Slashdot Mirror
FBI Confirms Magic Lantern Existence
The_THOMAS (and many others) writes: "A day after major
anti-virus firms waffle on their support for 'Magic Lantern', and nine days
after Thomas C Greene of The Register tried to throw cold
water on it's existence,
the FBI Confirms
the 'Magic Lantern' Project Exist. Welcome to a Brave New World!"
ITS ITS ITS ITS ITS! NOT IT'S! AAAAAAAAGH! http://angryflower.com/bobsqu.gif
To start, I talked with my colleague's brother, "Joe," who is a criminal defense attorney. Joe told me that he has been following the Magic Lantern debate very closely, because his sources indicate that the FBI will be using it in many, many cases to prevent the possibility of seizing equipment with undecryptable data on it. In fact, it has been rumored that the proposed new FBI policy regarding searches of premises requires agents to attempt to use Magic Lantern (which technically counts as a consensual search) prior to even obtaining a warrant, if the warrant is to seize computer hardware.
Joe is not very familiar with computer technology, but he did say that a large part of the Magic Lantern program involves contacting ISPs to allow the FBI to alter network data destined for the suspect's computer. I will take that at face value because they seem to have no problem pulling rank on ISPs. I suspect that their "do it or we'll arrest you" attitude plays a big part in this.
With all of that in mind, I decided to find out just how vulnerable I was. I set up a stock Debian 2.2r3 box, and a stock Red Hat 7.2 box. Both used the installation CDs produced at least a few months ago, so they were both vulnerable to the wu-ftpd exploit and would need to be upgraded for production use.
My goal was simple: I needed to play the part of the FBI, and trick my machines into accepting a trojaned version of the new wu-ftpd package.
First, I set up a transparent proxy on my gateway box, which is used to split my cable modem connection amongst my home machines and those of several neighbors. I used a program called "squirm" to rewrite URLs ending in .deb or .rpm so that they would be redirected to my local web server,
from which the trojanned .deb and .rpm files would be served.
Second, I produced trojaned .deb and .rpm files. The .deb file was
trivial to modify, as only a checksum stood between me and a valid hacked
version. The .rpm was a bit more difficult, because RedHat signs their
packages with a PGP key. However, once I rebuilt the package and did not
sign it with PGP, I had a fixed package.
Third, I went to the Debian box and typed 'apt-get update ; apt-get upgrade'. After a few routine prompts, none of which triggered security alerts, the box was rooted by my "custom" package.
Fourth, I went to the Redhat box and did an 'rpm -U' pointed at the updates.redhat.com server. I got my trojanned RPM back, with no warnings or prompts to tell me it hasn't been signed. And I had an ftp server with a new backdoor up in a matter of minutes.
So, to summarize: the FBI can easily set up a transparent proxy between you and the Internet, and trick your OS into installing malware. You're damned if you do and you're damned if you don't, because you need to download the wuftpd-of-the-week sometime.
As a matter of comparison, my Windows 2000 box has no such vulnerability. The first time I went to Windows Update, I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine. Even if the FBI forces Verisign to issue an impostor certificate, it will be detected and thwarted.
Linux distributions need to band together and find a trusted individual who will be responsible for signing all packages and verifying that they do not contain backdoors. That is the only way to solve this issue. Personally, I nominate Eric Raymond, because of his widespread respect from the community and business leaders alike. Additionally, he is a staunch libertarian and would not cave to government pressure to insert backdoors into something that he has signed. I believe that by charging the distribution vendors a small fee per package, ESR can again achieve financial success for himself and his family.
This is a serious issue for Linux users and I believe it should have been addressed years ago. That said, now is not too late and definitely not too early. I look forward to seeing this feature in all future releases of the major Linux distributions.
df
If you can't replace the word "it's" with "it is" in a sentence, use "its". Really, how hard is it?
Oh, wait, Taco still hasn't learned the difference between "then" and "than". (Hint: "better then" is not proper English.)
I thought that the antivirus companies had AGREED to NOT make their programs detect "Magic Latern"???
There's 10 types of people in this world, those who understand binary and those who don't.
I'm not worried about Magic Lantern. I'm worried about the stuff we haven't heard about yet. Really, if the FBI wants to spy on citizens (or criminals for that matter) there is no way they would let their ideas be known.
Everytime you look at porn a devil gets their horns.
Anyone else for getting a satilitte modem and solar panels and move with me up to the mountains?
I'm can't believe they admitted it, talk about a smoking gun. Public opinion is just now turning towards questioning the "anti-terrorist" actions of our government. We could have figured out they were spying on us, I wonder what force inside made them be honest about it for once.
spacefem.com
How is this different than any other "Hacker" tool?
Seems to just be a government version of a keylogger that should be detected by any virus good virus scanner, unless the virus companies are made to not detected it....
Yes, I know this part is old news. Still, it makes me cringe whenever I see it. I assume there have been discussions of lawsuits/injunctions against ISPs to keep them from divulging this kind of stuff without a customer's consent. Could anyone post links to resources out there on these efforts for me? Thanks in advance.
"Prepare for the worst - hope for the best."
I wonder if this is related to the vulnerability in IE.
Also, why do they have to require back doors, sniffers, and other things to be installed on ISPs and asking anti-virus makers to turn a blind eye to the SECURITY VULNERABILITY that would obviously arise if one could somehow spoof Magic Lantern and in so doing attack or otherwise hijack the computer?
Why not try to gather intelligence by using spies and other methods that do not necessarily require them knowing my password for the QBasic forums that I visit, or my credit card info for purchases I make at Amazon.com?
Also, why deny it? People already don't trust the government as it is, so why pretend it doesn't exist? It doesn't help at all, but at least be honest about looking over our shoulders.
I have 3656.9 Bogomips. How many Bogomips do you have?
This is a very nice new troll. Well done, and I hope it serves you well in your quest for angry replies.
Let me start the ball rolling by saying
"You fucking ignoramous!!!!"
:-) Again, congrats...you obviously put plenty of work into this.
Does anybody know anybody with any information about how to trace it? Now is the time for making Magic-Lantern scanners if the commercial virus protection crew are in on it...
- Malx
The way I see it, since Magic Lantern uses security holes in software to install itself -- might the FBI have secretly persuaded Microsoft, etc. to NOT FIX, or maybe even CREATE security holes??? After all, what good is Magic Lantern if it gets "fixed" in the next Windows Service Pack?
There's 10 types of people in this world, those who understand binary and those who don't.
If the FBI wants to read our keystrokes to capture our passwords then I guess the next course of action is to move to hardware keys. There are a variety of biometric devices available, but the simpler (and more system-independant) solution would probably be to store private keys on one of those USB Flash-RAM dongles.
No word on Debian AFAIK, but I don't really support it so I wouldn't know.
-all dead homiez
All your privacy are belong to us.
LOL... glad to see you are as irritated by that as I am. Thanks for the post.
AGAIN: If you can't replace "it's" with "it is" in the sentence you were using, use "its". "it is existence" would not be correct; therefore, the correct form of the word is "its".
I don't want to be a troll, but I'm really sick of seeing this kind of amateurish grammar on Slashdot, and I know I'm not the only one. Taco seems to have given up. He always uses "its", but that's not correct either! Remember the "it is" rule stated above, and you'll be correct every time.
P.S. "Better then" is not correct either. When comparing, use "than."
Ok so to my understanding M.L. comes in the form of a virus.... Wouldn't that be considered on the same grounds as other virus' that have been released using major holes etc...?
Granted we're all going to hear about how they'll only use it with a warrant... but just the fact that they can use it in the first place, warant or not, should be enough to raise some serious questions. This is more along the lines of 1984 than Brave New World by the way...
What's to stop some random FBI hot-shot from logging keys of random people just to see what he/she can find?
The one good thing now is that since they have admited to it's existance, now it should be slightly harder to implement, and also have a few more sets of eyes watching the watchers.
I nomenate CowboyNeil.
"It's the Law of the Universe, and I'm the sheriff." Slash-cott 2/10-2/17
"The thought police would get him just the same. He had committed--would have committed, even if he had never set pen to paper--the essential crime that contained all others in itself. Thoughtcrime, they called it. Thoughtcrime was not a thing that could be concealed forever. You might dodge successfully for a while, even for years, but sooner or later they were bound to get you." --pg 19
I don't think this software will be much of a problem to the informed ones among us.
The people at risk will be the basic newbie user, the user who was gullible enough to install microsoft software, and Members of Congress.
http://en.wikipedia.org/wiki/2004_U.S._Election_c
Hopefully someone will find a copy of this thing and get it to the 'right' people so we can me a snort signature of it.
The "problem" with relying on security holes is that they tend to be discovered and published by third parties.
If there is an intentional security hole in Windows then it's likely to be found by someone - and then what does MS do?
Mmmmmmm
Does any of this come as news to anyone here? Every time we do anything linked to a public network like the net, we should consider that our actions are not secure. So Magic Lantern story is just highlighting that. Nothing is secure. That's life.
I'm not one for violating our freedoms however something like this may help in scaring would be virus creators, hackers and others problematic computer uses (ie. DDOS attackers). If it will help eliminate problems like that I'm all for it, even if my overall freedoms are curbed a little.
Nathaniel P. Wilkerson
www.haidacarver.com
People fear things like this, yet they really don't have reason to unless they've been doing something worth investigating which is most likely some illegal activity. The FBI doesn't care to read your email or get access to your pr0n, their goal is to deal with threats to security and other illegal activity. The average citizen or even seasoned geek doesn't have much to worry about.
The article says that they haven't actually started the program yet, so it isn't too late for distributions to begin implimenting fixes and detectors of this is it?
For all the FBI, CIA and the so-called "intelligence community" that have the blood of thousands of Americans on their hands. From this article.
But one of the things that would be interesting to know, is how on earth did this guitar strumming, white boy suburbanite, Cat Stevens-wannabe manage to infiltrate the Taliban, a task that is supposedly so formidable that not even the best of the Central Intelligence Agency has been able to achieve it over the past six years?
Well how long are you guys going to wait to call your babies? (Together) Six days.
Viruses spread because each time a user is infected they spread the infection to an average of more than one user. Most viruses die very quickly. Of the thousands launched each day only a handfull infect more than a few hundred sites. The probability of infecting a particular machine is actually quite low. It is going to take rather more effort to spread the trojan payload than the FBI expect.
Simply sending out random spam and hoping the target opens an executable that installs the trojan is not likely to work. A more likely means of succeeding is to attach the trojan to a downloaded executable.
A much easier solution with lower downside risk is simply to install a good old fashioned room mike or to use CRT radiation to snoop on the screen.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Comment removed based on user account deletion
you'd be calling it 'cyberwar'...
Buckets,
pompomtom
"There's an exception to every rule. Except for some rules"
You know, this Magic Lantern thing will sure make life boring. Whatever happened to the good ole days when the feds actually had to sneak in your house and plant a bug inside your coffeemaker (like in all those cool 80s action movies)? Man the feds are sure getting lazy.
