lists of names.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
So, if some anti-virus house like Norton or McAfee updates their offering to be able to screen-out this FBI virus, do they go to jail for obstruction of justice or some DMCA related crap?
Nice try. If they HONESTLY believed they were doing the RIGHT THING, then they'd at least try to stay within the law. Be those the routine "laws" for the law enforcement types, or that whole Constitution thing for the governmental types.
Rather, the rule is to make massive and contorted efforts to end-run, avoid, evade, ignore, and simply mis-apply them in patently inappropriate ways.
That is NOT the MO for honest people.
Of course there is always the possibility that the terrorists will reverse engineer it, and use it to spy on all the computers the US government went to such great pains to infect...
This sig is licensed under the Free Sig Foundation License, you may re-distribute it as long as you retain this notice
Fuck Zane.
That is fucking awesome. Way to go. I applaud this.
- If you're worried about the american AV-firms being leaned on or something like that I'd suggest F-Secure, Finnish high-tech AV-detection and they also have encryption products etc, check it out.
- "Is Linux Safe?" has come up several times.. If you are really paranoid you should use OpenBSD. It's about as secure as an operating system gets AFAIK. Personally I'll stay with Linux as I have for a long time.
- It's really really scary to see the amount of reports of new laws on "anti-terrorism" and how FBI etc is getting more and more authority. It's kind of a dark future we're moving into - I hope they realise what they are doing to basic freedom before it's too late.. I'm glad that Europe hasn't gone as far (yet?) though..
Problem is, as government-funded tools filter out into public networks it will spark a discussion of these tools in a public forum, which once they are decompiled and attack modes are diagnosed, will give tons of people the ability to launch more sophisticated attacks. Either it's someone who reengineers it and hands it to script kiddies, or it's other organizations or nations which will feel an imperative to grab the next escalated technology level.
Consider: the article says "levels the playing field with criminals" or something to that effect. It also means the FBI will use tools criminals use. It is easy to see this becoming espionage when used against a foreign firm by the FBI or by someone else who has appropriated their technology.
Few firms have virus-busting firewalls or antivirus packages which can handle new attacks before they cause damage or hide in archived material. Perhaps the scariest thing is that if a new variant is created for a specific "sting", it could quickly take over many computers over a large geographical area (consider Code Red graphs) before antivirus manufacturers or the public at large come up with a patch. In the past there has been a chance at getting a patch before infection.
But with the public funding a combination of email hole, pc based server, network scanner, key logger, and encryption program defeater, it seems that we are *very* quickly going to enter a much more dangerous situation than ever before.
It is not possible that this technology will never be misused by the government.
It is not possible that this technology will remain in the hands of the FBI.
It is not possible that this will not accelerate worldwide efforts to provide more and more dangerous security-breaking software/services.
Because it is so cheap to develop this kind of a weapon, it is my opinion that it is 100% likely that terrorists, multinationals, and national security organizations around the world *will* coopt this technology or will develop something identical to it (or more powerful) on their own. This is the part that scares me. No more Net! Who will ever install a binary from a public server? Who will ever trust interactive content and the plugins which it requires? Who will be trusted to hold the keys?
The FBI is moving a physical wiretap capability highly limited by timing and resources, into a software wiretap regime of high speed, exponential viral growth, widespread destabilization of security prior to a court order, and extremely low cost of deployment.
This attempt to coopt the entire networked computing base as a wiretap infrastructure is the most dangerous force I can identify to the world economy and spread of the Internet in all facets of life. It is very hard to have reasonable security for most people at broadband speeds, but one could be forgiven for hoping that problems would be solved in time. Not when the crackers' growth metric takes off exponentially and leaves pro-security forces behind.
I don't think I'd mind if this was used against the people who have attacked the U.S. In fact I'd be surprised if something more powerful wasn't used already. But now we are going to start getting a trickle-down of progressively military weaponry operating silently in our homes.
