FBI Confirms Magic Lantern Existence

The_THOMAS (and many others) writes: "A day after major anti-virus firms waffle on their support for 'Magic Lantern', and nine days after Thomas C Greene of The Register tried to throw cold water on it's existence, the FBI Confirms the 'Magic Lantern' Project Exist. Welcome to a Brave New World!"

ITS

[Building]

ITS ITS ITS ITS ITS! NOT IT'S! AAAAAAAAGH! http://angryflower.com/bobsqu.gif

They can get us Linux users too

[dfeldman]

As an administrator of several Linux boxes at work and at home, I was wondering whether or not I could be affected by the "Magic Lantern" program. The results came in, and quite frankly, I am frightented.

To start, I talked with my colleague's brother, "Joe," who is a criminal defense attorney. Joe told me that he has been following the Magic Lantern debate very closely, because his sources indicate that the FBI will be using it in many, many cases to prevent the possibility of seizing equipment with undecryptable data on it. In fact, it has been rumored that the proposed new FBI policy regarding searches of premises requires agents to attempt to use Magic Lantern (which technically counts as a consensual search) prior to even obtaining a warrant, if the warrant is to seize computer hardware.

Joe is not very familiar with computer technology, but he did say that a large part of the Magic Lantern program involves contacting ISPs to allow the FBI to alter network data destined for the suspect's computer. I will take that at face value because they seem to have no problem pulling rank on ISPs. I suspect that their "do it or we'll arrest you" attitude plays a big part in this.

With all of that in mind, I decided to find out just how vulnerable I was. I set up a stock Debian 2.2r3 box, and a stock Red Hat 7.2 box. Both used the installation CDs produced at least a few months ago, so they were both vulnerable to the wu-ftpd exploit and would need to be upgraded for production use.

My goal was simple: I needed to play the part of the FBI, and trick my machines into accepting a trojaned version of the new wu-ftpd package.

First, I set up a transparent proxy on my gateway box, which is used to split my cable modem connection amongst my home machines and those of several neighbors. I used a program called "squirm" to rewrite URLs ending in .deb or .rpm so that they would be redirected to my local web server, from which the trojanned .deb and .rpm files would be served.

Second, I produced trojaned .deb and .rpm files. The .deb file was trivial to modify, as only a checksum stood between me and a valid hacked version. The .rpm was a bit more difficult, because RedHat signs their packages with a PGP key. However, once I rebuilt the package and did not sign it with PGP, I had a fixed package.

Third, I went to the Debian box and typed 'apt-get update ; apt-get upgrade'. After a few routine prompts, none of which triggered security alerts, the box was rooted by my "custom" package.

Fourth, I went to the Redhat box and did an 'rpm -U' pointed at the updates.redhat.com server. I got my trojanned RPM back, with no warnings or prompts to tell me it hasn't been signed. And I had an ftp server with a new backdoor up in a matter of minutes.

So, to summarize: the FBI can easily set up a transparent proxy between you and the Internet, and trick your OS into installing malware. You're damned if you do and you're damned if you don't, because you need to download the wuftpd-of-the-week sometime.

As a matter of comparison, my Windows 2000 box has no such vulnerability. The first time I went to Windows Update, I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine. Even if the FBI forces Verisign to issue an impostor certificate, it will be detected and thwarted.

Linux distributions need to band together and find a trusted individual who will be responsible for signing all packages and verifying that they do not contain backdoors. That is the only way to solve this issue. Personally, I nominate Eric Raymond, because of his widespread respect from the community and business leaders alike. Additionally, he is a staunch libertarian and would not cave to government pressure to insert backdoors into something that he has signed. I believe that by charging the distribution vendors a small fee per package, ESR can again achieve financial success for himself and his family.

This is a serious issue for Linux users and I believe it should have been addressed years ago. That said, now is not too late and definitely not too early. I look forward to seeing this feature in all future releases of the major Linux distributions.

df

Re:They can get us Linux users too

[ShaunC]

The first time I went to Windows Update, I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine.

So what happens if Microsoft allows Magic Lantern to be bundled inside the next .cab you get from windowsupdate.com - which, of course, is signed by Microsoft? You raised the point that ISPs tend to bend over, so you can't rule out the possibility that Microsoft might do the same.

Shaun

Re:They can get us Linux users too

[dbitter1]

A Slackware user myself, I am somewhat used to retrieving the source of my updates and compiling them myself. Although I don't check all of the PGP keys, most of the source I update regularly DOES have a digital signature.

Technically, Windows Update could insert something that removes the need for Microsoft's signatures and the Debian example would work just as well for our friends at M$.

As a similar matter of example: With W2K SP/2, M$ decided to disable the ability to disable Windows File Protection. A nice concept in some respects, but forces you to keep whatever files M$ thinks you should have... say... NetMeeting (or any other program you no longer get to uninstall.)

A bit of research, and a good-ole 2 bytes of NOP carefully inserted disables WFP. I was a bit shocked when I realized it did work! I boot W2K now, and although no WFP causes an event log message, the only way to tell my SFC.DLL is hacked is to test the signature manually! No "A Windows File Fails Integrity Checks" error message comes up. It could have just as well been the FBI's hack. Or, worse yet, the FBI could use WFP to ASSURE that you can't replace their files with a clean, non-recording version!...

Shiver

P.S. Try using SSH + SFTP. Beats the WUFTP problems and the tricky firewall rules FTP bringeth.

Re:They can get us Linux users too

[Russ+Steffen]

I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine. Even if the FBI forces Verisign to issue an impostor certificate, it will be detected and thwarted.

I do not think that means what I think you think it means.

You are wrong in a couple of ways: 1. What makes you think the FBI wouldn't be able to get a valid signature on Magic Lantern if they so desired? 2. You haven't actually denied non-properly signed software, you just made it so that properly signed software can be installed without you knowing about it. 3. The signature part is only checked by the windows installer service. You can put software on a machine without using the installer service. The faint sound of NIMDA and Code-Red poinding on my firewall is proof of that.

Re:They can get us Linux users too

[seifried]

Most major vendors (with the notable exception of Debian =( ) sign packages using GNuPG. You can check these signatures using rpm. There is no need to get Eric raymond to sign stuff (and he's supposed to read all the source code, then build all the packages on his own machines? excuse me?). I suggest reading the following two security advisories, which point out some mistakes that have been made, and one possible attack, but also largely corrected by vendors, and can be easily verified by users with minimal effort.

Devil in the details - why package signing matters

Red Hat 7.2 GnuPG signed RPM verification fails on distribution files

RPM PGP/GnuPG verification bug

Re:They can get us Linux users too

[iabervon]

Out of curiousity, was there any earthly reason for the box you were dealing with to be running an ftp daemon?

Re:They can get us Linux users too

[Tackhead]

> I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine. Even if the FBI forces Verisign to issue an impostor certificate, it will be detected and thwarted.

You, sir, are not merely a troll, but an expert troll, and I applaud you for a job well done! Thanks for the best laugh I've had this thread.

References: Slashdot article: Don't Trust Code Signed by 'Microsoft Corporation'

Microsoft bulletin detailing story of VeriSign issuing two Class 3 code-signing digital certificates to an individual fraudulently claiming to be a Microsoft employee: Erroneous VeriSign-Issued Digital Certificates Post Spoofing Hazard

Re:They can get us Linux users too

[wbattestilli]

In the case of Redhat at least, if you use up2date to update your system, each rpm is checked for a GPG signature.

Re:They can get us Linux users too

[Some+Dumbass...]

As a matter of comparison, my Windows 2000 box has no such vulnerability. The first time I went to Windows Update, I checked the box that said "always trust content from Microsoft Corporation." Therefore, only Microsoft's real certificate will be accepted by my machine. Even if the FBI forces Verisign to issue an impostor certificate, it will be detected and thwarted.

Why can't the FBI use Microsoft's real certificate? Why wouldn't Microsoft work with them? Are you so certain that "always trust content from Microsoft Corporation" is such a good idea?

Even then, the code which checks a newly-downloaded package against the MS certificate is on your computer, right? It could be modified by anything (say, a virus) which had the right permissions to do something different, like checking against a certificate on microsoft.fbi.com, correct? Perhaps this will be the next "I Love You" payload (or the last one).

Re:They can get us Linux users too

[mwalker]

Expert troll he is, but sadly a little too expert this time. Microsoft can issue false Verisign certificates till the cows come home, but if you only ever trust the one shipped with your computer (like the troll said) then no matter how many other packages signed by "Microsoft Corporation" show up at your computer, you will never install them. If you only trust that one certificate, then someone attempting to trojan your machine must get their trojan signed by the master Microsoft Verisign key. His argument hinges on the assertion that Microsoft would never sign a government trojan.

So basically, he was right, and you were wrong.

Wait, who's the troll again?

