Enhanced Carnivore To Crack Encryption Via Virus
suqur writes: "MSNBC has a story about a new Carnivore feature, dubbed 'Magic Lantern,' which arrives on a victim's computer in the form of a virus through email or well-known vulnerabilities. Magic Lantern uses keylogging to extract keys typed in, and sends them off to the FBI. This is similar to a story reported on previously, but taken one step further, allowing computers to be compromised remotely."
how do you find this bugger?
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Does this mean it will now be illegal to use a secure system? Having any type of security/virus protection will be circumvention of law-enforcing software.
And what happens if this "happens" to get installed on a foreign government's computer? Can we say "espionage"?
I can't say that I don't give a fuck. I've just run out of fuck to give.
What are the odds that antivirus software could be updated to find this virus? It obviously couldn't be cross-platform either. And if the gov't somehow manages to pressure a/v companies into not including it in virus defs, what would happen if some malicious kiddie got hold of the code, and unleashed a much more destructive version, knowing full well that most machines were not protected? Who would be liable in that case?
Where's my lobbyist? Right here.
So, would running Linux avoid this problem?
Since it's vulnerabilities in Windows that seem to allow the FBI to get in, would Linux be ok?
In addition, is this legal? To break in using vulnerabilities? Wouldn't that make the FBI in essence doing illegal things?
This only works then because Windows has security holes eh?
Being a bit pedantic here, but do they mean a trojan or a virus? I would be very worried if it were a virus as viruses propagate - in criminals it could spread from one criminal to another, so no problem there. But if it passed to an innocent user, who then passed it onto friends, I'm sure there would be a civil liberties outcry.
I'm sure trojans must have been used for keylogging before. But won't using this mean getting a wiretap order? I also don't know how this system will cross jurisdictions: can the FBI infect a user in another country to get secrets? Sounds like spying to me, and it would ensure countermeasures from other governments and a change in computing systems to defeat the virus.
I'm hoping that some antivirus company makes a scanning system to detect this 'virus' and eliminate it. Otherwise it's a change to a more secure OS, or using GnuPG (they did only mention it working on PGP, didn't they?) could do the trick.
You guys coming?
:-)
But if the software is a virus (or trojan, or some other malware), wouldn't that make it a tool of terrorism?
Does that mean we can have a military tribunal for the MIB?
This is sickening.
Please, please, PLEASE, somebody tell me that someone will write a program to watch for this "Magic Lantern" and disable it, or at least warn the user that it's installed.
Hmm...
Oh, and by the by... To anyone who wants to make that "if you're not doing anything wrong..." argument, please send me pictures of your wife naked. Just put my address on the back of a 3x5 print, along with your credit and checking account numbers.
Oh, that's private?
Then f**k off and don't let me hear you say it again until you're willing to put your money where your mouth is.
Quite rightly, I don't think that it's anyone's business to see the data on my computer, unless they have a real warrant and show up at my house with it. On the same token, I think that keyloggers should fall under wiretapping regulations. (Does anyone know if they do or not? Last I heard the FBI was trying to say that it didn't.)
It's going to take a LONG time to fix the damage our government is doing. If we're lucky, some of us will live to see something akin to real freedom again. If we're not, well, we'll just have to make sure that the stories get passed down to our children.
Maybe someday I'll take the time to cohesively form my thoughts on this, but at any rate, I think y'all get the idea.
Pax, Ardax
I'm also wondering if you could rename/recompile PGP or other encryption software so that Magic Lantern won't trigger when it's activated. Also, entering a key without the keyboard (mouse clicks, off a .TXT file on a floppy, whatever...) would make keyboard logging useless.
Other ideas?
"Prepare for the worst - hope for the best."
Store the encryption software on a non-networked machine (the encryption machine).
Store the encryption keys on removable media that is never left with the encryption machine when encryption/decryption is not actively being done.
Data in encrypted/decrypted form must be brought to the encryption machine via good old sneakernet (diskette).
Extra bonus points if the entire operating system and software suite on the encryption machine lives on read only media, such as a CD-Rom.
FBI Chief: What happen?
FBI Grunt: Someone set up us the disk.
Although I do think we should remain open for news like this I also think it becomes a bit boring. I mean hasn't it already been proven that if you need (tight) security you should not use Windows?
covertly inserting code to gather information (or otherwise bash their box) onto someone's computer without their consent or knowledge is protected by our Bill of Rights!
They need a warrant (last I checked) to search someone's house. They need a warrant to use wiretaps.
Why is it that they think they can insert a 'virus' to log keystrokes? if this goes into the realm of Van Eck phreaking then I could understand (since van eck just picks up the stray emissions from your box...hmm, tempest anyone?), however, I still stand by the fact that *they need a warrant*
if they want to check out my files on my computer, knock on my door, present a _proper_ warrant, and proceed. That's the lawful way. Dumping a virus on someone's box is just uncool, and in fact, should render anything gathered from said box inadmissible.
of course IANAL...which is said all too frequently around these parts, any real lawyers care to comment?