Learn how to spell before you talk more shit.
Grab the source, check your code. Don't trust downloadable binaries any farther than you can throw your computer.
The super-paranoid will be safe from Magic Lantern because they probably don't upgrade software often and they probably patch security holes themselves. But for the rest of us who want to *use* our computers, this is an enormous problem.
df
So now the FBI will be able to catch terrorists even better!
What this country needs is more power and oversight by police agencies - East Germany had it right when "smell samples" were collected in jars so dogs could hunt down disenters.
Of course, this will mean nothing to civil rights because as we all know that the FBI is a trust worthy organization that would never do things that would jeopardize our civil rights by installing key loggers via internet virus (because that would not exactly be targeted eh?.
The FBI is also trust worthy, they would never, for example, abuse the justice system by, say using RICO (anti-organized crime) laws to punish pesky protesting environmentalists, or arbitrarily ask nearly all muslim students in the USA to come in for interviews (and chase them down if they don't come by) - or even threaten to reveal that a person charged with a crime is gay (and cause his suicide)
And they would never do anything like compile a list of "persons of interest" and maintain a dossier on each person in the USA that has been charged (not convicted) of a crime), as well as all immigrants in the USA (they did a mighty fine fucking job lately eh?)
Don't worry, the FBI will protect you in the future because of their new powers!
BTW, would it be in a anti-virus company's best interest to reveal that their software has programmed defects? I dunno. . .
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
Look, guys. It's simple.
Get a warrant. I'll show you anything you want to see, but show me your goddamn warrant first. Until you have it, you have no right whatsoever to search my, or anyone else's computer. I don't care what your reason is. This is not acceptable.
The fact is, Brits don't know shit about grammar. You fucking Brit's don't even know that a "full stop" is called a "period". Morons!
Exactly. Thats what i always wonder about whenever they show stuff on TV which seems to us like inside stuff and a show-all policy.
I feel like i am sitting on on top of the largest iceberg.
nice to know, and thanks, but really - what else?
... and this is how they get away with it. Chew our rights away a nibble at a time. 1st amendment, 2nd amendment, 14th amendment, little by little going bye bye. It isn't about "fighting the feds and their software", it's about them even thinking they have the right to use and create this type of tool.
I guess it's time for my windows boxes to be pure game machines. no email, no IE (dl drivers from netscape on linux and ftp them over). who knows what the next step is with this type of software development.
The court was tired of recounts, and demonstrated how to take care of it.
are you more afraid of hackers or the FBI? At least I have respect for hackers. Keep those packages up to date... It's us vs. them, "them" being both the bad guys and the "good" guys now. Pretty sad that basic rights to privacy can be stolen so blatently.
I think it's a relatively simple matter to be sure your keystrokes weren't being detected by the FBI.
Step 1: Buy a laptop.
Step 2: Buy a floppy disk
Step 3: Do all your encryping on laptop
Step 4: Ensure you never connect laptop to internet
Step 5: Use the floppy to transfer disk to encrypted data to internet computer.
Step 6: Send encrypted data
No doubt that saavier criminals are already taking such precautions.
---Technology will liberate us if it doesn't enslave us first.
But, there's one solution to the problem.
Another would be hella encryption on downloads with some new kind of checksumming procedure.
I dunno... Just throwing ideas out here, people.
I think if FBI had to deal with microsoft to request them NOT FIX or CREATE security holes, then why not just tell them to include it in the next service pack? It isn't something really new, as there have been rumours of Microsoft installing backdoors on users' machines anyway.
Don't quote me on this.
Why were they honest about it now? Simple: this is the best political climate the FBI could have asked for to reveal something like this.
:grin:
Surveys show that most people, given the 9-11 attacks, are more than willing to trade freedom for security.
"A recent ABC/Post survey found two out of three people expressing willingness to surrender 'some of the liberties we have in this country to crack down on terrorism.' Cole attributes this not only to a heightened concern for safety, but to the fact that the majority are not generally affected--that is, it's not their relatives being detained and questioned." (Taking Liberties: Fear and the Constitution)
"At times like this, a democracy must balance its need to protect itself with the freedoms that define it. Last week's terrorist attacks have raised the debate pitting homeland defense against civil liberties to a level not seen since World War II." (For now, security trumps liberties)
"From the very first surveys after the World Trade Center and Pentagon attacks, most Americans told pollsters that the country would have to give up some rights to fight terrorism (79 percent in a CBS/New York Times poll in September). A Gallup survey conducted Nov. 26-27 found six in 10 Americans who said the Bush administration has been 'about right' in its limits on civil liberties, as opposed to 10 percent who said the administration had gone too far and 26 percent who think it hasn't gone far enough." (Public Supports Domestic Crackdown on Terror)
After all, if you're innocent, what do you have to worry about anyway?
Why do you need defense against "Magic Lantern" if you're not doing anything illegal?
I don't know if this is a Troll or not, but I'll bite.
This is NOT a valid argument. First off, think about what you said for a minute. It may come as a huge shock to you, but people who are not guilty are and have been arrested. And that won't be changing any time soon. Plain & simple, there is nothing written anywhere that says this will ONLY be used on criminals. All it would take is one person having a suspicion about you, and presto, they are trying to keylog your system. If you want to just let the FBI into your computer and allow them to monitor you, go right ahead, but I most certainly do not.
I could go on, but I won't. All I'm going to say is that this is a stepping stone, and if we don't try to resist it now, we may not have the option to do so in the future.
Didn't M$ get caught with a special backdoor in NT where it included an 'NSAKey' in the registry? I don't recall its denials being particularly persuasive, but M$ is still with us...
I hope they don't repeal the 18th amendment!!!
... ever think of that?)
(My point being - perhaps it is time the law changed
You have a right to defend yourself against ILLEGAL searches, be it in your home, your car, or your computer system.
The problem is that we have a government that is becoming increasingly oppresive. All three branches of our government are basically for sale to the highest bidder. We have lawmakers and people in positions of power who don't really care about the Constitution.
The government has locked people away for nothing more than expressing opinions in the past. I don't want the FBI knocking down my door because they read an email I wrote saying that I disagree with John Ashcroft's latest violations of the Constitution.
"You spoony bard!" -Tellah
I just took my own nipples off with a belt sander. Ouch...
I like to rape them. With my huge wad.
"If MS intentionally and with clear thought..."
Footnote: in one of the proposed remedies against MS for its abuse of monopoly power, there was talk of opening the source for a bunch of their stuff... except for things that the government would choose to explicitly not allow open-sourcing.
One can readily see that as meaning the government gets to keep its backdoors and keyloggers and suchlike from prying eyes.
--
Don't like it? Respond with words, not karma.
First of all, anyone who defends "Magic Lantern" by claiming they have nothing to hide is kidding themselves. We all have something to hide. Our pirated software, our porn stash, our unpaid speeding tickets. Most people nowadays let their lives flow through their keyboard, so why not just install cameras in everyone's house? Because you wouldn't get nearly the same level of information.
Keylog yourself for a week and look at the results afterwards. If you take five people, four of them will have something to hide, and fifth one will next week.
This is a blatent violation of privacy and completely disgusts me. Next time you want to raid my life, get a fucking warrant.
I wish more people would actually read Huxley's "Brave New World" before applying that phrase everytime government gets a little out of control.
Seriously, "Magic Lantern" and all the other privacy-invasive technologies used to snoop on private citizens are still a far cry away from the world of "Brave New World." After all, we still possess enough of our wits to question whether these steps are necessary, legal, and ethical. The folks in "Brave New World" didn't even go that far.
We are much closer to Orwell's "1984" then we are to "Brave New World." And I'm not sure which is the more frightening.
In 1984, the government had to force people to behave using the classic methods of tyranny. In Brave New World, the citizens were kept so damn happy that they would never question that the government didn't have their best interest in mind, regardless of what it did.
Remember: in 1984, our protagonist was someone from withen the society who began to realize what a living hell he was in and began to try to do something to better his condition. In brave new world, our protagonist was someone how came from outside of the society, having been raised on a "reservation". It was only because of this distance from the reality of the "Brave New World" society that he was able to see how awful it truly was.
Publicly available debug symbols for Windows revealed that there is a constant in the code called NSAKey.
There's plenty of speculation about this.
Mmmmmmm
What part of "M O N O P O L Y" don't you understand?
You may just as well say that the past tendency of telecoms -be they the regional monopolies or AT&T, the mothership of them all- to give the FBI and others transparent access to your phone records and voice communications has made US. customers unwilling to do business with Verizon, PacBell, et al.
If they've heard of NSAkey or half of the holes MS software is festooned with, screensavers that BO your NT servers, desktops that can be made to execute arbitrary code through freaking CLIP ART files, and they STILL use Macrosieve products in sensitive areas then they must feel they have no choice in the matter for some reason, eh?
This is pretty interesting. Here we have the extreme open-source zealots who proclaim 'information must be free', yet hold tight to their personal information. Fair enough, most of us might think, but surely you can see the slight contradiction.
Imagine we could all read each other's minds. Then all encryption would be useless. In such a world, you would have to accept that information is truly free, and can't be hidden. We would all be used to that, and would not complain. IMH impression Magic Lantern is a vague attempt at such a society, but it is not a fair system because not all communication, and not everyone's, is monitored equally.
Escher was the first MC and Giger invented the HR department.
"We have a new software that does not exist yet but will give us the ability to infect a computer remotely"
With a remotely installed spy app they could remotely uninstall it. AKA no search warrant needed to get it on there in the first place because they can remove it any time they want causing a gapping hole in the 4th amendment (remember the Bill of Rights?). The other thing is how do they get this installed on a Linux system? The same binaries that work on win32 systems will not work natively on nix systems. Does this mean it could be the first Trojan to work across multiple OS's?
Ascii artist &
Why do you need defense against "Magic Lantern" if you're not doing anything illegal? That's like telling a cop that you refuse to give him access to your home to search it without a warrent.
Yeah, it's pretty much exactly the same. That's why I would do both those things. Cops will often try to bluster their way into your home because they don't have enough evidence to get a warrant, and they know it, but they hope you don't. In that case, telling them to shove off means quite a bit less hassle for you.
That's aside from all that Constitutional-rights stuff.
"It's FBI in your home, but then again, its better than terrorists in your mall."
Those who don't learn from history are bound to repeat it. Read up on the Reichstag. An evil man with a fondness for jackboots and genocide convinced people like you to think the way you're thinking. Inevitably, it all ends in tears.
--
Don't like it? Respond with words, not karma.
Distributions should reject packages that aren't signed with a trusted key by default. And make the user specify the --really-install-an-untrusted-package flag in order for the package manager to accept it.
df
I have no problem whatsoever of the FBI's using something like this, as long as it fits within the realms of how they already do investigations.
my fear is what if the FBI comes up empty after trying magic lantern against a target?
iow - install it, then fail to find or obtain what they're looking for. Will the warrants require removal of the lantern after a certain amount of time?