Re:They can get us Linux users too

[RelliK]

Well, leaving the windowsupdate sillyness aside for the moment, this post does raise an important question: why does Debian not sign debs? That would protect not only from magic lantern but also from a Debian mirror being rooted and corrupt debs intentionally uploaded?

Re:They can get us Linux users too

[JanneM]

True, but what to do when the next security vulnerability shows up - and the patch is not signed by your trusted certificate, but by another Microsoft certificate? Upgrade, and install a patch that could be trojaned; or refrain, and leave a vulnerability wide open.

/Janne

Re:They can get us Linux users too

[warpeightbot]

Despite this post being a monstrous troll, I think there is a good idea here...

Linux distributions need to band together and find a trusted individual who will be responsible for signing all packages and verifying that they do not contain backdoors.

I agree. I think there should be multiple independent verifiers across multiple nationalities, and you should be able to get your RPM's or debs from one country and your crypto checksums from another, and if they don't line up, you'll know something is rotten in Denmark (pun intentional). I nominate ESR, Alan Cox (that's Mister Cagey to you :), Marcelo Tosati, and I think we should have someone from continental Europe (somewhere with good privacy and crypto laws) and someone from Japan (or maybe South Korea if they have a good net connection)... the idea is that this would be done overnight by kicking off a shell script, so that these busy individuals wouldn't get bogged down with doing this, just that they're knowledgeable enough to see it done and well-known enough that there's a trust factor. I wouldn't be averse to more, but not too many more; if we let just any schmoe do it without the Internet equivalent of a background check, somebody's going to start feeding bogus data.... and of course the algorithm to generate the checksums should be GPL, and one should be able to use a known compiler source package, a known algorithm source package and a source rpm/deb and regenerate the compiler, the generator, and the package and duplicate the results.... sort of Linux From Scratch in miniature, just to check...

Of course, I wonder just how far the Fibbies will actually go in doing this. Most criminals are stupid. Hell, al Qaeda stood out like a sore thumb, it's just that most modern Americans have had their senses so dulled by television and government schools that nothing makes them paranoid anymore....

Sure, our hero slapped something together that dropped a back door in nothing flat. How many guys that smart are going to go work for what Uncle Sugar pays? How many of the ones that are smart enough actually know something about Linux?

And then there's the question of sheer manpower. Sure, they can tap your data, but who's going to go thru all that crap? They simply don't have THAT many Beowulf clusters....

If I was Ashcroft, I'd settle for netting all the Windows users, and worry about all those other OS's if and when I had a specific hard target. Once they hard-target you, you're a goner anyway; if they can't get what they want by giving you a Windows virus, they're just gonna come bust your door down. Meanwhile, I think most of us non-Windows users are relatively safe from any fishing expeditions the Fed might want to do on our hard drives.

And so it is that the umpteen zillion different distros of Linux becomes one of its advantages....

Besides, Red Hat has already let on that it's not going to play ball; remember that early release of a security patch (was it wu-ftpd?) that caused the flap a few weeks back? I think Bob Young and company had a lot of balls for doing that; it shows that his loyalty is to his users, and not to some calbal in some smoky chat room... I hope and pray and offer virgin sacrifices that it stays that way. Of course, there's also OpenBSD; Theo, cagey bastard that he is (and I *like* cagey bastards in these situations), isn't going to play cloak and dagger with *anyone*. I figure if anyone *tried* he'd raise six kinds of hell.

Bottom line, folks, there are more of us than there are of Them; they can't get to us all. And try and remember, if they do try to get to you, your first obligation is to escape and warn the rest of us. We have to hang together... lest we all hang separately.

Re:They can get us Linux users too

What's even worse:

It's an American idea, an American problem and based on American laws... and you are enforcing it on the rest of the world

What's left to us rest-of-the-world-westeners is to stop buying US software because otherwise we risk that our secrets will be sold to American businesses by the CIA/FBI gang... as it has happened before on numerous occassions where European companies (Siemens, for instance) suddenly lost deals in the middle east. Not enough that they eversdrop on our mobile phone communications (Echolon), now they bug our software...

Re:They can get us Linux users too

[Tony-A]

Anything that looks like it came from Microsoft, by any of Microsoft's certificates, will be blindly accepted. Personally, I never trust anything from Microsoft. "Always trust content from Microsoft Corporation" sounds too much like "Always trust the fox in the chickencoop".

Re:They can get us Linux users too

[fluido]

What if they tell them: you let us spy on windows users, and we will be as helpful as we can be in the field of antitrust and similar stuff.

While I believe that it is concretely possible to receive an infested .deb or even an infested kernel, I believe we linux users have two advantages: 1) we are more attentive and careful and 2) we know how to handle our systems.

Our system could become compromised, but there would most probably be little time before we found out. And really fixed our boxes.

Which is what attentive and careful windows user could also do if they had hold of the source.

So, the solution is, yes, to use an open OS, but also to be and remain attentive and careful. And to learn what we are doing and why. This is what information age boils to:

a) you don't use computers (and you probably live in some monastery in the mountains).

b) you use computers but you prefer to remain ignorant about what happens behind the hood. I would prefer to say: you are used by computers.

c) you understand computers, you use them for what they're worth, you don't let any corporation or government pull dirty tricks to you. You help family and friends and common people in doing so (provided they accept to shed off their laziness).

Windows is the lazy choice. Due to their laziness, people willingly "bend over." Microsoft does not need to "bend over:" they are slowly fusing with the US government, who will find it (already finds it?) extremely useful to keep an eye on lazy corporations and people.

The process will be very quiet.

Re:They can get us Linux users too

[muffen]

> Microsoft bulletin detailing story of VeriSign issuing two Class 3 code-signing digital certificates to an individual fraudulently claiming to be a Microsoft employee: Erroneous VeriSign-Issued Digital Certificates Post Spoofing Hazard

Actually, in this case it is safer to actually always trust Microsoft. The reason is simple, if you always trust Microsoft and you get an executable signed with the fraud verisign signature, you will be asked if you want to run this file signed by Microsoft corporation. Now you should know that you always trust Microsoft, and therefore you shouldn't be asked if you want to run a file signed by Msoft. However, if you don't always trust msoft, it won't surprise you when you're asked if you want to run a file signed by them.

Re:They can get us Linux users too

[onion2k]

I suppose that'll teach me for getting my rpms' from fbi.gov..

Re:They can get us Linux users too

[Lumpy]

so you proved to me that my switch to slackware increased my security even further as I dont have tools that will allow a download and then execute (up2date) the download.

Actually cince I switched back to slackware, I can now use source code again, as the ./configure;make;make install process doesn't break slackware as it does with redhat.

The problem with your attack is that they have to anticipate that I will want bigboobies_3.12_src.tar.gz within the time limits before they raid my house. sure they could profile me by watching my traffic and habits for a 30 day period. but then I am so fickle I doubt that they could get an accurate profile. The only thing I do regulary is read slashdot and freshmeat, I jump around on so many projects for work and personal use they would have to try and spoof about 30-40 different sourcecode packages in-order to get it on my machine, and then hope that I dont look throught the sourcecode.

but then most terrorists and violent criminals dont have the brain power to compile sourcecode let alone know what slackware is.

Re:They can get us Linux users too

[hawk]

>"Always trust content from Microsoft
>Corporation" sounds too much like "Always trust the fox in the
>chickencoop".

microsoft comes up a lot in my micro classes. I glanced at the screen one day as part of the class began laughing. At my sour glance at that message, most of the rest joined in . . .

hawk

Re:They can get us Linux users too

[ameoba]

The biggest problem I see is that the FBI's juridiction is limited to domestic work, and foreign criminal activity against the federal government. Once a copy of ML gets onto the system of a foreigner, they start walking on thin ice. If that foreigner is not involved in criminal activities dirrected against Americans of the USian Federal gov't they've stepped beyond their limits, and into the territory of the CIA.

Re:They can get us Linux users too

[alsta]

No, the NSA has domestic jurisdiction, while the CIA is mainly on foreign intelligence duty. The NSA is supposed to take care of National Security as the abbreviation implies. I may however, be misinformed.

Re:They can get us Linux users too

[H310iSe]

on this same thought line, has anyone else been over to cDc lately? They're offering to develop for the government the next generation of BackOrrifice to supplant Magic Lantern. Funny but some of their ideas are pretty good...

Paranoia

[Jebediah21]

I'm not worried about Magic Lantern. I'm worried about the stuff we haven't heard about yet. Really, if the FBI wants to spy on citizens (or criminals for that matter) there is no way they would let their ideas be known.

surprised?

[spacefem]

I'm can't believe they admitted it, talk about a smoking gun. Public opinion is just now turning towards questioning the "anti-terrorist" actions of our government. We could have figured out they were spying on us, I wonder what force inside made them be honest about it for once.

Ratted out by our ISPs - What legal recourse?

[Embedded+Geek]

While the FBI requires a court order to install its technology, formerly called "Carnivore," some service providers reportedly comply voluntarily...