The cat is out of the bag.. and the technology obviously already exists. The only choice we have is to promote some kind of open source, open science project which could have some hope of markedly improving security in general, could dampen the effects of for example thousands of concurrent Magic Lantern - style attacks from every part of the world. To me, an open, international project is the only way to protect computing in the future.
The FBI already has plenty of tools, and there is no reason it can't improve its cyber attack capability without building such a dangerous system. I certainly don't want to protect the mafia. But unless proven otherwise I think we have to assume that things will get worse all around before they get better.
If you want to see a simulation of the "gray goo" doomsday of nanotechnology, simply wait a few months for the next wave of network pathogens.
We will not be safe until we have the U.S. and other governments on the side of the public, with a law against cyber-germ warfare and a well-funded infrastructure to combat cyber-pathogens which do appear with some kind of human and computer based immune system before we enter the age of the network-borne pandemic.
i guess some todo lists are going to expand...
7.30 get up
8.00 go to work
8.02 check email
8.03 reverse engineer fbi trojan
8.10 spy on everybody and his mother
.
.
.
18.30 be happy to be a l33t FB1 5upp0rt3d ha>0r
nice...
And this does only run on Windows?!
Is this Slashdot or what?
goto NULL;
We all know the army will be coming around to collect everyone's computers in a few weeks, so this virus thing isn't too important.
Remember the requirements also state you must wear a beard from now on too. So start growing one, or you'll be in big trouble.
Thanks,
The FBI
Buy two computers and a floppy. Label them "NET" and "SECURE". Do not connect the secure computer to network. Write and encrypt everything on the secure computer. Transfer via floppy.
Or read your mail in some old simple mailreader (Emacs mail mode?).
...sorta. Order tends to chaos. Government tends to authoritarianism. (Yes, I know that doesn't work - it should tend to anarchy. Oh well.)
Name a single country in the world that is actually becoming *more* democratic. I bet you can't.
Won't this just mean that you should encrypt/decrypt your data on another pc (perhaps a palm/psion handheld) and copy it onto your network machine? Or just store your private key file in an encrypted file/part of your hd?
Out of curiosity and just how it fits in with all this, I use a voice recognition security system on my two main computers. What do I need to watch out for?
Does this fall into this obvious intrusion of freedom by a so-called protector? It just annoys me that they can do this and suddenly since it is for some better good or something, it's ok. That's what freaks me out.
I might as well leave all the doors unlocked and open.
'/dev/wit' is not available.
Never open an email with subject "Good times". It is a virus. Send this to all newsgroups, all the people in your address book, and shout it out on /.
Goodtimes will re-write your hard drive. Not only that, but it will
scramble any disks that are even close to your computer. It will
recalibrate your refrigerator's coolness setting so all your ice cream
goes melty. It will demagnetize the strips on all your credit cards,
screw up the tracking on your television and use subspace field
harmonics to scratch any CD's you try to play.
It will give your ex-boyfriend your new phone number. It will mix
Kool-aid into your fishtank. It will drink all your beer and leave
its socks out on the coffee table when there's company coming over. It
will put a dead kitten in the back pocket of your good suit pants and
hide your car keys when you are late for work.
Goodtimes will make you fall in love with a penguin. It will give you
nightmares about circus midgets. It will pour sugar in your gas tank and
shave off both your eyebrows while dating your current boyfriend behind
your back and billing the dinner and hotel room to your Visa card.
It will seduce your grandmother. It does not matter if she is dead, such
is the power of Goodtimes, it reaches out beyond the grave to sully those
things we hold most dear.
It moves your car randomly around parking lots so you can't find it. It
will kick your dog. It will leave libidinous messages on your boss's
voice mail in your voice! It is insidious and subtle. It is dangerous and
terrifying to behold. It is also a rather interesting shade of mauve.
Goodtimes will give you Dutch Elm disease. It will leave the toilet seat
up. It will make a batch of Methamphetamine in your bathtub and then
leave bacon cooking on the stove while it goes out to chase
gradeschoolers with your new snowblower.