And what about repeated failures? Get into the computer, not find anything, back off, get another warrent, try again, still nothing. Would there be limits on how many attempts there are? Or a limit to the the number of searches within a given timeframe?
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
>I'm not one for violating our freedoms however
The word "however" doesn't belong in a sentence like that.
>something like this may help in scaring would be virus creators, hackers
>and others problematic computer uses
Since when is scaring people a valid function of our government? I thought striking up fear was a tactic of the "evil doers," not the good guys. Maybe you meant deter instead of scare. Like the death penalty prevents murder from happening. Like tickets keep people from speeding. Like the threat of a suspended license scares drunks out of driving. Yeah, deterrence really seems to work well...
>If it will help eliminate problems like that I'm all for it, even if
>my overall freedoms are curbed a little.
Statements like this make me afraid. Very afraid.
Randomly executing 1 in 100 Americans would help eliminate problems like the ones you mention; if you kill enough people, you're bound to hit a script kiddie eventually. Would you mind the risk of being the poor bastard out of 100?
Civil Disobedience has been the only real power The People hold. If the ability to do this is prevented it will be a great tragedy for America, and the begining of the end of the current Government. This is the _real_ need for Privacy, so you can do things which may not be wrong, but are illegal under current legislation. Illegal has no moral or ethical stance, it is an artificial creation.
What does this currently threaten? It is only through this avenue that I believe IP/Patent laws can or ever will be reformed. I certainly hope they do, so I don't have to explain to my grandchildren why knowledge and human creation built for thousands of years, their Birthright, the first creation of man that had no scarcity, enough for anyone willing to see, was caged and locked away only to be available to the richest, or at worst lost forever.
This is a direct attack to the defenses the people have against their rulers.
"I don't know that atheists should be considered citizens, nor should they be considered patriots." George HW Bush
Why would some guy at the FBI want to DO this?
/., or b) watching porn videos.
How many geeks would it take them to monitor before they catalog a pattern: Either a) posting to
It just seems like a ridiculous counterpoint to say that "The FBI could watch you, any time they wanted!". Why would they WANT to watch you? Unless you were doing thing blantantly illegal, there isn't going to be some Massive FBI server that sorts through all the keystrokes of every windows98 user to find illegal, "hax0r" activity.
Yeesh.
most AV tools monitor program execution for anomolis behavior by unknown virii. would magic lantern be able to avoid being detected by that?
also, what about personal firewall programs? I use Tiny Software's PF (yes, under Windows, sad isnt it) that checks the md5 of an executable before granting internet access. on top of that, it can allow you to block certain apps from making/accepting connections from various sites. for example I have it set to not allow Mozilla access to doubleclick and some other ad servers.
Here, two things exist: the lantern has to find a way around the md5 and also find a way around asking the user "PGP wants to connect to [fbi-ip-address], allow it? (y/n)" Getting through one or the other might prove difficult.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
And in 1968, the Hugues Glomar Explorer was looking for nodules on the pacific floor ...
Seriously though, how plausible do you think the following scenario is :
McAfee receptionist : Hello gentlemen, how can I direct you ?
Men in black : [showing their IDs] We work for the department of Homeland security. We need to speak to the CEO at once. You also are not to mention our visit to anyone by measure of national security.
MR : [picking up the phone] Mr. Sampath, important visitors for you.
Srivats Sampath : What can I do for you folks ?
MIB : Your company is under strict orders from the FBI and the department of Homeland security to provide appropriate backdoors in the software it produces. These backdoors are confidential-defense and must be revealed to the following persons only : [list of persons]. Any of you or your employees who have knowledge of these backdoors who reveals the existence of the backdoors will be detained and judged by a military court. Any question ?
SS : [going into brown alert] Yes yes Mister, anything you say. Have a good day Sir.
SS : [later, talking to the PR guy] John, write the following press annoucement and send it immediately to PRNewsWire : McAfee will NOT NEVER EVER UNDER ANY CIRCUMSTANCES NOT ON YOUR LIFE install any backdoor ever in our software. Never ever. Promise.
You think I'm paranoid ? Heck yes I am. The above is a bad fiction, and if nothing else, it certainly shows that I have no knowledge of who does what in the government, but my point is : none of these anti-viruses are open-source, how the hell are we supposed to know they're saying the truth ? especially nowaday, can you really trust anybody even remotely involved in computer security to tell you the truth ? Well, I'm taking the easy way out of that dilemma and I'm sticking to "alternative operating systems" that don't require proprietary anti-virus softwares in the first place, and that are known not to contain backdoors as long as the user administers the box properly.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
What's wrong with adding apostrophe's to all the word's that end in s's?
You Linux guy's suck.
MOD me up, too, for I know how comma's work.
Leucian "Not a troll" J.
spankmehoff@hotmail.com
Magic Lantern is not spread by software or over the internet. They get a warrant to do one of their black bag jobs, and they just go in and put it on your machine. It steals your passwords so that the wiretaps can decrypt your messages. The alternative for the FBI would be to do a black bag job and go in and place a camera that would watch your keystrokes and steal your passwords that way. Thus, Magic Lantern is much less intrusive, since it does not see everything that a camera would see. And the National Guard hasn't militarized the US-Canadian border; they are merely 'expediting' border crossings.
Why this isn't a Good Thing (TM):
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
--Benjamin Franklin
"A society that will trade a little liberty for a little order will lose both, and deserve neither."
--Thomas Jefferson
Like Alex Jones says, freedom isn't free. You can lay down and be made a slave for free, but freedom has a price. That price is eternal vigilance. Don't ever surrender the Bill of Rights, your crypto, your privacy, or your firearms!
Is it green? Can I fight evil with it?
In brightest day, in blackest night, no evil shall escape my sight,
let those that worship evil's might, beware my power --Green Lantern's light.
How about programming a "hardware abstraction layer" that would interact between the input and the system and the output.
The layer would only allow input to be passed to a specified program, and output would be passed only from that program - encryption would also be used between the input / system / output.
Sort of like an encrypted remote login, except that it would take place within / on the same machine, sorta a basterdized winnt.
It would be a shitload of programming methinks (i.e. a new shell, re-written (or heavily modified) programs) I dunno, I could be full of shit. However, if you would only be using the prog for the encryption of files / sensitive data . . . possibly send output to another device instead of thru the vid card..
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
Magic Lanterns are neat. They power up these kickass green rings which can kill terrorists with gigantic green hand tools. I feel a lot safer knowing our government has them.
The FBI has found the Magic Lantern. High level meetings are taking place, in which it will be decided who gets to rub the lamp and who exactly will get the three wishes.
This virus'll probably die out FAST. Programmers will probably download the virus, never run it, decompile it, steal the signature, and make an even more dangerous virus then it was previously. Like, say, instead of a keylogger make it wipe out CMOS like Chernobyl does. I honestly think that the FBI is making a big mistake by doing this, because they'll be flooded with useless data. Besides, are hackers REALLY stupid enough to check their email, and download programs that they don't even know who it's from? They're gonna get the stupid people, not the hackers..
(Flippant answer: "Look, it's the Fourth Amendment we're getting rid of, not the First! Get yer Amendments straight, duuuh!" ;-)
But I think that deserves a serious answer, and since it's the Constitution you're so worried about, I'll have at it.
Ashcroft's actions are highly constitutional. He's fulfilling his obligations as part of the Executive Branch as specified in the Constitution, namely to use the powers granted to him by Congress to fulfil his mandate. Once something gets passed by the Legislative branch, it's law, and the Executive is obliged to work within the (ever-shifting confines of the) law until the Judicial branch (after due prodding) says it did otherwise.
So if you have a beef with the changes going on lately, it's with your Congresscritters for passing bad law.
But please, if you're gonna go Constitutional on us, don't trash the Executive for doing what the Constitution says it has to do -- namely doing the things your representatives in the Legislature told it to!
There's a homily about how, when everyone is a lawbreaker, government has total control over everyone -- there will always be a pretext for detaining any person.
As another poster mentioned, it is quite likely that none of us would like to have all of our keystrokes made public -- some of our innermost thoughts go right through our keyboards, and Magic Lantern wouls apparently make no distinction between keystrokes that you intend to publish on the web, and those intended to stay private (financial info, personal letters, diaries, medical correspondence). If you think this sort of tapping would only occur under warrant, you aren't following the latest news.
Since 9/11, we already see our government detaining people for more extended periods of time even when the detaineee has not been accused of a crime, refusing to share the evidence against those detained, and the Dept of Justice is even, per AG Ashcroft, allowed to monitor conversations between people in custody and their lawyers. That last one applies to everyone, and is not limited to suspected illegal immigrants.
This is the top of a very slippery slope. If we give away rights to privacy in our homes and with our legal counsel, we will never get these rights back.
"A man who gives up some of his liberty for a little temporary safety deserves neither liberty nor safety." - Benjamin Franklin
"Whether or not legislation is truly moral is often a question of who has the power to define morality." -- Jerome Skolnick
Three reasons:
The problem here is that appeals to common sense (which I feel all of these are, feel free to attack that if you think you can support it) won't work with a corrupt, bureaucratic system like the US government. (That last bit is an opinion, not a statement of truth, so let's not get in an argument over it, shall we?)
Do you have a
Warning - Slightly off-topic
Since so many people are against things that impose upon the Bill of Rights, I was wondering how many people donate money to the ACLU? The groups main purpose is to defend our freedoms. So it would seem that one way to help fight the problem is to donate!
It seems to me that keeping Magic Lantern from working should be fairly easy for any terrorist who knows that much about it. He could have the computer that he writes and encrypts whatever it is he wants to send out disconnected from any network. Once the (let's say) email is written and encrypted he puts it on a disk goes over to another computer hooked up to the web and sends it off. Terrorist number two recieves it on one computer, puts it on a disk, loads it onto a disconnected computer, and decyphers the message using his key for the encryption scheme they used. This way, no computer that has the encryption on it (and thus the keystrokes) is hooked up to the internet and so can't get magic lantern. And if it somehow was infected, magic lantern would have no way of sending the info back to the FBI. Am I wrong? Shouldn't this work?
"A witty saying proves nothing." - Voltaire
No, I can't see that at all. 'Information wants to be free' has nothing at all to do with big brother intrusions. There is no contradiction between saying the information that constitutes a program should be free while personal, private information should not. Here's my equally silly argument: if you think that people should be able to peacefully assemble in public places, you're a hypocrite if you think that people shouldn't be able to peacefully assemble in your bedroom any time they want.
Some of the absurd conclusions that /.ers routinely come to lead me to question whether we're all as naive as we always seem to accuse joe sixpack of being... but wtf do i know?