Yes, I know this part is old news. Still, it makes me cringe whenever I see it. I assume there have been discussions of lawsuits/injunctions against ISPs to keep them from divulging this kind of stuff without a customer's consent. Could anyone post links to resources out there on these efforts for me? Thanks in advance.

Re:ITS (MOD PARENT UP)

[corky6921]

LOL... glad to see you are as irritated by that as I am. Thanks for the post.

AGAIN: If you can't replace "it's" with "it is" in the sentence you were using, use "its". "it is existence" would not be correct; therefore, the correct form of the word is "its".

I don't want to be a troll, but I'm really sick of seeing this kind of amateurish grammar on Slashdot, and I know I'm not the only one. Taco seems to have given up. He always uses "its", but that's not correct either! Remember the "it is" rule stated above, and you'll be correct every time.

P.S. "Better then" is not correct either. When comparing, use "than."

Not a great idea

[Zeinfeld]

The principle risk to an investigator using a probe like Magic Lantern is that it is more likely to tip off the target that they are under investigation than to provide useful intelligence.

Viruses spread because each time a user is infected they spread the infection to an average of more than one user. Most viruses die very quickly. Of the thousands launched each day only a handfull infect more than a few hundred sites. The probability of infecting a particular machine is actually quite low. It is going to take rather more effort to spread the trojan payload than the FBI expect.

Simply sending out random spam and hoping the target opens an executable that installs the trojan is not likely to work. A more likely means of succeeding is to attach the trojan to a downloaded executable.

A much easier solution with lower downside risk is simply to install a good old fashioned room mike or to use CRT radiation to snoop on the screen.

Re:Not a great idea

[whydna]

The "CRT radiation" snooping that the was referred to is commonly called "TEMPEST". The basic idea, which you seem to be aware of, is to detect the RF signals that are emitted from any electronic device.

There is a common misconception that the use of an LCD will prevent the ability of gov't agencies from detecting the signals. This is NOT true. LCDs DO infact emit electro-magnettic noise (just like LCDs,etc.) The difference is that LCDs are lower power and can't be easily read from as great a distance as a CRT. So in a since, you're correct, if "evil people" use LCDs, it'd be slightly more difficult to detect, but not impossible by ANY means!

Additionally, who cares if they use an LCD. All the other components are emitting EMI. The keyboard can be read; the disk access can be intercepted; the switch/hub in the room can be read, etc.

I've seen this technology demonstrated. A laptop, running on batteries, had it's LCD redisplayed on a CRT that was 40 feet away. Yeah, 40 feet isn't that far... but then again, if there's a bug in your room, you're up the creek, etc.

If you wanna see some products that have been secured against emitting EMI (and are thus significantly less vulnerable to TEMPEST attacks) check out http://www.hetrasecure.com/. Enjoy!

-Andy

Re:Not a great idea

[Zeinfeld]

The "CRT radiation" snooping that the was referred to is commonly called "TEMPEST".

TEMPEST is actually the hardening regime used to protect against RF emmission attacks. If I could remember how to spell it I would have used the term 'Van Eyke radiation'.

In addition to the noise generated by the display the display driver circuitry and the CPU itself generate noise. It is even possible to do some monitoring via the power supply - see Paul Kocher's power analysis attacks.

Comment removed

[account_deleted]

Comment removed based on user account deletion

BORRRRING!

[cscx]

You know, this Magic Lantern thing will sure make life boring. Whatever happened to the good ole days when the feds actually had to sneak in your house and plant a bug inside your coffeemaker (like in all those cool 80s action movies)? Man the feds are sure getting lazy.

Another reason to not use packages.

[SaDan]

Grab the source, check your code. Don't trust downloadable binaries any farther than you can throw your computer.

Re:Another reason to not use packages.

[isorox]

Grab the source, check your code. Don't trust downloadable binaries any farther than you can throw your computer.

Lets assume that you do, do you really have the time to check every line of code in wuftpd, or sendmail, or the kernel, or any other download?

All it would take is transparent rewrites from kernel.org to a new compromised kernel.

Can FTP affected by this?

Re:Why do people get riddled with fear?

[malxau]

I respectfully disagree.

It doesn't matter what you do, it matters what they can credibly claim you did. That's the threat. If the FBI were to accuse me in court of having written Goner, for instance, which judge is going to believe me? Any single techno-geek can't deny an allegation if it's strongly put.

The risk here is that the FBI gain more credibility to make accusations. That's it really. That credibility is a threat in itself.

Personally I don't have much to hide, because it's all posted on websites somewhere...

- Malx

Not an easy task

[dfeldman]

Installing a new program could take several extra hours if I were forced to download, audit, and compile the source.

The super-paranoid will be safe from Magic Lantern because they probably don't upgrade software often and they probably patch security holes themselves. But for the rest of us who want to *use* our computers, this is an enormous problem.

df

Oh goodie!

[loraksus]

So now the FBI will be able to catch terrorists even better!
What this country needs is more power and oversight by police agencies - East Germany had it right when "smell samples" were collected in jars so dogs could hunt down disenters.
Of course, this will mean nothing to civil rights because as we all know that the FBI is a trust worthy organization that would never do things that would jeopardize our civil rights by installing key loggers via internet virus (because that would not exactly be targeted eh?.

The FBI is also trust worthy, they would never, for example, abuse the justice system by, say using RICO (anti-organized crime) laws to punish pesky protesting environmentalists, or arbitrarily ask nearly all muslim students in the USA to come in for interviews (and chase them down if they don't come by) - or even threaten to reveal that a person charged with a crime is gay (and cause his suicide)

And they would never do anything like compile a list of "persons of interest" and maintain a dossier on each person in the USA that has been charged (not convicted) of a crime), as well as all immigrants in the USA (they did a mighty fine fucking job lately eh?)

Don't worry, the FBI will protect you in the future because of their new powers!

BTW, would it be in a anti-virus company's best interest to reveal that their software has programmed defects? I dunno. . .

Unacceptable.

[Millennium]

Look, guys. It's simple.

Get a warrant. I'll show you anything you want to see, but show me your goddamn warrant first. Until you have it, you have no right whatsoever to search my, or anyone else's computer. I don't care what your reason is. This is not acceptable.

Re:Unacceptable.

[loraksus]

Of course, a warrant doesn't necessairly mean that a person has to be notified (I believe the time limit was increased to 3 years), so theoretically, the fbi could get permission to magic lantern a person of interest and then "forget" about it, and continue gathering information well after the investigation is closed.

Re:Unacceptable.

[innocent_white_lamb]

Get a warrant. I'll show you anything you want to see,

that's listed in the warrant. Don't get a warrant to search my workshop and then decide to search my house while you're here.

Re:Unacceptable.

[ConsumedByTV]

Except seize your equipment, arrest you or anything they fucking want!

Why FBI came out with this news NOW

[webwench_72]

Why were they honest about it now? Simple: this is the best political climate the FBI could have asked for to reveal something like this.

Surveys show that most people, given the 9-11 attacks, are more than willing to trade freedom for security.

"A recent ABC/Post survey found two out of three people expressing willingness to surrender 'some of the liberties we have in this country to crack down on terrorism.' Cole attributes this not only to a heightened concern for safety, but to the fact that the majority are not generally affected--that is, it's not their relatives being detained and questioned." (Taking Liberties: Fear and the Constitution)

"At times like this, a democracy must balance its need to protect itself with the freedoms that define it. Last week's terrorist attacks have raised the debate pitting homeland defense against civil liberties to a level not seen since World War II." (For now, security trumps liberties)

"From the very first surveys after the World Trade Center and Pentagon attacks, most Americans told pollsters that the country would have to give up some rights to fight terrorism (79 percent in a CBS/New York Times poll in September). A Gallup survey conducted Nov. 26-27 found six in 10 Americans who said the Bush administration has been 'about right' in its limits on civil liberties, as opposed to 10 percent who said the administration had gone too far and 26 percent who think it hasn't gone far enough." (Public Supports Domestic Crackdown on Terror)

After all, if you're innocent, what do you have to worry about anyway? :grin:

Re:"Magic Lantern" Defense?

[thesolo]

Why do you need defense against "Magic Lantern" if you're not doing anything illegal?

I don't know if this is a Troll or not, but I'll bite.
This is NOT a valid argument. First off, think about what you said for a minute. It may come as a huge shock to you, but people who are not guilty are and have been arrested. And that won't be changing any time soon. Plain & simple, there is nothing written anywhere that says this will ONLY be used on criminals. All it would take is one person having a suspicion about you, and presto, they are trying to keylog your system. If you want to just let the FBI into your computer and allow them to monitor you, go right ahead, but I most certainly do not.

I could go on, but I won't. All I'm going to say is that this is a stepping stone, and if we don't try to resist it now, we may not have the option to do so in the future.

Re:"Magic Lantern" Defense?