My impression is that people are too technocentric here :). I think it is more relevant, under what circumstances, by what legal procedures, under what supervision tools like these get used. Law enforcement has always tried to use latest technology and carnivore, viruses, electronic bugs and laser-microphones can all be used to intrude into your privacy. What worries me more is the possibility of these things getting used too easily, the data being gathered being stored too long, nobody supervising and controlling the people using this. It seems that lately exactly these legal issues are at stake in the US (and also here in Europe), no matter what technology they use.
Everyone seems to think that using Linux, GPG, or other open source/non-MS software would be an easy way to escape such an attack.
Isn't the opposite the case?
What's stopping the FBI from *contributing* to such a project? All they have to do is submit an innocuous-looking patch which just happens to include keylogging! Or what if they released a new open source encryption program which is "invisible to FBI surveillance"? If their code was sufficiently obfuscated, I doubt anyone would catch on quickly.
The Feds aren't stupid, and I think they'll learn quickly enough that Open Source is by no means synonymous with Security.
What group do you think is a greater threat, wackos with guns, bombs, anthrax and kamikaze pilots, or a federally funded and empowered organization intent upon undermining the freedoms and rights that are each American's by birthright?
I don't know about you, but I fear the latter far more than the former. Two skyscrapers, a government office building, a handful of airplanes and a few thousand lives are insignificant in comparison to the legacy of freedom that has been passed down to us. We can either be the keepers and protectors of that legacy, or we can be neglectful and discover that it is no longer there one day and that our once noble nation has become a police state, which will you choose?
The FBI needs to be reeled in hard and fast and taught a history lesson on exactly who is in charge in this country. We the people run this show and if the FBI is going to be a menace to the people then the FBI can easily be demolished. Never should the people live in fear of those who are supposed to be their servants and protectors. The day that happens is when the FBI becomes the world's foremost terrorist organization.
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
... is that unless the FBI are playing a very deep game, then they cannot crack PGP directly. Of course if the NSA had made a major breakthrough in factoring, they probably wouldn't have told the FBI, but I guess it's still something...
and really InfoWorld gets a lot of ad revenue for microsoft and others with MS compatible software.
Their benchmarks have not been universally reproduced by other testers, maybe what they are really saying isn't so much that it's slower, but that it could have something like this in it.
Apocalypse Cancelled, Sorry, No Ticket Refunds
just click no whenever you get this window popping up, and you'll have no problem.
....and patent it.
"During times of universal deceit, telling the truth becomes a revolutionary act" -- George Orwell
Sorry to inform you all about this, but the recently passed "Anti-Terrorism bill" makes it easier for the FBI to ask England to get information on a suspected criminal, because now evidence from a "foreign" nation is admissible in court no matter how it was retrieved. So you no longer have protection against an illegal search, because our government just needs to ask someone else's government to do the break-in for them.
Also if you read the new Anti-Terrorism bill you will find that the wiretapping rights have been expanded, and this might not be illegal anymore.
For more information on the homeland security act check out ACLU archives
Isn't there a little irony here in that the CIA is contributing
a hardened secure distribution of linux while the FBI is at the same time
pursuing this virus based scheme? Hmmm.....
This is a breach of one of the things in your American constitution, isn't it?
Privacy etc?
This is not special software itself. such a lame way to obtain private keys. snoop into someone's pc and obtain the private key. clearly an intrusion into people's privacy. if they wanna do it, do it from the wire itself and crack the packet
so to you guys using software keys, think again, use smart cards and hardware token. the friggin feds will have a hard time dealing with that and that's one idea why the gov doesn't wanna listen to mcnealy and ellison
How much does Microsoft pay you to post this bullshit?
Now I understand why the feds were so insistent that the Scarfo bug fell under their search warrant, and no wiretap warrant was needed. If no agent visits the premises then presumably no search warrant is required. And Scarfo establishes that no wiretap warrant is required to keylog a suspect's pass phrase. So my bet is, this thing will not "phone home", but save the pass phrase on the victim's hard drive. When the feds come, search warrant in hand, to collect the computer, they just happen to find the pass phrase sitting in a hidden file.