"That's like telling a cop that you refuse to give him access to your home to search it without a warrent. All you're doing is causing a bigger hassle for yourself."
You are under the misguided beleifs that:
1. Only guilty people exercise their right to privacy
2. Only guilty poeple have items seized as evidence upon a voluntary search.
Lets say for example, the FBI knocks on your door saying they suspect someone has been sending death threats to the president from your computer. They are mistaken. They want in to "look around" and walk out with your computer. Good luck getting it back, cause it will be in a "evidence" vault till you die, regardless of innocence or charges being sought. They could do that with ANY item in your house that MIGHT be tied to the crime and odds are you won't get it back, ever.
Reminds me of a county n Texas, all traffic violators were searched and anything that the searchers thought was "drug related" was seized. Well, a buisness man was speeding though said county, pulled over and lost 10-15K (I don't remember the exact figure) in cash he was taking to his son as a loan, all of which he could prove was legally earned. He ended up sueing, and getting little more than half of it back.
So, my legal advice to you (IANAL-Lawyer) is to NEVER ever for any reason let any cop search any of your property, unless they have a court approved warrent.
Burn Hollywood Burn
Yeah right. The classic easy answer of someone that get nothing better to argue. In a matter of fact I'm not english native. I suppose it make me less intelligent ?
One word: J. Edgar Hoover.
If it was that inportent for the me to keep the FBI (or anyone else) out of my data... the machine with PGP woulden't be the one on the network...sneaker net a cd of the encrypted data. To a box (or singel disk distro) decrypt there.. write a reply there.. sneaker net it back to the box on the net.. you get the picture.
Wasn't there a project going to create a bootable Linux-on-CD OS? Actually run from the CD and a ramdisk created on boot? Having trouble tracking it down, though.
>In a matter of fact I'm not english native. I suppose it make me less intelligent?
No, but when you know you may have problems with a language it would show intelligence if you would spell check your submissions.
Once again the old adage proves true. If we fund fundamentalist, paramilitary, or resistance groups in far-off countries, they're "freedom fighters." If someone else funds them, they're "terrorists."
If someone puts a trojan or virus on your machine to spy on you, it's "cyberterrorism."
If the government puts a trojan or virus on your machine to spy on you, it's "domestic security."
Why do you need defense against "Magic Lantern" if you're not doing anything illegal? That's like telling a cop that you refuse to give him access to your home to search it without a warrent.
You're damn right I'd refuse access. If all he's going to give me is his word that the search is for a lawful purpose, all he's going to get is my word that I'm not doing anything wrong.
Honestly, think of what your statement implies: that nobody deserves privacy because law-abiding citizens have nothing to hide. The next step is "Why do you need encryption if you're not talking about anything illegal?" And then perhaps "Why do you need blinds in your windows if you're not doing anything illegal?" We may as well put everyone under video surveillance -- after all, if they aren't doing anything illegal, they have nothing to hide. Right?
Come on. You'd allow the government to break into your computer (or the computers at your place of work, your school, your bank...) just to make sure you're being good? Grow some balls.
My only concern is that this whole thing is going to end up in the wrong place once the scares are over
It won't end up in the wrong place when the scares are over -- it'll end up in the wrong place immediately.
Visual IRC: Fast. Powerful. Free.
"Always trust code signed by Microsoft" trusts the certificate, not the name on the certificate. Users are actually safer if they check this box, because if they always trust the authentic MS certificate, their system will only prompt them for confirmation when a bogus "MS" certificate is offered, not when they see code signed by the cert they accepted. So if they ever see the prompt again, they will know somebody is up to no good.
Ever heard of a 'false dilemma'?
Does ESR have the time to do this?? it seems like a daunting task.
How 'bout adding a layer of security to apt, so that it authorizes the server it is connecting to, with SSH or something? and/or adding a "secure" preference that won't install packages through apt/rpm that aren't signed... at least this way the user can automatically deny unsigned packages if he chooses.
Send all your mail (and I mean all: cheques, kiss-ass late notice replies, love letters, porn orders, everything) in clear ziploc sandwich baggies for a while (at least 3 or 4 months).
If, after all that, you come back and say "It made no difference. I had nothing to hide" then I'll believe you. No cheating by self-censorship allowed.
'Till then I bet you're just like everyone else -- you have at least one skeleton in the closet.
Remember, the FBI are people too. What interests the mailman that's in those baggies interests an FBI agent just as much. The only difference is that the mailman is under special orders not to read your mail.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
First off, this shows how much we need to have some kind of open registry of certificates. I mean, does anyone really trust Verisign, especially now that they own NSI? I mean, talk about people willing to give up credibility in order to pursue monopoly.
Also, is there not a way in which we can set up some kind of distance authenticity verification? Or routing verification?
What if there was a service set up that allowed us to send out a request through an alternate random routing (for which we got back and traceroute list to verify) and set a codekey on the machine, and then when we connected to the machine, it would only connect if it had the codekey. Even if they spoofed the network connections and routing, then we wouldn't be able to connect, since we'd know that there was no codekey there. Granted, doesn't solve the problem, but it quickly says to me, time to get a new ISP who doesn't let the Feds run the whole deal.
The power of accurate observation is commonly called cynicism by those who have not got it. - G.B. Shaw
might the FBI have secretly persuaded Microsoft, etc. to NOT FIX, or maybe even CREATE security holes???
Nah, it's easier to say something like "We'll deal with those icky monopoly charges if you just add this to your code..."
After all, who knows what's in there...
Feel the fear and do it anyway.
Do not fear what they tell you they are doing. Fear what you are not being told.
Does anyone really think that Magic lantern, or carnivore, or any other media whore flavor of the week is a truely serious concern? Yes, there are possibilities for backdoors to fall "into the wrong hands" But just what do *you* stand to lose? A piece of your freedom? yeah, that is a legitimate concern, however, was that a freedom you really had?
Anyone who has had to deal with law enforcement with a computer-related incident loves nothing more than to howl about how woefully out of touch those in authority are. Then, when said groups make attempts at learning, the same folks go on half cocked screaming orwellian brave new world like lemmings.
the one argument that keeps coming up is "if you have nothing to hide why are you concerned?" Well, if you have nothing to hide, odds are you'll never have to deal with software like this in the first place. they still need a warrent, they still need a reason to target you. There's a reason search warrents aren't mentioned in 1984.....
Is there a signifcant risk to freedom at stake with recent legislation? There could be. Is there a dedicated group of individuals that want to run around screaming "brown-shirted nazi jackboot black helicopter Orwellian thought crime brave new thugs!" at the first mention of the FBI? Yeah. Any government agency concerned with the safety of the populace is going to end up on the wrong end of popular opinion anyway.......
There are some people that if they don't know, you can't tell 'em.
Maybe I enjoy surfing porno websites. Maybe I work for a Fortune 100 company and have trade secrets on my computer. Maybe I'm secretly gay and that fact could be gleaned from my online habits. Or, hell, maybe I run the world's biggest cocaine trafficking ring over the internet. (Obligatory disclaimer, all of these situations are bogus.) It doesn't matter what I'm doing; without a warrant, the government has no more of a right to come in my house or my computer than a bum off the street.
The problem I see with Magic Lantern, vis a vis conventional searches, is that the potential for abuse is far too great. When the FBI raids a house, it's rather obvious. Maybe the person is at home, or the neighbors see it going down, etc. Makes it pretty difficult for them to just bust in any old house they want, without a warrant; and makes it pretty embarassing if they happen to screw up and raid the wrong house. This is (at least in my mind) a fairly good check and balance to ensure that the FBI isn't raiding houses on a whim.
What happens, though, if they bungle and put Magic Lantern on the wrong person's computer? It's a valid threat; if fucking bomb coordinates can be transposed, so can a suspect's IP address. What if Magic Lantern winds up on your computer or mine, even though we aren't doing anything illegal? There are no neighbors to see it happening, there is no embarassing story on CNN about the snafu, but before I know it, those corporate trade secrets on my computer are now in the government's hands. (IIRC, it was objection to exactly this type of risk that got France in a mess when they banned encryption.)If there are terrorists at the mall, I at least have the choice to stay home and avoid them.
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
/me unplugs cable modem and cowers in the corner in fear.
Linux: The world's best text-adventure game.
The one thing I take heavy issue with is the anti-virus companies decision to have the product that I paid to make sure unauthorized programs not run on my computer are letting this one in. To be honest, do I really need antivirus programs with all that I know now?
/. should do the same.
I have a bbiagent.net router that I routinely check on. Several times my friends have brought over M$ machines infected with viruses, I would see them trying to connect to the router on goofy ports, then look up what viruses use that port and take the right action.
What would be really nice is if the EFF or some similar organazation makes a blacklist of products infected with this crap. I don't think it would be too hard to detect, lots of smart people out of work with time on their hands now. More of us than the FBI, yeah coppers good luck!
I would not buy a product nor subscibe to a service that allows access unauthorized by me. The rest of
They took the first step, getting the virus catching companies to agree not to detect it.
The next requirement is to get Microsoft to agree NEVER to fix their security holes. Additionally they must agree never to release the source so someone else can develop a patch to fix the problem. Twist their arm even harder to get them to agree.
Then they have to get the snoopees never to use linux. While linux as the OS of choice of terrorists would academically increase usage, their testimonials would be unlikely and undesired. "Without linux we could never have blown up _____."
When MS includes Digital Rights Management in their operating system the RIAA will certainly try to sue linux out of existance and the Gov will support their lawsuits. "Protect the country from terrorism (and our copyrights) by banning linux."
While encryption is great, if the bad/good guys can recover my private key because it's sitting on my filesystem what good is it? What alternatives/solutions are out there for private key storage or are we all going to have to purchase biometric devices?
Just store your important information on a computer that is not connected to the internet. Unless Magic Lantern actually posses some magical abilities, it wont be able to keylog jack shit on the unconnected computer.
One solution is as follows... make a clear, concise statement that companies will refuse to run virus scanning software at all as long as the FBI's "virus" is allowed to roam free and unchecked.
Then, watch as Melissa hits again and devistates the economy. Seem radical? Yes. But frankly, there comes a time when drastic steps need to be taken. Just think about how long it would take, in such a scenario, for the FBI to force the antivirus makers to update their software to clean things out... Short-sighted lawmakers may take away a citizen's freedom, but we still have the power to control what does and what doesn't happen in our government (well, with regard to the FBI).
Maybe an open source anti-virus tool for Windows is a better idea... as long as the FBI's targets are protected the software will be useless.
Being board I've tried to click on all the news links provided in your story.
Unfortunatly I can't find anything - in every browser [IE, Mozilla and Netscape] I get a "host not found" error...
... weird.
But at least now when I say that they [Big Brother] are watching us I have proof and people won't say I'm crazy.
Get your Unix fortune now!
Magic Lantern is nothing new.
It's the networked computer-version of a phone wiretap.