I guess they aren't if you are the fbi...
Got Freedom?
Thinking?
Some people have said to use two computers, one on the net, and the other not connected. Encrypt and decrypt on the unconnected system, and use floppy or zip disks to move files to and from the connected system.
But really, as long as the system you read email on isn't doing the actual en-/decrypting, they can both be on the net. Read email on one computer. Transfer files from and to the encrypting system over the network. This keylogging program, Magic Lantern, only works if the machine it infects runs the PGP program. It's useless if only the computer next to it runs PGP. Magic Lantern would still be installed on the email machine, but since it never runs PGP, it can't do anything. It can't perform keylogging on the encrypting computer, even if the two are networked. No need to use floppies.
The bad news is sooner or later some idiot is going to label Open Source a terrorist movement....
Idea: Come up with an app that sits on the SMB port (139, is it?) and acts like a Windows box... I believe the word is "honey pot"? One could port-redirect one's firewall to an old 486 running this thing, so as not to overload the firewall itself, and use QoS to keep the bandwidth down... sort of a LaBrea... well, not sort of, I consider ANYBODY trying to sniff around my computers a criminal, badge or no.
--
Keep your laws off my Internet
No matter what they do they can't get at a non-networked box unless they physically break in and hack it and then again to retrieve the data (or transmit via radio waves). As for the networked box it never sees anything but cyphertext, no passphrases are used, and anything it puts on the floppy doesn't matter cause even if it gets on the sandbox it can't get anywhere.
Oh sure they could get tricky, do things with floppy boot sector virii that will run in the sandbox, log and save to the floppy, then re-run once it detects a network connection, but to this non-programmer that seems 1) problematic and 2) pretty easy to avoid. maybe even use CD-R or CD-RW.
Comments?
If you can't be good, be good at it!
What the fuck does that have to do with communism? Communism != authoritarianism.
At first I thought that this was just stupid, because no one running a reasonably secure system, keeping up to date with the latest patches, etc, would be caught by it. But then I thought: why rely on already known (and fixed) and other yet undiscovered holes, when you can roll your own?
recently seen in #anti-trust:
*** BillG is now known as GMoney ***
<GMoney> How can we get out of this DOJ crap?
<FBI> I have this "security patch" I'd like you to distribute through Windows Update. Say it fixes some hole using malformed URLs in IE5 and IE6. No one will blink twice. I'm not even sure most XP users can read.
<GMoney> Will you put in a good word for me with the DOJ?
<FBI> Sure.
<FBI> DOJ: Let Microsoft go scot-free, or I post incriminating pictures of John Ashcroft and Hilary Rosen to usenet.
<DOJ> Rokie dokie, baws.
GMoney laughs maniacally.
FBI laughs maniacally.
DOJ tries to laugh maniacally, but chokes on the pencil eraser he was chewing.
*poof*. Insta-hole. Security patches are worthless if you can't trust the source. And yes, this wouldn't work with non-MS OSes, especially decentralized open source ones. I hope.
-Puk
Since this keylogger is passed as a virus, wouldn't it be defeated by the standard anti-virus software we're already using?
No, company must post a signature for the virus. If they're allowed to.
Even more insidious, would AV companies install backdoors in their protection software to allow for Magic Lantern?
They may be required to, by secret executive order perhaps. Then again, they are so big they may well encourage the plan. How better to enhance enforcement of DMCA, UCITA, SSSCA, etc. etc.
If this Magic Lantern is really spread as a virus, and costs the US economy thousands of millions, just like CODE RED, who is responsible for paying damages? The FBI?
The victims, the economy, you, I. You cannot sue the Feds without their permission.
Who can guarantee that Magic Lantern will wait until you start PGP? Can't the FBI log every keystroke? How fucking scary is that?
It won't wait, it will watch damn near everything. Technology already exists for sale as a support tool. I've seen it, it's way intrusive. They can watch your screen, keys, all I/O ops, and it's a small Kbit datastream. See below...
Scary? You have no idea.
Is it illegal to detect and destroy Magic Lantern?
Would that be considered obstructing justice?
Does it matter? Seems they've taken it on themselves to hold people, uncharged, for as long as they like. Seems they don't even have to say they've got you.
How long until a "clean" program, ala Nimdaclean is developed, and will possession of that be illegal?
May be, or not. See previous answer.
What will happen when America goes back to normal?
Rights of the people, once lost, are never returned again. Pretty much a fact of history. Revolution is the traditional way of restoring sanity to government, mostly by opening a window of time where it spends more energy regrouping than oppressing its governed.
Who will clean FBI software from our machines?
You.
Note the "small Kb datastream" limitation. They can pack nearly the entire user experience in there. But, there are ways to exceed the bandwidth. Start, for example, by handing your partner in crime a few DVDs full of key material...