Now I'm starting to feel paranoid.
You are a trusting person.
How do you know that windows isn't simply notifying the trojan anytime ANY password Edit-box (where your keystrokes turn to *'s) gets keyevents?
It wouldn't be hard for the GOVERNMENT to get the specs they need to setup a WINDOWS HOOK in software. They may not even care if they have to sift through some of your other passwords besides just the PGP one.
Don't underestimate the gov't's ability to get one week's worth of sloppy programming done.
And who the hell said you'd need to change encryption schemes? If that were the case why would they *bother* with keyloggers?
I have to agree with a previous poster that it does seem inviting to have an "arms race" on the Internet. Three things bother me about this, though: 1) the feds are doing precisely what they are supposedly employed to protect us from. Lately we have been having a lot of examples of government which isn't really for the people. Some of the measures going on, I can understand and possibly even support in the name of national security, but others are way over the line. 2) it seems a very ineffective tactic, since it's already a widely-known plan (it's on MSNBC, isn't it?), and I'm sure terrorists or whoever don't just confine their readings to terror weekly or whatever online periodical. (but even if they did, don't you think it would have the article?) 3) as the article points out, "The best snooping technology that the FBI currently uses, the controversial software called Carnivore, has been useless against suspects clever enough to encrypt their files.", so you really think a terrorist isn't clever enough to avoid running a trojan e-mail? They learned how to fly planes... training in the tools of their destruction. If a computer is involved, they will certainly know how to protect it from intrusion. This seems exceptionally pointless, and the only people who have things to lose are precisely those who probably aren't doing anything wrong.
and land of the free...
Once we get a hold of one of these FBI viruses, we can figure out where they send their data and take those servers DOWN.
http://www.eset.sk/ (page in slovak)
http://www.nod32.com/index.html (page in english)
hany
to avoid all the hassle of working out how the bloody thing is doing what it is doing, just add a couple of rules to your firewall and stop all traffic to da FBI altogether, err you do have a firewall don't you???
isss da efbeehigh!
you're right. all those questions above are just fake questions. the only question that is real is whether or not someone could get a worm back to the FBI. good job in pointing out all the fake questions. bravo. what would we do without you.
First off, this is a trojan horse, not a virus, since they are targeting a specific computer.
The article doesn't mention which systems this will impact. My guess would be that it will follow the pattern of commercial software: first Windows, then MacOS, then possibly other OSes. But it depends on the demographics of their targets. I could be wrong, if organized crime prefers Linux or BSD (for all the reasons picky paranoid people pick *n?x).
My guess is that they are targeting the software at people who just install PGP on their machines and think that's good enough. Folks who install tripwire, inspect their kernel source, or even just regularly install vendor patches will require a personal visit to bug the keyboard.
In itself, this software is no different from them tapping your phone, bugging your house, or other activities they can get a court order to do. It does have a number of side effects, though. First off, any tech-savvy person receiving this bug would (1) know (s)he is under investigation, and (2) come into possession of sophisticated snooping software. I wonder if the FBI is considering how to limit the use of this software by the people they distribute it to!
Finally, the real problem with this and other snooping technology is the problem with all software-- verifying that it does what you think it does. Even the most tech-savvy judge won't have the sophistication to verify that the code only captures PGP passwords. Then again, they also give warrants to snoop a house without knowing for sure that the agents will just look at person A's stuff and ignore roommate B's.
(A) Use a biometric info system in addition to the password (i.e. a fingerprint device, which are pretty cheap these days).
(B) Use a challenge/response authentication system, like S/key. In essence treating your keyboard as part of an insecure network.
* Code Red style propagation allows for very large scale deployment
* Data sharing with DMV
* Valutraq - advertising based on what is found on a subject's system.