In both cases, permission to use either information-collecting method has to be authorized first by a court-order. From the article [news.excite.com]:
When asked if Magic Lantern would require a court order for the FBI to use it, as existing keystroke logger technology does, Bresson said: "Like all technology projects or tools deployed by the FBI it would be used pursuant to the appropriate legal process."
...which is legalspeak for "Yeah, as long as wiretaps require court orders, so does Magic Lantern."
I can't believe the number of posts comparing the introduction of Magic Lantern to a civil liberties meltdown getting +1 Insightfuls. They're about as insightful as the patriotic idiots who'd allow government agencies unchecked freedom to invade private citizens' lives in the name of antiterrorism.
The citizens of the US have a responsibility to watch over the actions of its government, to serve as a check against the growth of abuse of power. Melodramatic statements like "Welcome to a Brave New World!" and knee-jerk antigovernment statements like "Trust the FBI to abuse this the minute they get it" merely serve to marginalize and decrease the credibility of those that speak out against government agencies becoming too unfettered.
Am I afraid that Magic Lantern may someday be abused? Well, yeah, but I'm a lot more frightened by the potential abuse of "old-fashioned" things like the aforementioned wiretaps and unwarranted searches and seizures than I am of the FBI emailing me an easily detectable and easily deletable script or executable virus. Magic Lantern doesn't strike me as a shadowy menace so much as the amateurish nature of a government agency still in the first steps of dealing with a wired world.
The key to preventing abuse by the FBI and other agencies is not by depriving it of tools to work with, such as wiretaps or Magic Lantern, but to ensure that adequate oversight exists and continues to do so in the future. Spending time and energy protecting and advocating the transparency and accountability of the FBI is infinitely more effective, and more likely to work, than seeking to deprive the FBI of intelligence-gathering tools to work with.
Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
While that post was sarcastic, it brings up another question: do you trust your compiler? A person could download perfectly good code that is free of trojans, but the compiler could be slipping in backdoors into the binary...
All editorial writers ever do is come down from the hill after the battle is over and shoot the wounded.
Idiots! Its *NOT* the FBI! Its Executive branch and the Legislative branches of government as well.
In 1999 and 2000 The US goverment created some brand new covert departments to explicitely write keyboard loggers and forensic tools. These departments are also charged with writing computer snooping tools in general for spying on US citizens.
For deniability and for control, the departments were not created under the umbrella of the CIA, the NSA nor even the NRO.
The Executive branch of government created one small software writing department controlled by the president and his cronies and secret service.
The Judicial branch created one not affiliated with the FBI strongly, but perhaps so.
Each has miniscule budgets for employees and staffing of about 16 million bucks a year.... totally negligible compared to the billions the NRO consumes tapping space-borne telephone calls.
But these small departments make tools to intercept PGP passphrases for black-bag no-knock warrentless searches, and other naughty tools that emit bursts of modulated energy by tickling RAM on motherboard of uncached data lines to enhance greatly the Tempest emmisions.
This modulated energy is usually burst and spread just after an ATA-IDE disk access so that it is less detectable by studying relationships between typing and monitoring using FM bugsweep tools.
The data from these tools can then be seen outside the system and can contain all sorts of goodies, emails, passphrases, even one-bit compressed images of screen updated areas.
Anyway, its not bullshit. Just search the nets older press releases and read cryptome.org more often.
and for goodness sake, only use a laptop for your pgp mail and always store all data in a pgpdisk volume and use a hack to click-enter your passphrase from a tablet of fuzzy edged glyphs randomly plotted, instead of the usb and adb tappable HID devices such as modern keyboards.
I am all certain you know all about the hardware keyboard loggers.
life sucks
More practically, it's a very bad design practice to only sabotage something a small ammount. You never really know how badly you've sabotaged it. If you want it to work, design it to work as well as possible. If you want it to fail, make sure there aare more bugs than lines of code. In the middle ground lies chaos. There are always more cases than you thought of. Read about the Therac-25 sometime. Nobody is always as smart as they think they are. It's a fact of life. They can't make their virus checkers only ignore Magic Lantern without explicitly puting in a definition for magic lantern and then telling it to lie to the user. This is dumb, as anyone can then extract Magic Lantern's definition. Any other solution will allow something very similar to Magic lantern to go undetected. It isn't even necessarily a case of just not including a definition. The future of virus/trojan/worm detection is observing malicious patterns. Magic Lantern can't behave that much differently than other malicious code, so future detectors will have to be specifically written to ignore Magic Lantern.
Unfortunately, it only takes a hex editor to change the IP address or DNS name to "phone home", or whatever. Black hats will have coppies of this grabbed by packet sniffers, just hopefully it will be discarded for not having the string "password" in plain text. There's enough sniffing going on, particularly near systems that have been used for illegal purposes. "Oh, I guess his box was cracked, it was some guy in Elbonia remotely comiting the crimes after all. Oh? Packet sniffer installed? Oh well, I guess the Elbonian mafia has Magic Latern too."
Even if there was more sophisticated protection, the reward of an undetectable trojan means that a lot of people will be investing lots of time in acquiring and cracking this thing. You think Sadam or Al Qaeda won't have any uses for an undetectable trojan? Hopefully the FBI starts adding Magic Latern to its own virus definitions, otherwise this thing could backfire. "What do you mean? We're the ones sending out Magic Latern you idiot, it's being stored on some of our machines. What do you mean it's RUNNING on ALL of our machines? Hmm... so you mean to tell me that the illegal Elbonian imiigrants modified it and sent it back? Okay.. note to self... all further notes on the Elbonian connection must not be typed into a computer or mentioned over IP telephones. Hey, can you have 500 reams of loose-leaf lined paper sent over ASAP?"
I've always wondered how well reviewed small government-only software programs are. Will the zip-of-death lock up Carnivore? What about FBI agents that try to open a captured copy of the zip-of-death. HD space exhaustion probably is not a pretty thing to whitness.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
If you have that much faith in firewalls, good luck with the next Microsoft worm du jour. Between MSN and Microsoft Update there have got to be plenty of holes not yet "discovered". For the conspiracy minded, consider why DOJ is trying to be so nice to Microsoft. Considering that Microsoft if living with Code Red and Nimda, something minor like helping out our war effort should be easy, very easy to spin.
Why hasn't anyone thought of this before?..
Its a bit insane but think about it..
This would ideally be applied to jxtra (www.jxta.org) - suns peer to peer protcal layor (different things can be put ontop, like a web browser, a IM message,file sharing, etc).
Have the a key/checksum on the file itself. Then to authenticate, connect to the p2p network. Each host would have their own UNIQUE key. The longer a machine is up the more trust. Nearby machines get the key as well.
So, to authenticate the program goes and finds a bunch of random machines, asks what their keys are and what the key is for the package file. Then, you check the machines keys with other machines to make sure they can be "trusted". This would be a cross between the gpg signing "web" and p2p networking.
So the machines that have been on longer can be trusted more. This is to prevent a machine at the isp to generate new keys on the spot (or use the same one over and over again). It would have to be around for a resonable amount of time (24 hours?).
So each time you check package x, at random a series of "hosts" are asked what their checksums are for package x. For the paranoid, could add some route/different isp checking as well. Let say it asks 20 machines. If all match, then odds are pretty good its correct. Also, each host's key would have to be unique and "trusted". Then you can go out onto 100's (even more?) of hosts to check.
True, (in theory) it would be possiable to fiter for those specific requests, generate a seperate key for a bunch of ip's RANDOMLY and have them authenticate with each other, but that would be quite difficult. In order to do that, they would essentially have your connection severed from the net, with no direct path and on a "virtual" network, in which case your screwed anyway.
It isn't the most efficent way, but probably about as secure as you could get. Well, without being the govenment itself ^_^.
I wonder what impact will that Magic Lantern thing have on the USA international relations? Good or bad, your FBI may do what it pleases at home but I don't want any foreign spyware on my computer here!!!
Also, even if such use is authorized by the US government, does FBI has the right to spy on foreigners outside the USA? I thought CIA exists for that purpose :-)
And why is the corporation, err, government, keeping what they are doing secret? If they aren't procecuting the wrong folks, then there isn't much of a need for them to avoid telling everyone who they are tapping, is there?
If companies weren't doing something wrong, like Enron, they shouldn't be allowed NDA's and "trade secrets," should they?
It isn't hard to read. It is available online for free reading. Have a look. I took the time out to read it - and now I know what the parent to this post is on about.
In both cases:
Writing letters to your representatives and starting petitions about strengthening the oversight mechanisms over the FBI makes a lot more sense, just like the FBI using other methods to gather intelligence on criminals makes more sense than banning strong encryption.
Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
This post will probably never be seen since I'm a latecomer to the conversation, but I knew a fellow a few years back that would never be affected by a keylogger. His method would work for bypassing any keylogger, but would probably be most useful to touch-typists as a way to not use the keyboard for entering passwords.
He claimed he was a terrible typist. I couldn't tell though, because he didn't touch the keyboard. He would literally copy and paste every character he entered. While this would be tedious for all typing, it strikes me that would be a good way to enter passwords if you're concerned about a keylogger.
That generally wouldn't work for whole-system logins, but it would work for encrypted files and other "lesser" logins. Copy a letter from this page, a letter from that, paste it in your password box, and I doubt seriously even a macro recorder could follow what you're doing.
And watch my OpenBSD box crunch, crunch away. Mmmm, nice box.
Magic Lantern in the source tree of an OS hosted in Canada? Homey don't think so.
The Savage is the one who hangs himself at the end of BNW, NOT Bernard Marx. This makes for a drastically different interpretation than the direction you are wandering toward. If your understanding of the story is reflected in your post, then I would hate to think what your grasp of other works of literature are.
First - I don't think this is going to be used to catch one 'terrorist'. Not saying that it's going to be a complete failure... but that they are more using this to go after those 'Drink or Die' types. [makes sense, we are getting ready for DRM right?]
... \\\
Second - Get out your history books and find the word communist. Scratch out all references, and put the word terrorist over it. Read that. That is what is going to start.
Everyone applauded Bush after the attacks on Afghanistan and we love it when he makes those jokes, but I don't think he's the right person to be in that position. Boundries will be overstepped. John Ashcroft... what a joke, should be be John Stalin.
Also, I think I may have this 'virus' because everytime I try to download something from alt.binaries.pictures.centerfolds.playboy my USB cable modem goes off. Something doesn't seem right here.
\
\
\
Get your Unix fortune now!
I am Australian. I use American antivirus software. There is no indication that Symantec or McAfee are going to protect their Australian consumers from the American government.
Most of this discussion has centred on the FBI invading domestic computers. I am more concerned, not personally, but ethically as a global citizen, with the CIA or another US body using this technique to invade my country's rights.
I have no recompense, short of diplomatic channels, or through whatever (uberexpensive) international anti-espionage laws , at stopping this.