[Maul]

You have a right to defend yourself against ILLEGAL searches, be it in your home, your car, or your computer system.

The problem is that we have a government that is becoming increasingly oppresive. All three branches of our government are basically for sale to the highest bidder. We have lawmakers and people in positions of power who don't really care about the Constitution.

The government has locked people away for nothing more than expressing opinions in the past. I don't want the FBI knocking down my door because they read an email I wrote saying that I disagree with John Ashcroft's latest violations of the Constitution.

Re:Hackers Beware

[tps12]

I'm not one for violating our freedoms however something like this may help in scaring would be virus creators, hackers and others problematic computer uses (ie. DDOS attackers). If it will help eliminate problems like that I'm all for it, even if my overall freedoms are curbed a little.

And rude people and dog owners... please, if you don't like your freedoms, then just pretend you're in prison. But don't volunteer away my rights. To me it sounds like you definitely are "one for violating our freedoms."

Re:Is FBI working together with the software compa

[FFFish]

"If MS intentionally and with clear thought..."

Footnote: in one of the proposed remedies against MS for its abuse of monopoly power, there was talk of opening the source for a bunch of their stuff... except for things that the government would choose to explicitly not allow open-sourcing.

One can readily see that as meaning the government gets to keep its backdoors and keyloggers and suchlike from prying eyes.

"Welcome to a Brave New World"

I wish more people would actually read Huxley's "Brave New World" before applying that phrase everytime government gets a little out of control.

Seriously, "Magic Lantern" and all the other privacy-invasive technologies used to snoop on private citizens are still a far cry away from the world of "Brave New World." After all, we still possess enough of our wits to question whether these steps are necessary, legal, and ethical. The folks in "Brave New World" didn't even go that far.

We are much closer to Orwell's "1984" then we are to "Brave New World." And I'm not sure which is the more frightening.

In 1984, the government had to force people to behave using the classic methods of tyranny. In Brave New World, the citizens were kept so damn happy that they would never question that the government didn't have their best interest in mind, regardless of what it did.

Remember: in 1984, our protagonist was someone from withen the society who began to realize what a living hell he was in and began to try to do something to better his condition. In brave new world, our protagonist was someone how came from outside of the society, having been raised on a "reservation". It was only because of this distance from the reality of the "Brave New World" society that he was able to see how awful it truly was.

Re:"Welcome to a Brave New World"

[mcarbone]

And anyway, the phrase originally comes from Shakespeare's The Tempest:

"Oh brave new world, that has such people in it."

Re:"Welcome to a Brave New World"

[Skinny+Rav]

Hmm... Good point, but not perfect. If you look around you'll notice that most people don't care about such things. As long as they get their soap operas, their cornflakes and their supermarkets they're as happy as people in "Brave New World".

And who protests? Geeks, living partialy in some abstract cyberspace, and various idealists like libertarians or people who still believe in American Democracy as some ideal being which exists and now is threatened by evil FBI, NSA or whatever. All these are also kind of outsiders.

So, I would say, we're somewhere in between: nobody's gonna use rats if you say that the goverment is evil, and most of the people are happy with their freedom shrinking, but still, it's just _most_ of the people, not everyone.

Rav

Re:"Welcome to a Brave New World"

[Nightpaw]

(That is, if "terrorism" was not just a threat fabricated and exploited in order to eliminate the rights of US citizens.)

By the Jews, right?

Re:"Welcome to a Brave New World"

[geekoid]

normally I don't reply to AC but I just want to say good job. Its nice to see some post about 1984 and Brave new world who has actually read them.

What I read

[Faux_Pseudo]

"We have a new software that does not exist yet but will give us the ability to infect a computer remotely"

With a remotely installed spy app they could remotely uninstall it. AKA no search warrant needed to get it on there in the first place because they can remove it any time they want causing a gapping hole in the 4th amendment (remember the Bill of Rights?). The other thing is how do they get this installed on a Linux system? The same binaries that work on win32 systems will not work natively on nix systems. Does this mean it could be the first Trojan to work across multiple OS's?

Re:"Magic Lantern" Defense?

[FFFish]

"It's FBI in your home, but then again, its better than terrorists in your mall."

Those who don't learn from history are bound to repeat it. Read up on the Reichstag. An evil man with a fondness for jackboots and genocide convinced people like you to think the way you're thinking. Inevitably, it all ends in tears.

Been there, done that

[dfeldman]

And 'rpm -U' doesn't say a single word when I install an unsigned package. By the time I could see that the package was unsigned (and potentially a copy of magiclantern-i386.rpm), it would be too late.

Distributions should reject packages that aren't signed with a trusted key by default. And make the user specify the --really-install-an-untrusted-package flag in order for the package manager to accept it.

df

Re:Been there, done that

[hawk]

> --really-install-an-untrusted-package flag

wow. Finally a flag that really *should* only exist with the --long-stupid-hard-to-use-but-looks-cool kind of flag.

So I stand corrected. It's not *all* flags that cannot be not specified with a single hyphen and character [1] that are wrong, sloppy, evil, and anti-unix, but all but one . . .

hawk

[1] excepting, of course, the case where you run out of characters

my fear...

[jeffy124]

I have no problem whatsoever of the FBI's using something like this, as long as it fits within the realms of how they already do investigations.

my fear is what if the FBI comes up empty after trying magic lantern against a target?

iow - install it, then fail to find or obtain what they're looking for. Will the warrants require removal of the lantern after a certain amount of time?

And what about repeated failures? Get into the computer, not find anything, back off, get another warrent, try again, still nothing. Would there be limits on how many attempts there are? Or a limit to the the number of searches within a given timeframe?

Tragedy

[Mad+Quacker]

Civil Disobedience has been the only real power The People hold. If the ability to do this is prevented it will be a great tragedy for America, and the begining of the end of the current Government. This is the _real_ need for Privacy, so you can do things which may not be wrong, but are illegal under current legislation. Illegal has no moral or ethical stance, it is an artificial creation.

What does this currently threaten? It is only through this avenue that I believe IP/Patent laws can or ever will be reformed. I certainly hope they do, so I don't have to explain to my grandchildren why knowledge and human creation built for thousands of years, their Birthright, the first creation of man that had no scarcity, enough for anyone willing to see, was caged and locked away only to be available to the richest, or at worst lost forever.

This is a direct attack to the defenses the people have against their rulers.

possibility of detection might exist

[jeffy124]

most AV tools monitor program execution for anomolis behavior by unknown virii. would magic lantern be able to avoid being detected by that?

also, what about personal firewall programs? I use Tiny Software's PF (yes, under Windows, sad isnt it) that checks the md5 of an executable before granting internet access. on top of that, it can allow you to block certain apps from making/accepting connections from various sites. for example I have it set to not allow Mozilla access to doubleclick and some other ad servers.

Here, two things exist: the lantern has to find a way around the md5 and also find a way around asking the user "PGP wants to connect to [fbi-ip-address], allow it? (y/n)" Getting through one or the other might prove difficult.

Yeah. Right ...

[Rosco+P.+Coltrane]

"Anti-virus software vendors said Monday they don't want to create a loophole in their security products to let the FBI or other government agencies use a virus to eavesdrop on the computer communications of suspected criminals."

And in 1968, the Hugues Glomar Explorer was looking for nodules on the pacific floor ...

Seriously though, how plausible do you think the following scenario is :

McAfee receptionist : Hello gentlemen, how can I direct you ?

Men in black : [showing their IDs] We work for the department of Homeland security. We need to speak to the CEO at once. You also are not to mention our visit to anyone by measure of national security.

MR : [picking up the phone] Mr. Sampath, important visitors for you.

Srivats Sampath : What can I do for you folks ?

MIB : Your company is under strict orders from the FBI and the department of Homeland security to provide appropriate backdoors in the software it produces. These backdoors are confidential-defense and must be revealed to the following persons only : [list of persons]. Any of you or your employees who have knowledge of these backdoors who reveals the existence of the backdoors will be detained and judged by a military court. Any question ?

SS : [going into brown alert] Yes yes Mister, anything you say. Have a good day Sir.

SS : [later, talking to the PR guy] John, write the following press annoucement and send it immediately to PRNewsWire : McAfee will NOT NEVER EVER UNDER ANY CIRCUMSTANCES NOT ON YOUR LIFE install any backdoor ever in our software. Never ever. Promise.

You think I'm paranoid ? Heck yes I am. The above is a bad fiction, and if nothing else, it certainly shows that I have no knowledge of who does what in the government, but my point is : none of these anti-viruses are open-source, how the hell are we supposed to know they're saying the truth ? especially nowaday, can you really trust anybody even remotely involved in computer security to tell you the truth ? Well, I'm taking the easy way out of that dilemma and I'm sticking to "alternative operating systems" that don't require proprietary anti-virus softwares in the first place, and that are known not to contain backdoors as long as the user administers the box properly.