* Automatic Ministry Of Love dispatch in the event of Thought Crime (TM)
* Tracking in devices attached to mobile phones with GPS support
It's a great time to be alive.
trilucid: who's there?
knocker: FBI
trilucid: go away.
knocker: what's that, house on fire? your computer started it? who cares, we have a warrant for your arrest for treason, deliberate acts against the US government.
oh dear, that's not funny.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
The most objectionable thing about Carnivore is that I'm paying for it. It sucks to think that I'm paying my government to spy on me. At least that's not what I think of when I see the monthly withholding.
What if one of these people who has the dubious distinction of receiving this attachment forwards it on to someone in another country... and it ends up in a government office, quietly forwarding keystrokes on to the US Government; does that constitute spying? Does that mean that the person who forwarded the attachment needs to worry about being picked up in a dark van by masked men and whisked off to a foreign power to stand trial on charges of espionage? Will the US government lift a finger to help?
My belief is that if I'm not doing anything wrong, it's not going to directly affect me... in fact certain types of surveillance, such as cameras in public places, could even prove my innocence, but this is too powerful a tool for someone NOT to abuse.
Technically... unoriginal, but very cool.
Politically... stupid.
Morally....... questionable.
Will the FBI prosecute itself for damages and "intangible losses"? Heck, if they can arrest someone's ass for writing a "circumvention device", I want the right to imprison a fed for installing a government-sanctioned security circumvention device on MY PROPERTY!
I say this thing is a hoax.
-Billco, Fnarg.com
Nobody has asked the important question: Is it themable?
A deep unwavering belief is a sure sign you're missing something...
People wake up ... do you honestly believe they will advertise what their new snooping mechanisms are!!! The real people involved will be talking with the chip and hardware manufacturers etc. You will never know what's going on! You fools let them pass these draconian laws ... The terrorists won they took your freedom from you!!!
er, it's http://technick.net/pinouts.php
Any details released by the FBI / CIA on one of their projects will be largely inaccurate.
It's known as Grey information in the trade, where you mention some of the technical facts as to how it is supposed to work and neglect to mention others. I.e., it only works on PGP, when it's actually keylogging everything from bootup.
They know this kind of stunt is going to attract attention so deliberately give seemingly plausible info when in fact there is only a grain of truth in it.
perl -MIO::Socket -e 'IO::Socket::INET-new(PeerAddr="some.windoze.box:1
This newer article http://www.washingtonpost.com/wp-dyn/articles/A3371-2001Nov22.html says McAfee contacted the FBI to make sure their software doesn't alert users to Magic Lantern..
this is off topic, but curiosity is a virtue I happen to have. what does that .sig say?
It seems that FBI officers knew well in advance about the terrorist activities regarding Oklahoma, 9/11 and on-going events; the higher ups forbade FBI officers from shutting the terrorist cells down. Sounds amazing, but the lead lawyer responsible for the Clinton impeachment, (David Shippers), is representing FBI officers who are outraged by the corruption which allowed the terrorist actions to proceed when they could easily have been prevented.
Who is David Shippers? Here's a brief link explaining.
And after you've glanced at that, an interview with him regarding the above claims.
-Fantastic Lad
Don't get me wrong, I think we need to be tougher on crime, but writing a snooping virus is not going to help at all. Shame on McAfee, kudos to Norton (for not cowering to Big Brother yet)...
Think of the number of people involved that would have to orchestrate all of this, and then think what percentage of them could you actually trust with good ethical intentions.....
he asked for a public defender since he could not afford an attorney.
A year spent in artificial intelligence is enough to make one believe in God.
How the hell are they gonna find the email of criminals
i dunno maybe they'll go to criminalsearch.com (wouldn't be surprised if that site worked)
And what if they get it all wrong and enter my Computer? I live in Australia. FBI only has power in USA
*Cough* They broke into an Australian Citizen's Computer *Cough* Hacking *Cough* Illegal *Cough*
roughly: beneath heaven, nothing above.