Magic Lantern is a very blunt intelligence instrument. Right now (and the irony is NOT lost on me) all I have to be thankful for is that my sychophantic Prime Minister has been licking Dubwya's scrotum so much lately that Australians are probably far down the list of suitable intelligence targets.
"If you create user accounts, by default, they will have an account type of Administrator with no password." KB Q293834
.. since we all know that terrorists use Playstation2's for their trajectory calculations...
The question is, when will the FBI confirm the existence of the Green Lantern?
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
Ditch your Nortons and Mcafee rubbish and get yourself a decent virus scanner. www.kaspersky.com
Their page also has an article about it along with links to other news sources.
With all of that in mind, I decided to find out just how vulnerable I was. I set up a stock Debian 2.2r3 box... I went to the Debian box and typed 'apt-get update ; apt-get upgrade'. After a few routine prompts, none of which triggered security alerts, the box was rooted by my "custom" package.
Progeny Linux Systems wrote, tested, deployed, and submitted as patches to Debian, code to implement cryptographic package signatures. Some of the patches now exist in dpkg CVS, but Wichert Akkerman rejected others. Part of it had to do with a command that would prompt you (package maintainer) for your GPG passphrase and cache it so that it could be applied to each binary package (consider how tedious it would be to re-type the passphrase for each binary package in a package like XFree86, which has dozens; moreover, you're no *more* susceptible to a keystroke logger if the passphrase is cached). Anyway, this tool was written in C for security (locked memory pages), but Wichert wanted a version in Python instead, so he never accepted the code.
I never have quite figured that one out.
Anyway, since Progeny ceased development on its own distribution, not much work has been done on our signed package implementation. The code has already been publicly released; maybe it's time for people in the Debian community to take up the fight?
The specification, authored jointly by Ben Collins and John Goerzen, allows for multiple signatures per package. I wrote a policy administration tool called apt-checksigs that would let the user configure the strictness of signature checking on a per-repository basis.
Is anyone interested in this stuff?
Address-collecting spam robots don't know how to crack ROT13. Do you?
What whould happen if a company like intel will work with the FBI????
=rant= Want to fight back against this crap? I say e-mail everyone you know with something about killing the president or sending anthrax to the Pentagon. Hell, put it in your sig, and tell everyone you know to do the same. This is bullshit, and it won't prevent someone sending an assassination message in morse code, or even pig latin, for god's sake.
What will they do when someone smuggles a ceramic knife onto an airplane in their shoe? Strip search everyone and X-Ray their clothes? Idle bitching on the 'net is all well and good, but take some bloody action. I'm a college student, and I see people protesting things all the time. Does it ever do anything? No. We all like to sit around and talk to our friends who agree with us, but strap on some balls and take the offensive, and convince somebody who's not already on your side. =/rant=
This is Orwell not Huxley...
Negative, I am a meat popcicle.
you hear about the i-love-you, mellisa virus etc etc and the authors being arrested and so forth.. can i call the FBI to chase the FBI once this sucker is on the loose?
Actually the apostrophe in that situation defines ownership.......so no, you don't know how commas work FOOL!
Real interesting.
For whatever purpose (I don't believe it has a legal background) an American goverment agency codes a backdoor and Antivirus companies offically declare they won't detect that one.
I want to know if it has a legal background and also how it will affect whole Internet? E.g. when that trojan "accidentally" installs to a top non-usa goverments top secret machine?
I have been to http://www.avp.ru , they seem totally neutral for now even though you "feel" they try to mean "we will detect it, it is just another virus for us and we aren't a USA company"
I can't believe we don't see thousands of feedbacks on this issue... An offical trojan? Seems everyone forgot there are other countries exist on the Net rather than USA...
yeap, I seem confused and yes I am really confused!
I thought the story after the FBI story was more interesting.
Now, that's what I call carnivore!
Vaya con huevos, my darling.
Because everyone knows that some warez group will have it out soon after. All the 5cr|p7 ||dd|35 will be like "|-|311z `/34!! /\/0 m0r3 B.0."
This will leave a gaping hole in all AV setups I think. Makes me glad I'm running everything on FreeBSD here at home :-)
I think what he say's about this virus being developed is actually scarier than the actual virus itself. He said that everyone should give the government access to their computers, even if it means through a back door. Without warning.
I kind of expect this behavior from the government, but to have a computer virus expert condone this behavior is really frightening to my sense of freedom.
My only hope is that someone comes out with an antivirus protection against this thing as soon as it comes out. Something tells me that the government isn't going to look over linux computers like most virus designers.
--theKiyote
I think welcome to Oceania is a much better comment. A Brave New World has more to do with the government making people happy.
I think my principles are reachin' an all time low
The funny thing is, Congress didn't tell Janet "the Waco wacko" Reno to create and deploy Carnivore and to authorize development of Magic Lantern. And Congress didn't tell John "junior Fuhrer" Ashcroft to continue deploying the former and developing the latter.
We know this because even the Congressional leadership didn't know about them, as evidenced by the hearings certain privacy-conscious sons of liberty among them demanded once Carnivore became known. The fact is the executive branch does most of what it does without any Congressional approval at all. Or what would you call President Bush's fiat about using military tribunals, an order which the Legislative branch did not authorize and, though most support it, almost all complain that they weren't even consulted.
You're quite naive if you believe this nation still operates as the Constitution intended it to. Instead of the Legislative branch setting things into motion through passing laws, the Executive branch carrying those laws out, and the Judicial branch overturning laws when necessary and interpreting them in just ways, it now works like this:
The Executive branch sets things into motion by executive order and abuse of over-broadened discretion; the Legislative branch quite rarely then puts the Executive back in its place by passing laws to curb its abuses, but much more often is too busy setting other abuses into motion through its own powers, such as CDA, COPA, DMCA, SSSCA, etc., which generally serve to magnify and reinforce the abuses of the Executive branch; meanwhile the Judicial branch occasionally slaps down a particular abusive law or executive practice only to be largely ignored and "worked around" by those other two branches who just keep hawking the same old abuses of liberty under new bills of sale, ceaselessly, since the actions of the Judicial have no bearing at all on what the Legislative and Executive branches have the power to do--write the same policy up into different words and all of a sudden it's a new law or executive order, which has to be nullified by a Court again through the same long and painful process, even though it's essentially the same abuse. Not that the Judicial branch can be trusted to defend liberty much better than the other two, though--cf. the insane decision upholding anti-sodomy laws by the High Court in *Bowers v. Hardwick*, which boils down to "your right to privacy doesn't include the right to go against mainstream moral teachings." Read the text of the decision--it actually uses the word "morality," as if the Judicial branch is there to enforce subjective Christian moral concepts rather than invoke objective attempts at justice.
To put it simply, the FBI has a Congressional mandate to arrest people for breaking laws, but it does not have a Congressional mandate to do whatever it wants and invent any methods of snooping it wants while investigating people it desires to arrest. The unfortunate part is that the Legislative branch is too busy violating our other rights and taking corporate perks to ever use its power to restrain the FBI by law, while the Judicial branch is so slow and addlepated that multitudes of people will have the FBI's Orwellian thoughtcrime-control toys unleashed on them before it ever decides to uphold or invalidate these invasions. Not that we can trust it to make the right decision anyway, considering that it won't even let me lick my adult and consenting wife or girlfriend's pussy in private.
Thomas Jefferson was right, my friends--"An elective despotism was not the government we fought for."
Chasing Amy
(We all chase Amy...)
"The more corrupt the state, the more numerous the laws"-Tacitus
...that has such people in't!" --Shakespeare
In case you couldn't tell, he was being sarcastic.
Huxley's book derives its title from a scene in The Tempest, in which Miranda, upon meeting a bunch of royal bad guys--whom she naively perceives as regal, not as the bunch of usurping, murderous scum they really are under their shiny hats--says "O wonder! How many goodly creatures are there here! How beauteous mankind is! O brave new world that has such people in't!" to which Prospero--sad cynic, curmudgeonly nihilist, all-around smarty-pants, exiled in a world of criminal dipshits--says "'Tis new to thee."
Not an inappropriate sentiment, in this case.
But of course you knew that.
Your mouth is like Columbus Day.
Where is my tin foil hat! :-P
It's actually very sad when a government is alsmot at war with it's citizens. They'll catch tons of pass phrases in order to get 5 they really need. All I can say is I really hope that it isn't ported to Linux or BSD.
Hey, when is this thing going to work? 100% sure someone will make a way to remove the 'Magic Lantern' from your computer the minute after it's released.
People already manage to break into computers and softwares. The Windows XP warez version was getting trade on the internet 4 hours after it was released. (okay, lame point for secure system, but you get the picture)
If there are people that can crack whole operating systems, what skills will be needed to remove a simple trojan horse? It's not like the most difficult job in the world. The Magic Lantern will simple not work, specially for folks who do NOT want it to.
Buy a Nintendo DS Lite
If the Antivirus software does not stop this "virus" they won't in other countries as well... Is this another "USA is the world police" thingy?
"If you keep an open mind people will throw a lot of garbage in it."
This is not about the FBI using this to catch the bad guys. This is about the FBI having a means of breaching privacy and security in a way that's just sick.
Say McAfee was purposefully flawed and let this thing through. We use McAfee at work, too. Bang, any encrypted data stored on a networked computer there is instantly vulnerable, and can be traded off. They've done it before, haven't they?
And then there's privacy at stake.
The Magic Lantern isn't going to be a self-propagating worm or virus like many others like Code Red/SirCam. Each computer will have to be individually chosen to be compromised by the FBI. What you are thinking of is called Polymorphism. Many old virii were written using this idea. Many others would do things like compress, and randomly recompress with a different seed to generate a different size/content virus. The problem is, the decompress routine must be uncompressed(obviously) in order for it to function.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
Can I sue the US Government for privacy infractions and computer crimes if I find this program on my PC? Can my government sue the US Government for the same?
Don't worry, noone will ever accuse Australians of having any intelligence to target.
*rimshot*
the surprise is NOT that it exists, but that the FBI confirms its existence.
I don't really see the problem with the AV vendors overlooking ML. No, I'm not mad - bear with me for a moment:
First - think about how AV software works. It usually scans a file when it's accesed for certain known patterns - the virus signatures. Every virus/trojan/worm have their more or less unique signature which is used to identify it. So, when AV vendors say they won't detect it they software is not deliberately letting ML through - the software just will not have a signature for ML, and therefore it won't be recognized as a trojan.
This is not a hole.
It's just how antivirus software works - looking for known malware patterns.
Now, if I were to make my own personal Magic Lantern, I could theoretically modify FBIs software, or write my own. They will both be equally undetectable. Now, when certain AV vendors say the won't look for ML it is in fact good - because they are open about it. You KNOW their software won't detect it, and if you feel threatened by it you are free to change vendor and add in additional layers of paranoia (Firewalls, IDS, tripwire).