Interesting question

[loraksus]

How about programming a "hardware abstraction layer" that would interact between the input and the system and the output.

The layer would only allow input to be passed to a specified program, and output would be passed only from that program - encryption would also be used between the input / system / output.

Sort of like an encrypted remote login, except that it would take place within / on the same machine, sorta a basterdized winnt.

It would be a shitload of programming methinks (i.e. a new shell, re-written (or heavily modified) programs) I dunno, I could be full of shit. However, if you would only be using the prog for the encryption of files / sensitive data . . . possibly send output to another device instead of thru the vid card..

Re:"Magic Lantern" Defense?

[Tackhead]

> I don't want the FBI knocking down my door because they read an email I wrote saying that I disagree with John Ashcroft's latest violations of the Constitution.

(Flippant answer: "Look, it's the Fourth Amendment we're getting rid of, not the First! Get yer Amendments straight, duuuh!" ;-)

But I think that deserves a serious answer, and since it's the Constitution you're so worried about, I'll have at it.

Ashcroft's actions are highly constitutional. He's fulfilling his obligations as part of the Executive Branch as specified in the Constitution, namely to use the powers granted to him by Congress to fulfil his mandate. Once something gets passed by the Legislative branch, it's law, and the Executive is obliged to work within the (ever-shifting confines of the) law until the Judicial branch (after due prodding) says it did otherwise.

So if you have a beef with the changes going on lately, it's with your Congresscritters for passing bad law.

But please, if you're gonna go Constitutional on us, don't trash the Executive for doing what the Constitution says it has to do -- namely doing the things your representatives in the Legislature told it to!

TRading freedom for security

[webwench_72]

There's a homily about how, when everyone is a lawbreaker, government has total control over everyone -- there will always be a pretext for detaining any person.

As another poster mentioned, it is quite likely that none of us would like to have all of our keystrokes made public -- some of our innermost thoughts go right through our keyboards, and Magic Lantern wouls apparently make no distinction between keystrokes that you intend to publish on the web, and those intended to stay private (financial info, personal letters, diaries, medical correspondence). If you think this sort of tapping would only occur under warrant, you aren't following the latest news.

Since 9/11, we already see our government detaining people for more extended periods of time even when the detaineee has not been accused of a crime, refusing to share the evidence against those detained, and the Dept of Justice is even, per AG Ashcroft, allowed to monitor conversations between people in custody and their lawyers. That last one applies to everyone, and is not limited to suspected illegal immigrants.

This is the top of a very slippery slope. If we give away rights to privacy in our homes and with our legal counsel, we will never get these rights back.

"A man who gives up some of his liberty for a little temporary safety deserves neither liberty nor safety." - Benjamin Franklin

"Whether or not legislation is truly moral is often a question of who has the power to define morality." -- Jerome Skolnick

Getting around Magic Lantern

[Supa+Mentat]

It seems to me that keeping Magic Lantern from working should be fairly easy for any terrorist who knows that much about it. He could have the computer that he writes and encrypts whatever it is he wants to send out disconnected from any network. Once the (let's say) email is written and encrypted he puts it on a disk goes over to another computer hooked up to the web and sends it off. Terrorist number two recieves it on one computer, puts it on a disk, loads it onto a disconnected computer, and decyphers the message using his key for the encryption scheme they used. This way, no computer that has the encryption on it (and thus the keystrokes) is hooked up to the internet and so can't get magic lantern. And if it somehow was infected, magic lantern would have no way of sending the info back to the FBI. Am I wrong? Shouldn't this work?

Re:Getting around Magic Lantern

[Robber+Baron]

I suggested something like this the last time this topic...I think it would work, and I can think of several other solutions without too much difficulty. How about using Drive Image to create CD-R Image disks of your O/S sans Magic Lantern and re-format and restore from the disks on a regular basis? What about other tried and tested methods of securing communications, such as one-time pads or pre-arranged codes? I think what the FBI is looking for is some sort of "Magic" fix that will relieve them of the need to do real police work. Sorry boys, you'll have to leave the donut shop sooner or later.

Re:Getting around Magic Lantern

[krokodil]

Once they planted trojan to your computer they could
do pretty much everything, not just keylogging. For instance they could encrypt your text in the manner it would be possible to decrypt it later.

Re:Getting around Magic Lantern

[innocent_white_lamb]

Don't forget that the "un-connected" computer should probably be a laptop, and said computer should be stored in a secure safe or other equally secure place when it is not in use or in the immediate possession of the owner.

Re:Getting around Magic Lantern

[Bert+Peers]

It seems to me that keeping Magic Lantern from working should be fairly easy for any terrorist who knows that much about it. [...] Once the (let's say) email is written and encrypted he puts it on a disk goes over to another computer hooked up to the web and sends it off.[...]

This would work. In fact, this is exactly the method used by amazon.com in their (very) early days to "secure" their database of credit card information. Credit card info was stored on a separate, non-networked computer. Every morning, the names of customers who had placed an order since the previous day, would be saved to a floppy disk which was then physically "carried" to the database PC to be matched up against their credit card info. That PC then generated a list (on paper) of billing requests to be sent off to Visa etc. The only way to modify the database (to add a new customer or update a credit number) was to actually call Amazon.com, and get someone on the phone to walk over to the database machine and enter some SQL woopla.

Re:Getting around Magic Lantern

[olla+podriga]

It will not work.

Guess why they want to make it a virus. Once it managed to get into one of your computers, it will find a way to infect anything you have contact with. Perhaps it puts a boot-sector virus on any disc you copy, inserts itself as macrovirus in the mail you just copied. Even your Laptop might need a software update some time and then you can't be sure the update is "clean".

For the way out: It could copy the data it collected or integrate it into its virus code, so that it can send your keys whenever it gets a internet (or whatever) connection from another system.

It generally sounds like a good idea, but can you be sure that your disconnected system is "clean" in the first place? Can you be sure that there will never be any possibilty for unwanted data to leak in or out your system? Normally you can't. You'll try very hard to do so, but all it takes is one little glitch (or someone else using your disconnected system) and "they" got you.

There is no defence against a sufficiently funded and determined attacker

My legal advice to you...

[Auckerman]

"That's like telling a cop that you refuse to give him access to your home to search it without a warrent. All you're doing is causing a bigger hassle for yourself."

You are under the misguided beleifs that:
1. Only guilty people exercise their right to privacy
2. Only guilty poeple have items seized as evidence upon a voluntary search.

Lets say for example, the FBI knocks on your door saying they suspect someone has been sending death threats to the president from your computer. They are mistaken. They want in to "look around" and walk out with your computer. Good luck getting it back, cause it will be in a "evidence" vault till you die, regardless of innocence or charges being sought. They could do that with ANY item in your house that MIGHT be tied to the crime and odds are you won't get it back, ever.

Reminds me of a county n Texas, all traffic violators were searched and anything that the searchers thought was "drug related" was seized. Well, a buisness man was speeding though said county, pulled over and lost 10-15K (I don't remember the exact figure) in cash he was taking to his son as a loan, all of which he could prove was legally earned. He ended up sueing, and getting little more than half of it back.

So, my legal advice to you (IANAL-Lawyer) is to NEVER ever for any reason let any cop search any of your property, unless they have a court approved warrent.

Whee.

[dswensen]

Once again the old adage proves true. If we fund fundamentalist, paramilitary, or resistance groups in far-off countries, they're "freedom fighters." If someone else funds them, they're "terrorists."

If someone puts a trojan or virus on your machine to spy on you, it's "cyberterrorism."

If the government puts a trojan or virus on your machine to spy on you, it's "domestic security."

Re:Whee.

[elefantstn]

If you think these are new problems, you were obviously born yesterday.

Re:Why do people get riddled with fear?

[Tackhead]

> The FBI is counting on social engineering to propogate this virus

Given the risks to the FBI of this virus being reverse-engineered, I would presume they would want it distributed to as few people as possible.

It's not a virus because it doesn't self-replicate. Nor is it a worm (because, not being self-replicating, once on a host, it doesn't infect other hosts through the 'net).

So ML, if released through email, will be targetted directly to the suspect.

If you're a drug kingpin, watch out for "Guido! I send you this plans for drug factory to have your advice!"

If you're a warez d00d, "D00DZ! Drink0rDie got fux0r3d last week! Run this c0d3 to DDOS the fux0rz!" might not be a good email to open.

But if you're Joe Slashdotter, you'll never see it, because the FBI won't send it to you. Not just 'cuz you haven't done anything to make yourself worth attacking, but because even if you have, they know you'll just disassemble it and embarass them.

Gotta run. (Someone sent me a mail saying "Hey, you were wrong, check out the original source code for ML right here in this self-extracting .exe!" ;-)

Re:Why do people get riddled with fear?

[hysterion]

which judge is going to believe me? Any single techno-geek can't deny an allegation if it's strongly put.