That's the kicker. CRIME isn't what the Feds are looking for here. CRIMINALS, at least the ones that need be worried about, maintain a tangible circle of trust. UNDESIRABLES, like you, I, and P0rN buyers everywhere, are the only people this sort of thing is equipped to make an example of.
Surely they couldn't be planning on replicating it like a virus. Striking out at random and invading the computers of people they don't have authorization isn't just ethically suspect, it's a federal crime under current and highly visible law.
C//
How many straws will it take before the people of the United States, the people who take pride in living in the "best nation on Earth", the "land of the free," stand up and say ENOUGH?
Is a sense of security worth allowing Stalinist Russia to be reborn in America?
How many straws, America? How many?
Someday, you're going to die. Get over it.
Problem is, as government-funded tools filter out into public networks it will spark a discussion of these tools in a public forum, which once they are decompiled and attack modes are diagnosed, will give tons of people the ability to launch more sophisticated attacks. Either it's someone who reengineers it and hands it to script kiddies, or it's other organizations or nations which will feel an imperative to grab the next escalated technology level.
Consider: the article says "levels the playing field with criminals" or something to that effect. It also means the FBI will use tools criminals use. It is easy to see this becoming espionage when used against a foreign firm by the FBI or by someone else who has appropriated their technology.
Few firms have virus-busting firewalls or antivirus packages which can handle new attacks before they cause damage or hide in archived material. Perhaps the scariest thing is that if a new variant is created for a specific "sting", it could quickly take over many computers over a large geographical area (consider Code Red graphs) before antivirus manufacturers or the public at large come up with a patch. In the past there has been a chance at getting a patch before infection.
But with the public funding a combination of email hole, pc based server, network scanner, key logger, and encryption program defeater, it seems that we are *very* quickly going to enter a much more dangerous situation than ever before.
It is not possible that this technology will never be misused by the government.
It is not possible that this technology will remain in the hands of the FBI.
It is not possible that this will not accelerate worldwide efforts to provide more and more dangerous security-breaking software/services.
Because it is so cheap to develop this kind of a weapon, it is my opinion that it is 100% likely that terrorists, multinationals, and national security organizations around the world *will* coopt this technology or will develop something identical to it (or more powerful) on their own. This is the part that scares me. No more Net! Who will ever install a binary from a public server? Who will ever trust interactive content and the plugins which it requires? Who will be trusted to hold the keys?
The FBI is moving a physical wiretap capability highly limited by timing and resources, into a software wiretap regime of high speed, exponential viral growth, widespread destabilization of security prior to a court order, and extremely low cost of deployment.
This attempt to coopt the entire networked computing base as a wiretap infrastructure is the most dangerous force I can identify to the world economy and spread of the Internet in all facets of life. It is very hard to have reasonable security for most people at broadband speeds, but one could be forgiven for hoping that problems would be solved in time. Not when the crackers' growth metric takes off exponentially and leaves pro-security forces behind.
I don't think I'd mind if this was used against the people who have attacked the U.S. In fact I'd be surprised if something more powerful wasn't used already. But now we are going to start getting a trickle-down of progressively military weaponry operating silently in our homes.
The cat is out of the bag.. and the technology obviously already exists. The only choice we have is to promote some kind of open source, open science project which could have some hope of markedly improving security in general, could dampen the effects of for example thousands of concurrent Magic Lantern - style attacks from every part of the world. To me, an open, international project is the only way to protect computing in the future.
The FBI already has plenty of tools, and there is no reason it can't improve its cyber attack capability without building such a dangerous system. I certainly don't want to protect the mafia. But unless proven otherwise I think we have to assume that things will get worse all around before they get better.
If you want to see a simulation of the "gray goo" doomsday of nanotechnology, simply wait a few months for the next wave of network pathogens.
We will not be safe until we have the U.S. and other governments on the side of the public, with a law against cyber-germ warfare and a well-funded infrastructure to combat cyber-pathogens which do appear with some kind of human and computer based immune system before we enter the age of the network-borne pandemic.
My impression is that people are too technocentric here :). I think it is more relevant, under what circumstances, by what legal procedures, under what supervision tools like these get used. Law enforcement has always tried to use latest technology and carnivore, viruses, electronic bugs and laser-microphones can all be used to intrude into your privacy. What worries me more is the possibility of these things getting used too easily, the data being gathered being stored too long, nobody supervising and controlling the people using this. It seems that lately exactly these legal issues are at stake in the US (and also here in Europe), no matter what technology they use.
Now I understand why the feds were so insistent that the Scarfo bug fell under their search warrant, and no wiretap warrant was needed. If no agent visits the premises then presumably no search warrant is required. And Scarfo establishes that no wiretap warrant is required to keylog a suspect's pass phrase. So my bet is, this thing will not "phone home", but save the pass phrase on the victim's hard drive. When the feds come, search warrant in hand, to collect the computer, they just happen to find the pass phrase sitting in a hidden file.
Now I'm starting to feel paranoid.