If we are going to hate AV vendors for something, we could just as well blame them for not including anti-spyware in their signature files. They have overlooked this specific kind of malware for years, and not many have raised their voices about it.
I'm more scared of the methods they intend to infect their targets - pushing ISPs into modifying data as it arrives at the victim's computer is just plain scary.
Then again, it's FBI we're talking about. For the most part they play by the rules. And if you're really so scared about Magic Lantern, you should be scared about phone wiretaps and Tempest too. They are all equally privacy-invading technologies, but very few of us encrypt our telephone calls or install lead-walls to protect our privacy.
I'm not saying that Magic Lantern is a good thing (it's not), but the AV vendors are not trying to make a gaping hole in you computer, and shouldn't be accused of such things.
Have an antivirus company move a large part of its assets into banks in one or more countries other than its home country.
Give a lawyer in each country bank account number and legal duty to withdraw all the money when it has been proven that that company has been compromised. The lawyer must open a new bank account for a competitor who has never been compromised.
Something tells me we will end up pretty quickly with a well-funded open source antivirus company!
Many redundant copies, each signed by a different trusted 'good guy', for each checksum in the repository.
At least the FBI would have to work that much harder before it could get all the signers nobbled (or trojaned)...
((Of course, we would still have to obtain trusted copies of the signers' public keys -- from a non-internet source presumably, magazine cover CDs perhaps ?))
Man who at the FBI fucking thought this stupid shit up. I wonder if the FBI really and truely thinks that 1) this will not catch anybody that is moderately aware of anything about computers 2) that it would actually catch someone doing something wrong? There's far too many ways for knowlegable users to get around stuff like this and somebody somewhere is going to write a little hack that will find and kill the virus. Carnivore is a retarded dragnet intended to make the FBI look less like a giant pile of shit because somehow people will feel secure if they know terrorists can't e-mail each other using hidden messages. Magic Lantern is just an addition to a shitty idea which is only going to cause the FBI more problems. ML will get isolated and someone will use it for their own purposes. It is as fucking simple as that. The first case of the virus being used by a "hacker terrorist" to infect a company and cause them "billions" of dollars in damages the FBI is going to once again look like a big pile of shit. On top of that the damn thing will probably never catch a terrorist. With the proliferation of computers and internet access anywhere it would be hard to catch anybody sending messages to someone. Like the terrorists in Semptember, they used a public library's fucking computer to send e-mails to people. They didn't encrypt anything, they just sent a coded message. This post could be a coded message and nobody would fucking know it unless they knew what to look for. Maybe instead of writing computer virii the FBI should look up the research the CIA did on ESP. That'd probably find them more fucking criminals. Hopefully they start with their directorate and work their way down.
I'm a loner Dottie, a Rebel.
There's already software out there that records and sends keystrokes and mouse clicks to another party. It's called "clickcatcher" and I've found it on my computer. It was found running, and hidden, whenever I started my browser Netscape 4.78. That's on a G4 Mac with OS 9.1.
I found it because it screwed up my system. It started every time I started the browser. But it didn't shutdown when the browser was closed. And it wouldn't shut down..period. That caused my computer to refuse to shut down because it couldn't shut down this hidden program. And that's what caused me do search and find it.
AV software (Virex) did not find it. If it didn't cause my computer to refuse to shut down... I may not have noticed it for quite a while. I don't know how long it's been there, or who it was sending this information too. Has anyone heard of something called clickcatcher?
If this gets near to law over your side of the pond, I shall certainly be voicing my opinion to my government. I suggest the rest of the internet does the same.
It seems to me that sooner or later these two government projects are going to come into conflict and it will be very interesting to see who comes out on top.
Why not do some fancy engineering footwork that would make it so that if I type "asdf", the Magic Lantern software would think I typed "jkl;", but my computer itself would read correctly as "asdf". Because the FBI would never physically have my keyboard, they would never have anything to match up the "jkl;" to, so they would never be able to determine what my real keystrokes were. I've gotta believe that is completely possible, and once something like that is available, it would forever be impossible to track keystrokes. Yes, it's a simplified example, but directionally speaking, that has got to be a viable solution. ...??...
with all your rants about big gov taking away your freedoms. Could it be that politics is a big circle and that a very thin line, if it exists at all, separates the extreme left from the extreme right?
Thomas C Green's arrogance is matched only by his ignorance, which is now plain for all to see. It is obvious the real target of his article was revealed in the hysterical rants, for which the "Magic Lantern" flub was only a pretext.
Since when is keystoking a new and miraculous invention of the FBI? So they employed some virus writers to string together a few exploits with a keystroke logger- this somehow makes it a new technology? Or is it because the FBI developed it that exploits have changed or that you should suddenly be concerned with intrusion detection? This is obviously unethical, but if you have illegal content on your box it should be protected IF you really think it should be online!
[fbi.exe has preformed an illegal operation]
dammit, how many times do I have to reinstall this thing before it works?!
GPG keys of all Debian package maintainers are known (www.debian.org/devel/join/nm-amhowto), and dpkg-buildpackage which is used to build a package does sign the package.
--- Hindsight is 20/20, but walking backwards is not the answer.
The great thing is, if ML ends up on my computer [in the UK] under the misuse of computers act, 1992 [iirc] I have a lovely target with which to imprison and sue for damages.
roll on the money!
and if they release this, surely it is a "circumvention" device anyway - after all, it is designed to get around security....justa thought or 2
Put a copy of Tripwire on the CD-R and occaisonally boot from it to confirm the integrity of the OS on disk. There could even be a script to run diff on a pair of files if Tripwire notices something screwy. I wonder how long it's going to be before their little keylogger gets very loudly posted to USENET.
What happened to the "it has" rule? Please consult your local friendly dictionary.
And while we're at it:
anyways
irregardless (which is now in the dictionary...)
Lie-nix vs Lin-ix (long i vs short is the point)
(and, yes, I've heard Torvolds say it so we could add "lee-nix" to the mix).
Hmmm, I think I'm sweating the small stuff - time for some small deodorant!
"Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin
;)
I don't think so.
"Break out the gin, and the small violin, I'm a raging success as a failure." --Firewater
If US-gov can enforce backdoors in AV-software,
can the UK, german, franch, iraq, libien, cuban governements enforce also their backdoors in any AV-software?????
And does the German backdoor conflicts with the US-backdoor?
In stead of AV-software, it looks more like a toolkit for installing viri and backdoors (well looks more like a front gate to me) for any organisation who claims to be defending their version of "truth, freedom" , and their god-given-right to do what ever they like at the costs of other peoples rights and freedom....
I even wonder why i should pay for these products contaminated by state sponsored terrorists.
It should have been the other way round:
For the privilege that THEY can poke around on MY systems, i demand a paycheck from CIA, FBI, MI-5, MI-6, KGB, Deuxieme Bureau (who else want to contribute)......
Hackin' Hans
There were 5 instances of the f-word and 4 instances of the s-word. Just what were you trying to tell somebody.
1 s 1 f - Buy booze
1 s 2 f - Fly plane into building......
After a couple of years of reading slashdot, I think I have built up a resistance to bad grammar. I don't even notice these anymore. Sometimes I even forget that you don't spell hacker with a 4 and an x.
Robotiq.com is heavily tested on animals
Welcome to a Brave New World
Wrong book.
First point: And everybody here should know this. If you have really sensitive info, the stuff you don't want anybody to read, you are stupid to have it on a computer connected to the net.
Second point: Brave New World?? READ THE BOOK!! You are thinking of 1984, in Brave New World there was no reason to spy, people were all hooked on soma and sex.
You state that "one or two cases of the FBI overtepping its bound" would be likely. I think the very fact that millions of "overstepping" cases are possible, without our knowledge, is the bigger problem, by FAR. You have quite a naive trust of our government, and I would rather they didn't have that power.
A criminal shouldn't be sought after until they have shown criminal intent. Then and only then should they be investigated.
Magic Lantern is used to gain information. If you think that millions were spent to check Johnny pedophile's E-mail, you're wrong, and would STILL be illegal without a warrant.
I don't understand why people aren't up in arms about this. The damage to psychological freedom far outweighs the benefit of catching www criminals, which again, is a secondary use of this technology.
IMHO, we're getting the PR version, and we're eating it up.
As some of the other have pointed out... it is possible to 'tap' a user without being suspected. Ok, there are a issues such as anti-virus software.. ISPs etc, but when the FBI can do it... and its public knowledge, how far further are the real elites ? What is the potential of the FBI when they are not actually telling us all they know (not that they have to).
The violence at Ruby Ridge happened in 1992. Bush was President. Jante Reno was not Attorney General.
So, if I discover I have Magic Lantern on my computer, can I sue for an electronic attack, illegal search and siesure, or both?
Zone Alarm seems to secure Win2k nicely and if you were paranoid about open connections couldn't you execute the "netstat" command? There has to be an open port that, "Green Lantern" leaves open. Just some thoughts and if anyone has the answers please let me know. Peace.
Um... If this works so well what's to stop joe hacker from key logging the FBI? Things work both ways people.
You're damned if you do and you're damned if you don't, because you need to download the wuftpd-of-the-week sometime.
What I would like to know is how many terroists insist upon running anonymous ftp from their warboxen.
Maybe if you simply turn off the unnecessary services that you never use, it wont be as much of a problem.
The point is that those signatures aren't available anywhere except by doing something like searching the debian-devel-changes archives. (The .changes files, which contain those signatures, aren't in the debian mirrors, though the signed .dsc file is; however, this is only sufficient to verify the integrity of the source code, not the binaries)
Once a binary package has been installed in the debian mirror system, there's *NOTHING* in the package file itself to guarantee that it hasn't been tampered with.
Don't cha think preventitive warfare is in order.
You know, like preventitive healthcare.
osearth - Who are the real terrorist?
"If we were at war the government would be able to require technology companies to cooperate, I believe, in a number of ways, including getting back door access to information and computer systems."
The government and microsoft get back door action... I knew they'd f*ck me hard one of these days.
I'm not here. This isn't happening.
'When asked if Magic Lantern would require a court order for the FBI to use it, as existing keystroke logger technology does, Bresson said: "Like all technology projects or tools deployed by the FBI it would be used pursuant to the appropriate legal process."' He sheepishly looked down at his feet for a moment, then exclamed: "I had chili for lunch today!"
If these walls could talk they'd probly still ignore me. --MF DOOM
I am truly fucking sick of typing in a response to someone's post on slashdot and having to think "Should I copy before I hit preview?" because if I don't I just might lose completely what I typed and be redirected to some far off corner of Slashdot. What a piece of shit. Fuck this forum.
Now, if they ( the ever ubiquitous "they" ) were putting drugs ( got soma? ) into the water, then it'd be more similar to BNW, but instead it's the Government furthering it's ability to monitor the activities of it's citizen's, which strikes me as much more Orewllian.