This is exactly why I chose to become a married techno-geek. Better safe than sorry!

Tell you what...

[shepd]

Send all your mail (and I mean all: cheques, kiss-ass late notice replies, love letters, porn orders, everything) in clear ziploc sandwich baggies for a while (at least 3 or 4 months).

If, after all that, you come back and say "It made no difference. I had nothing to hide" then I'll believe you. No cheating by self-censorship allowed.

'Till then I bet you're just like everyone else -- you have at least one skeleton in the closet.

Remember, the FBI are people too. What interests the mailman that's in those baggies interests an FBI agent just as much. The only difference is that the mailman is under special orders not to read your mail.

Open source certificates, ping times, etc?

[bildstorm]

First off, this shows how much we need to have some kind of open registry of certificates. I mean, does anyone really trust Verisign, especially now that they own NSI? I mean, talk about people willing to give up credibility in order to pursue monopoly.

Also, is there not a way in which we can set up some kind of distance authenticity verification? Or routing verification?

What if there was a service set up that allowed us to send out a request through an alternate random routing (for which we got back and traceroute list to verify) and set a codekey on the machine, and then when we connected to the machine, it would only connect if it had the codekey. Even if they spoofed the network connections and routing, then we wouldn't be able to connect, since we'd know that there was no codekey there. Granted, doesn't solve the problem, but it quickly says to me, time to get a new ISP who doesn't let the Feds run the whole deal.

Not scared of magic carnivores.....

[Darth_brooks]

Do not fear what they tell you they are doing. Fear what you are not being told.

Does anyone really think that Magic lantern, or carnivore, or any other media whore flavor of the week is a truely serious concern? Yes, there are possibilities for backdoors to fall "into the wrong hands" But just what do *you* stand to lose? A piece of your freedom? yeah, that is a legitimate concern, however, was that a freedom you really had?

Anyone who has had to deal with law enforcement with a computer-related incident loves nothing more than to howl about how woefully out of touch those in authority are. Then, when said groups make attempts at learning, the same folks go on half cocked screaming orwellian brave new world like lemmings.

the one argument that keeps coming up is "if you have nothing to hide why are you concerned?" Well, if you have nothing to hide, odds are you'll never have to deal with software like this in the first place. they still need a warrent, they still need a reason to target you. There's a reason search warrents aren't mentioned in 1984.....

Is there a signifcant risk to freedom at stake with recent legislation? There could be. Is there a dedicated group of individuals that want to run around screaming "brown-shirted nazi jackboot black helicopter Orwellian thought crime brave new thugs!" at the first mention of the FBI? Yeah. Any government agency concerned with the safety of the populace is going to end up on the wrong end of popular opinion anyway.......

Re:"Magic Lantern" Defense?

[ShaunC]

Why do you need defense against "Magic Lantern" if you're not doing anything illegal?

Why do people have curtains, blinds, or shutters on their windows if they aren't doing anything illegal? Because people like privacy. Privacy isn't illegal (yet).

Maybe I enjoy surfing porno websites. Maybe I work for a Fortune 100 company and have trade secrets on my computer. Maybe I'm secretly gay and that fact could be gleaned from my online habits. Or, hell, maybe I run the world's biggest cocaine trafficking ring over the internet. (Obligatory disclaimer, all of these situations are bogus.) It doesn't matter what I'm doing; without a warrant, the government has no more of a right to come in my house or my computer than a bum off the street.

The problem I see with Magic Lantern, vis a vis conventional searches, is that the potential for abuse is far too great. When the FBI raids a house, it's rather obvious. Maybe the person is at home, or the neighbors see it going down, etc. Makes it pretty difficult for them to just bust in any old house they want, without a warrant; and makes it pretty embarassing if they happen to screw up and raid the wrong house. This is (at least in my mind) a fairly good check and balance to ensure that the FBI isn't raiding houses on a whim.

What happens, though, if they bungle and put Magic Lantern on the wrong person's computer? It's a valid threat; if fucking bomb coordinates can be transposed, so can a suspect's IP address. What if Magic Lantern winds up on your computer or mine, even though we aren't doing anything illegal? There are no neighbors to see it happening, there is no embarassing story on CNN about the snafu, but before I know it, those corporate trade secrets on my computer are now in the government's hands. (IIRC, it was objection to exactly this type of risk that got France in a mess when they banned encryption.)

It's FBI in your home, but then again, its better than terrorists in your mall.

If there are terrorists at the mall, I at least have the choice to stay home and avoid them.

Shaun

What next?

[jhoffoss]

/me unplugs cable modem and cowers in the corner in fear.

How we can use DEFIANCE to PROTEST

[t0qer]

The one thing I take heavy issue with is the anti-virus companies decision to have the product that I paid to make sure unauthorized programs not run on my computer are letting this one in. To be honest, do I really need antivirus programs with all that I know now?

I have a bbiagent.net router that I routinely check on. Several times my friends have brought over M$ machines infected with viruses, I would see them trying to connect to the router on goofy ports, then look up what viruses use that port and take the right action.

What would be really nice is if the EFF or some similar organazation makes a blacklist of products infected with this crap. I don't think it would be too hard to detect, lots of smart people out of work with time on their hands now. More of us than the FBI, yeah coppers good luck!

I would not buy a product nor subscibe to a service that allows access unauthorized by me. The rest of /. should do the same.

What to do, what to do...

[doorbot.com]

One solution is as follows... make a clear, concise statement that companies will refuse to run virus scanning software at all as long as the FBI's "virus" is allowed to roam free and unchecked.

Then, watch as Melissa hits again and devistates the economy. Seem radical? Yes. But frankly, there comes a time when drastic steps need to be taken. Just think about how long it would take, in such a scenario, for the FBI to force the antivirus makers to update their software to clean things out... Short-sighted lawmakers may take away a citizen's freedom, but we still have the power to control what does and what doesn't happen in our government (well, with regard to the FBI).

Maybe an open source anti-virus tool for Windows is a better idea... as long as the FBI's targets are protected the software will be useless.

Re:What to do, what to do...

[mikethegeek]

Commercial antivirus companies have already bent over and prevented their products from showing COMMERCIAL spy-trojans on scan... (ie, the ones used to spy on employees)

What makes anyone think they won't do the same for the FBI? Simply put, they will.

The answer, of course, is free software. If we had a free software virus scanner/remover, that was completely open source, such tomfoolery would be impossible (so long as you knew how to read the code, or could get someone to do it for you, not that hard to do in the Linux community)

Open source=accountability.

This is why I'm concerned that this sort of thing will end up playing into Microsoft's hands, in getting an increasingly paranoid government, that is absolutely determined to outgun it's citizens in every aspect of life, to get free software made illegal..

Imagine it being ILLEGAL to posess a true open source operating system because it would be the legal equivalent of having a private nuclear bomb.

This is not so farfetched, as a networked computer that the government cannot monitor nor break into is as great a threat to our ever paranoid government AS a nuclear bomb in the hands of a private citizen. The precedent proof is in the fact that the government has made the ownership of weapons that would allow resistance to it illegal (had the same been true in 1776 the revolution would never have suceeded).

I think all who value freedom should oppose a government from being able to impose restrictions on citizens that it will never place on itself, IE, the fact that the GOVERNMENT is allowed to have strong encryption, unhackable (or so they think) computers, networks, etc, to hide information, but that private citizens should not.

How many crimes comitted by our government are hidden in encrypted files on government computers that will never EVER be discovered? Why should we trust a "justice system" that in the past decade has massacred more people without cause (Waco, Ruby Ridge) than at any point since the civil war?

Unlike the days of Woodward and Bernstein, it's likely our government's worst crimes aren't written on paper to find, they are stored encrypted in a computer somewhere. Which means, unless the citizens are allowed to install trojans to go on "fishing" expeditions through our government computers, we will never know.

But, as our government is saying to us, I'll say to them "if you've done nothing wrong, you have NOTHING to fear, right?"

In this, the government is non-partisan. Janet Reno presided over those aforementioned massacres, and John Ashcroft is pushing the current horror. All the more reason to abandon our one-party Demopublicans and vote Libertarian.

Can't connect to one site!

[ImaLamer]

Being board I've tried to click on all the news links provided in your story.

Unfortunatly I can't find anything - in every browser [IE, Mozilla and Netscape] I get a "host not found" error...

... weird.

But at least now when I say that they [Big Brother] are watching us I have proof and people won't say I'm crazy.

Think for a minute

[Stickerboy]

Magic Lantern is nothing new.

It's the networked computer-version of a phone wiretap.

In both cases, permission to use either information-collecting method has to be authorized first by a court-order. From the article [news.excite.com]:

When asked if Magic Lantern would require a court order for the FBI to use it, as existing keystroke logger technology does, Bresson said: "Like all technology projects or tools deployed by the FBI it would be used pursuant to the appropriate legal process."