Okay, back to your regulary scheduled MS sucks/Linux rules/I hate Katz ranting.
Remember, "a gramme is better than a damn!" :)
---
Segmentation Fault ( core dumped )
By checking that checkbox, it only pertains to that session. If you reboot, you will need to checkmark it again if you need to install it again (which usually happens when the next version of IE comes out).
... not alter there software to stop it from detecting viruses.
Assuming magic latern is different enough from every other virus, I don't see a commitmant to include that in the virus signatures.
Is it possible the FBI said "shut up and stop telling people you dumbasses otherwise the bad men won't use your software".
I can picture a criminal getting this e-mail.
to: osama.binladen@aol.com
from: magic.doughnut@fbi.gov
Please do not install the latest patches from Microsoft, the security issues that the patch solves also sends your women to school
signed
big brother
Ok, we have a sniffer on our keyboard. But who said we need to type out our passwords just like that? We can encrypt them!
Just take your favourite PDA or a computer that's not networked anywhere. Then write a piece of software, that, when asked, XORs any string (your password) with a one-time pad. Once done, this software returns you an encrypted password and a PIN code (for example an offset number). This PIN code will be fed into a decipher software (which XORs the "encrypted" passwords again with the same one-time pad), and ta-da, you have succesfully encrypted your keystroke traffic on those parts that need encryption the most.
__
Zarathustra.fi
Modern man has no goal, no aim, no ideals.
Does anyone else find it interesting that this was announced at the same time the Bin Ladin tape was released? I just visited CNN, and off to the side of the big story, I saw little links telling me that the U.S. has just pulled out of the ABM treaty, the army has admitted to producing anthrax in Utah, and that the FBI has confirmed the existence of Magic Lantern... unbelievable.
If John Ashcroft wants to read everyone's email, let him. I propose that, from now on, everyone put AskDOJ@usdoj.gov in the cc: field of all your personal emails. (That's John Ashcroft's "official" email address, as posted on the DOJ web site. Pretty lame, eh?)
Now, why is this a terrorist act, and why am I thus posting as AC? Because it could be construed as a denial of service attack on the DOJ mail server. DOS attacks "calculated to influence or affect the conduct of government by intimidation or coercion...or to retaliate against government conduct." are among those "hacks" now considered terrorist acts.
If you live in the U.S.A. be afraid. Be very afraid.
Hello civil liberties lawsuit!
American style would call for "period." Morons! and not "period". Morons! Interesting that you punctuated in the Brit style that you don't seem to care for.
i am an american and was "educated" in american schools. i always fought with my teachers about placement of end punctuation vis-a-vis the quotation marks. my sophomore year in high school i finally decided that i was going to place the period/exclamation/question outside the quotes, and if they wanted to deduct points i really didn't care. this was bad for my grades but good for my character, because i learned that being deliberately wrong can be satisfying.
of course, these days, postpostpostmodern formlessness has eaten my writing habits -- i mean, i can't remember when the last time was that i wrote anything that wasn't email or requests for video section reposts on a.b.m.e.m.
writing is dead, long live the written word!
Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
and now that you, in you'r infinite wisdom, have abolished the difference between nouns and pronouns, whats next on you'r agenda?
i recommendation verbs and nouns. i always mixture verbs and nouns and belief that they debt change. you belief so too, eh?
As a matter of comparison, my Windows 2000 box has no such vulnerability. The first time I went to Windows Update, I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine. Even if the FBI forces Verisign to issue an impostor certificate, it will be detected and thwarted
I applaud your investigation of the security flaws inherent in package updating, but do you really trust Microsoft to not cooperate with the FBI (i.e. provide a 'genuine' Microsoft certificate) in exchange for more federally-redeemable Brownie Points?
Make your voice get heard by those who supposedly represent you! Follow this ACLU link and email the Bureau of Prisons today! (and mention this slashdot article too, perhaps they'll actually read about what they fail to represent).
Use my userscript to add story images to Slashdot. There's no going back.
The only defense for an attack which was described here that I can think of, is to have a distributed network of CRC values for all files; in a gnutella-type fashion - then once you've downloaded your binary; you can verify your CRC with thousands of others who have the same file.
Just my thought - it would make *me* feel safer.
You can run but you can't hide, except, apparently, along the Afghan-Pakistani border.
right now its:
I went to McAffee's web site to look up information about their antivirus products. And this is what it says:
I don't want to run any of their apps. I wanted to look at a web page and find out about what products they have. But they don't want me. Fine, I'll look at someone else's products instead.
I guess this isn't really a big issue for McAffee, because most of the people who would need Windows virus cleanup tools, would be the same exact kind of people who would have Javascript enabled. Strong correction, little actual marketshare loss.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I certainly have thought that the government has back doors in commercial software. I am sure they have designed it and are implementing it today. This Magic Lantern stuff is misdirection, I rather believe that parts of windows is being modified with Backdoors developed that lay dormant until activated as to avoid detection. Think it could be hidden in microsofts product activation, communicating over that protocol, or being activated and sending out information every time you send mail. Lets face it the government employs some very smart people, I am sure they have developed hacks for cell phones and cordless telephones, they have the capability to tap any phone line and probably privileged access to many corporate computers. US intelligence funding goes mainly to technology what exactly do we do with it.
Tsck Tcsk, I would expect better from someone named 4of12 and a self proported Star Trek viewer. Say it with me now, Holodeck. Holo, like Hologram or Holography. And BTW it's Moriarty.
On the flipside, I do think your analogy of Moriarty's holodeck is a pretty good one.
man RTFM
No manual entry for RTFM.
Not the 2nd amendment ... as Ashcroft has said, we can't violate the rights of terrorists to buy guns.
I agree, what a bunch of loosers!
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Do not get so worked up. All the FBI really did was say, "Tag , you're it!". Getting mad doesn't fix the problem at hand. And if you don't see a problem, heh, goooood.
Here's my thought:
bootable OpenBSD cd that has the normal desktop OS packages on it, so that I can boot into an X session from the CD.
It will use tmp space on the hard drive or RAM for working within (emails, documents, etc.) and save to floppies or CDR if I must.
If I get magic lanterned during a session, all I have to do is reboot (dumping RAM and tmp space) and keep going.
So, while not perfect, it will keep me from being keylogged for long, even if security through obscurity (openBSD) fails me.
Now, if Plan9 or Atheos were me choice, and able to do this, I'd be pretty well obscured from magic lantern. I wonder how good OpenStep would be at this?
Stupid question perhaps...I may have misread...
The spokesperson stated that they would have to use the appropriate legal channels to use ML...does this mean that they have to have a warrant to install the trojanon suspect systems? If so, how do they target that particular system, especially if they are using IDS's? I can see how they could force a major corporation (such as Microsoft) to bundle the trojan with a patch/SP which everyone who runs that system would use, but again, if they have to get a warrant to install it, it becomes impossible to target a specific system for install...
Am I clueless here?
"The difference between meat and fish is that if you beat your fish it dies"
that's because they are seperate words that already MEAN possesive. its is NOT a seperate word from it, it just has an affix stuck on. and in case you hadn't noticed, it's the ONLY word where the possesive affix "can't" have the appostraphe.
No dick cheese, "its" IS a separate word that means possesive, that's the whole fucking point! It is exactly the same as "his" and "hers" which is why I made the comparison. The pronoun is "he", and the possessive form of that pronoun is "his". The pronoun is "she", and the possessive form of that pronoun is "hers". The pronoun is "it", the possessive form of that pronoun is "its". But for some reason you and a million other lemmings insist on putting an apostrophe in the middle of it. "its" and "it's" are are two different words and they mean entirely different things!
There is a very simple rule to follow: If you ever consider using "it's" in a sentence, replace "it's" with "it is" or "it has". If the sentence still makes sense, then "it's" is correct.
Example: "I have a cat. It's brown." Now for the test: "I have a cat. It is brown." That makes sense, so "it's" is OK.
Now for another: "I have a cat. It's paws are dirty." And the test: "I have a cat. It is paws are dirty." Doesn't make sense does it, so "it's" cannot be used.
Make sure you do your research before bashing someone about the correctness of something that is easily verified. It's as simple as going to Dictionary.com:
Usage Note: Its is the possessive form of the pronoun it and is correctly written without an apostrophe. It should not be confused with the contraction it's (for it is or it has), which should always have an apostrophe.
If it's too hard a concept for you to grasp that maybe it should work just like every other word out there, and make things easier for us, then I fully expect yopu to be using whom wherever it is called for, as well as quite using conjunctions in written speech, as those are equally "incorrect".
The difficulting in grasping is with you and the other morons that can't understand that "its" and "it's" DO work just like every other word out there! By "easier for us" you mean "let us use whichever one we feel like typing, in whatever context and have it not be wrong." "Who" and "whom" is another elementary difference that should be easily understandable, as well as the relationship between "I" and "me". And contractions gained acceptance in the 1500s, and are easily recognized and understandable by everyone (when used correctly), so they ARE 'correct'.
The answer is not to allow every dipshit that doesn't want to learn the basic fundamentals of the most common words of his language to "change the rules" of that language to a dummer version. You would just keep dumbing down other words, but since there isn't any logic behind it, everyone won't be able to follow it equally. So you'll end up with the speech that 14 year old web site hackers currently use as "official English" while other equally corrupted versions are also "official English", and you start getting dialects within a language that other people can't understand, and prevent people from communicating with each other.
Yes, languages change. Yes, add new words to the language to describe a technology or idea that has not existed before. Yes, if an existing word's definition has been universally been altered to something significantly different from its old meaning, add that new meaning to the dictionary. But do NOT throw out the rules of grammar; that is not progress.
Sometimes the best solution to morale problems is just to fire all the unhappy people.
Half a day after FBI confirmed the existence of the Magic Lantern project (on Dec 12) CryptoHeaven released v1.0 build 7 of their client software with an optional Virtual Keyboard for passphrase entry to fight the key logging trojans. The privacy and security of the passphrase is of utmost importance to the clients. Virtual Keyboard is a graphical interface where users can select letters and symbols with a mouse from a randomly ordered list to form a passphrase, thus eliminating keyboard use. "We must fight for privacy and encourage other companies to do that too" developers spoke unanimously. http://www.cryptoheaven.com
<shameless plug> If you think there are valid reasons to get an offshore certificate to sign your packages, then see www.quovadisoffshore.com which is an offshore trusted third party certificate authority.</shameless plug>
I personally think the offshore cert is "safer" from compromise by US legal and business interests...
"I figure you're here 'cause you need some whacko who's willing to stick his finger in the fan. So who are we helping?
The FBI/DEA is using new technology to catch recreational ecstacy users. They implant a chip in pills to track dealers/users. Just one more invasion of our privacy... keep ur noses clean... ;-)
THANKS FEDS!
the link iz here www.overgrow.com/edge/sho...adid=82056