...which is legalspeak for "Yeah, as long as wiretaps require court orders, so does Magic Lantern."

I can't believe the number of posts comparing the introduction of Magic Lantern to a civil liberties meltdown getting +1 Insightfuls. They're about as insightful as the patriotic idiots who'd allow government agencies unchecked freedom to invade private citizens' lives in the name of antiterrorism.

The citizens of the US have a responsibility to watch over the actions of its government, to serve as a check against the growth of abuse of power. Melodramatic statements like "Welcome to a Brave New World!" and knee-jerk antigovernment statements like "Trust the FBI to abuse this the minute they get it" merely serve to marginalize and decrease the credibility of those that speak out against government agencies becoming too unfettered.

Am I afraid that Magic Lantern may someday be abused? Well, yeah, but I'm a lot more frightened by the potential abuse of "old-fashioned" things like the aforementioned wiretaps and unwarranted searches and seizures than I am of the FBI emailing me an easily detectable and easily deletable script or executable virus. Magic Lantern doesn't strike me as a shadowy menace so much as the amateurish nature of a government agency still in the first steps of dealing with a wired world.

The key to preventing abuse by the FBI and other agencies is not by depriving it of tools to work with, such as wiretaps or Magic Lantern, but to ensure that adequate oversight exists and continues to do so in the future. Spending time and energy protecting and advocating the transparency and accountability of the FBI is infinitely more effective, and more likely to work, than seeking to deprive the FBI of intelligence-gathering tools to work with.

Re:Think for a minute

[Catiline]

Here's the one counterargument for what you said:

Power corrupts. Absolute power corrupts absolutly.

And now let me expound upon that.

I have a friend-of-a-friend story: a friend of mine is a lawer who defended a client accused of a computer crime- namely, running p0rn and selling 'services' on the 'net. When the police (Atlanta, GA- local mind you) raided his house, they took everything. Incuding, for no reason whatsoever, his pickup truck. And then auctioned said truck off. Before he was proven guilty in a court of law- before, even, he went to court. In total defiance of the constitutional protections against unreasonable search and seizure. And this was doubly unreasonable as a) they had no reason to sieze his vehicle and b) the had no right to sell it before his guilt was determined.

So if you want to say something sensible and levelheaded like "ensure that adequate oversight exists", keep in mind that the overseer needs to know about the issures involved. And when they don't, any amount of oversight won't do anything to stem corruption. Because I'm sure as sure can be that the goverment has sharp oversight over the local police departments, but yet that didn't stop this from happening. I don't even want to think about what the police really do in cases of phone tapping.

Re:Think for a minute

[e_lehman]

When asked if Magic Lantern would require a court order for the FBI to use it, as existing keystroke logger technology does, Bresson said: "Like all technology projects or tools deployed by the FBI it would be used pursuant to the appropriate legal process."

...which is legalspeak for "Yeah, as long as wiretaps require court orders, so does Magic Lantern."

Baloney. If that's what he meant, he would have said, "Yes". In fact, this is doubletalk for "no". The FBI wants to do this with only a warrant (easily obtained) instead of by seeking phone-tapping permission (much harder).

Possiable solution (peer-to-peer key checking)

[macmouse]

Why hasn't anyone thought of this before?..

Its a bit insane but think about it..
This would ideally be applied to jxtra (www.jxta.org) - suns peer to peer protcal layor (different things can be put ontop, like a web browser, a IM message,file sharing, etc).

Have the a key/checksum on the file itself. Then to authenticate, connect to the p2p network. Each host would have their own UNIQUE key. The longer a machine is up the more trust. Nearby machines get the key as well.

So, to authenticate the program goes and finds a bunch of random machines, asks what their keys are and what the key is for the package file. Then, you check the machines keys with other machines to make sure they can be "trusted". This would be a cross between the gpg signing "web" and p2p networking.

So the machines that have been on longer can be trusted more. This is to prevent a machine at the isp to generate new keys on the spot (or use the same one over and over again). It would have to be around for a resonable amount of time (24 hours?).

So each time you check package x, at random a series of "hosts" are asked what their checksums are for package x. For the paranoid, could add some route/different isp checking as well. Let say it asks 20 machines. If all match, then odds are pretty good its correct. Also, each host's key would have to be unique and "trusted". Then you can go out onto 100's (even more?) of hosts to check.

True, (in theory) it would be possiable to fiter for those specific requests, generate a seperate key for a bunch of ip's RANDOMLY and have them authenticate with each other, but that would be quite difficult. In order to do that, they would essentially have your connection severed from the net, with no direct path and on a "virtual" network, in which case your screwed anyway.

It isn't the most efficent way, but probably about as secure as you could get. Well, without being the govenment itself ^_^.

Re:Possiable solution (peer-to-peer key checking)

[Graymalkin]

So a file gets heavily validated. Big fucking deal. That has nothing to fucking do with a keylogger on your system watching out for your damn key password. I can go ahead and encrypt shit with 2^bajillion bit encryption but if somebody is watching me type my password over my shoulder it isn't going to do much good. Especially if it's a trojan on my system that watches me type in my private key password and uploads a copy of my private keys to somebody.

Having the checksum on the file itself is a bit ridiculous because if there's a trojan filtering stuff between me and the rest of the network it can easily strip the checksum off the file, change it, then add its own checksum. It will validate but it won't have the original checksum that you thought it had. No matter where it propogates it'll have the fucked up checksum. You've also got to be able to handle the event of half of the machines don't validate your file. What then? Half of the systems say it works and half don't, who do you trust then? Say with that system I write a quickly propogating virus or trojan that makes checksum requests fail. Who then do you believe when you're authenticating your file?

Read it online

[kimihia]

It isn't hard to read. It is available online for free reading. Have a look. I took the time out to read it - and now I know what the parent to this post is on about.

An analogy

[Stickerboy]

Arguing that the FBI should be unable to develop Magic Lantern is almost exactly the same as law enforcement agencies arguing that private citizens should not be allowed to access strong encryption.

In both cases:

• the argument hinges on the assumption that the party in question will abuse the technology (which is to some extent true, criminals will abuse encryption technology to hide evidence, just as there will be at least one or two cases of the FBI overstepping its bounds with Magic Lantern).
  
  
• the technology for [encryption, Magic Lantern] exists, and is widely available, so trying to outlaw its existence and use by the [criminals, FBI] is pretty futile.
  
  

Writing letters to your representatives and starting petitions about strengthening the oversight mechanisms over the FBI makes a lot more sense, just like the FBI using other methods to gather intelligence on criminals makes more sense than banning strong encryption.

Re:An analogy

[GigsVT]

The bill of rights enumerates some of the main rights that are retained by the people.

It grants no rights to government. There is a reason for that. Think about it.

Yes, it is a double standard, but that is the way our founding fathers made it, because they knew it was necessary.

Re:An analogy

[aozilla]

I agree with you for the most part, but there are two major differences:

1. Using encryption is a passive activity. No one else is affected by it. Breaking into someone's computer and installing a keylogger is not a passive activity. This is why I find one morally neutral, and the other one morally wrong.
2. Outlawing the use of these systems may be somewhat futile in that they will still be used by the FBI, but it is not completely futile because this information will not be able to be used as evidence in a court of law.
3. If I sue the government for breaking into my computer, I get a large amount of money. If the government sues someone for using encryption, society gets to pay for one more person's room and board in jail.

Entering passwords without the keyboard

[Katravax]

This post will probably never be seen since I'm a latecomer to the conversation, but I knew a fellow a few years back that would never be affected by a keylogger. His method would work for bypassing any keylogger, but would probably be most useful to touch-typists as a way to not use the keyboard for entering passwords.

He claimed he was a terrible typist. I couldn't tell though, because he didn't touch the keyboard. He would literally copy and paste every character he entered. While this would be tedious for all typing, it strikes me that would be a good way to enter passwords if you're concerned about a keylogger.

That generally wouldn't work for whole-system logins, but it would work for encrypted files and other "lesser" logins. Copy a letter from this page, a letter from that, paste it in your password box, and I doubt seriously even a macro recorder could follow what you're doing.

Re:Entering passwords without the keyboard

[Katravax]

You're right. That hadn't occurred to me. I suppose a really good system monitor could follow each mouse movement, each app launch, etc, and know in which part of which field which characters were pasted. I have macro software that does a relatively good job of playing back most of this, though it's not perfect. If whoever writes the software is good enough, I guess there really isn't any hiding.

Re:Entering passwords without the keyboard

[Katravax]

I agree, it's not perfect, but it would at least stump a keylogger. Even things like backing up with the mouse and hitting delete on a different character rather than the one a strict log of keystrokes would follow would at least help. I guess it's security through obscurity, but there may not be much more defense, if the software was well-written and thorough.

Re:Congratulations.

[SilentChris]

I can't believe people waste mod points on you.

I'm violated and I can't fight back.

[Boiling_point_]

I've been browsing at +2 so sorry if someone else has mentioned this already.

I am Australian. I use American antivirus software. There is no indication that Symantec or McAfee are going to protect their Australian consumers from the American government.

Most of this discussion has centred on the FBI invading domestic computers. I am more concerned, not personally, but ethically as a global citizen, with the CIA or another US body using this technique to invade my country's rights.

I have no recompense, short of diplomatic channels, or through whatever (uberexpensive) international anti-espionage laws , at stopping this.

Magic Lantern is a very blunt intelligence instrument. Right now (and the irony is NOT lost on me) all I have to be thankful for is that my sychophantic Prime Minister has been licking Dubwya's scrotum so much lately that Australians are probably far down the list of suitable intelligence targets.

Signatures on Debian packages

[Overfiend]

With all of that in mind, I decided to find out just how vulnerable I was. I set up a stock Debian 2.2r3 box... I went to the Debian box and typed 'apt-get update ; apt-get upgrade'. After a few routine prompts, none of which triggered security alerts, the box was rooted by my "custom" package.

Progeny Linux Systems wrote, tested, deployed, and submitted as patches to Debian, code to implement cryptographic package signatures. Some of the patches now exist in dpkg CVS, but Wichert Akkerman rejected others. Part of it had to do with a command that would prompt you (package maintainer) for your GPG passphrase and cache it so that it could be applied to each binary package (consider how tedious it would be to re-type the passphrase for each binary package in a package like XFree86, which has dozens; moreover, you're no *more* susceptible to a keystroke logger if the passphrase is cached). Anyway, this tool was written in C for security (locked memory pages), but Wichert wanted a version in Python instead, so he never accepted the code.

I never have quite figured that one out.

Anyway, since Progeny ceased development on its own distribution, not much work has been done on our signed package implementation. The code has already been publicly released; maybe it's time for people in the Debian community to take up the fight?

The specification, authored jointly by Ben Collins and John Goerzen, allows for multiple signatures per package. I wrote a policy administration tool called apt-checksigs that would let the user configure the strictness of signature checking on a per-repository basis.

Is anyone interested in this stuff?

Re:Why do people get riddled with fear?

First they came for the Communists, but I didn't say anything because I wasn't a Communist.
Then They came for the Trade Unionists, but I didn't say anything because I wasn't a Trade Unionist.
Then they came for the Jews, But I didn't say anything because I wasn't a Jew.
Then They came for the Catholics, but I didn' say anything because I wasn't Catholic.
Then they came for me, and nobody spoke because nobody was left.
Reverend Martin Niemoller

Re:Never claimed it would be easy.

[kinkie]

Erm... distributor-supplied RPMS are usually gpg-signed. So it's only up to the user to check that signature, and thus it's just a matter of cluefulness and a bit of crypto knowledge (i.e. make sure the publisher's public key is really the publisher's).
Dunno about .debs, but I'd find it strange if they weren't similarly armoured..

Re:Anti-virus software

[muffen]

> I thought that the antivirus companies had AGREED to NOT make their programs detect "Magic Latern"???

No! You, like so many other people, didn't read the quotes well enough. To start with, everything was hypothetical (and that was made clear in the articles). All AV vendors were saying that they had not been contacted by anyone from the FBI, and the all also said that they did not know if there was a thing like Magic Lantern.

Now, some people in Network Associates and Symantec said that if the FBI gave them a copy of Magic Lantern, then they would avoid detecting it (I'm asuming using an MD5 sum or something similar so hacked versions won't escape detection).

Later, "higher" people in the same companies said that they WOULD detect magic lantern.
If we asume that the internal communication issue has been resolved and this has been discussed internally, the latter statements are probably the ones that will be followed.

End conclusion, AV programs WILL detect Magic Lanter if they get their hands on it.

Re:What about your compiler?

[_xen]

While that post was sarcastic, it brings up another question: do you trust your compiler?

Not until I've finished checking every last line of code in the compiler source ... and in the source of the one I use to compile that ... and ... :o

Re:Defeating Magic Lantern

[JimPooley]

Step 8. Throw away your computers, rip out your phone lines, and communicate using messages written in hand on paper, carried by pigeons.

The FBI may then employ Dastardly and Muttley's Vulture Squadron, but to no avail as there is no recorded evidence of them ever catching the pigeon...!

Step 9. Stop being so paranoid and thinking that anyone really gives a shit what you do...

The funny thing is...

[Chasing+Amy]

The funny thing is, Congress didn't tell Janet "the Waco wacko" Reno to create and deploy Carnivore and to authorize development of Magic Lantern. And Congress didn't tell John "junior Fuhrer" Ashcroft to continue deploying the former and developing the latter.

We know this because even the Congressional leadership didn't know about them, as evidenced by the hearings certain privacy-conscious sons of liberty among them demanded once Carnivore became known. The fact is the executive branch does most of what it does without any Congressional approval at all. Or what would you call President Bush's fiat about using military tribunals, an order which the Legislative branch did not authorize and, though most support it, almost all complain that they weren't even consulted.

You're quite naive if you believe this nation still operates as the Constitution intended it to. Instead of the Legislative branch setting things into motion through passing laws, the Executive branch carrying those laws out, and the Judicial branch overturning laws when necessary and interpreting them in just ways, it now works like this:

The Executive branch sets things into motion by executive order and abuse of over-broadened discretion; the Legislative branch quite rarely then puts the Executive back in its place by passing laws to curb its abuses, but much more often is too busy setting other abuses into motion through its own powers, such as CDA, COPA, DMCA, SSSCA, etc., which generally serve to magnify and reinforce the abuses of the Executive branch; meanwhile the Judicial branch occasionally slaps down a particular abusive law or executive practice only to be largely ignored and "worked around" by those other two branches who just keep hawking the same old abuses of liberty under new bills of sale, ceaselessly, since the actions of the Judicial have no bearing at all on what the Legislative and Executive branches have the power to do--write the same policy up into different words and all of a sudden it's a new law or executive order, which has to be nullified by a Court again through the same long and painful process, even though it's essentially the same abuse. Not that the Judicial branch can be trusted to defend liberty much better than the other two, though--cf. the insane decision upholding anti-sodomy laws by the High Court in *Bowers v. Hardwick*, which boils down to "your right to privacy doesn't include the right to go against mainstream moral teachings." Read the text of the decision--it actually uses the word "morality," as if the Judicial branch is there to enforce subjective Christian moral concepts rather than invoke objective attempts at justice.

To put it simply, the FBI has a Congressional mandate to arrest people for breaking laws, but it does not have a Congressional mandate to do whatever it wants and invent any methods of snooping it wants while investigating people it desires to arrest. The unfortunate part is that the Legislative branch is too busy violating our other rights and taking corporate perks to ever use its power to restrain the FBI by law, while the Judicial branch is so slow and addlepated that multitudes of people will have the FBI's Orwellian thoughtcrime-control toys unleashed on them before it ever decides to uphold or invalidate these invasions. Not that we can trust it to make the right decision anyway, considering that it won't even let me lick my adult and consenting wife or girlfriend's pussy in private.
Thomas Jefferson was right, my friends--"An elective despotism was not the government we fought for."

Re:The funny thing is...

[Tackhead]

> Or what would you call President Bush's fiat about using military tribunals,

Since you asked, something that's pretty routine during times of war and you're dealing with unlawful combatants.

Everyone who is accused has a lawyer. Everyone will be entitled to a trial that is full and fair. If it is not full and fair, civil courts will overturn the conviction. The Supreme Court has asserted its supreme authority since the Jeffersonian days of Marbury v. Madison to review the decisions of lower courts and the constitutionality of government edicts.

Re:The funny thing is...

[Chasing+Amy]

> something that's pretty routine during times of war

Ah, but whether you want to consider it "routine" during "wartime" or not, has nothing to do at all with what it was brought up to demonstrate. The poster above stated that the executive branch only puts into practice what the legislative branch tells it to do. I gave a very direct and very recent example of the executive branch doing something very major (suspending Constitutional rights is always major--and whether you like it or not, even non-citizens have them according to the Supremes), without Congress authorizing it in any way, and which caused Congress to complain that it should have beenh consulted prior to the executive branch's little excursion into imposing executive order over duly passed law.

The example was given to demonstrate that very specific point, not to argue that we shouldn't have the tribunals. Frankly, I don't care since I don't believe full Constitutional protections should apply to non-citizens in the first place, and the executive fiat only applies to non-citizens. Of course, Carnivore and Magic Lantern themselves are evidence that the executive branch doesn't merely do what Congress tells it to do. Congress never authorized these programs; the FBI spent our tax dollars developing malware all on its own decisions.

As for this being a time of war, it isn't. Congress is too lazy and inept to even pass a real declaration of war, which in effect makes this a police action not unlike our involvment in Vietnam. We may call it a war, but technically speaking it isn't, since the procedurs for declaring war are very well established in our system and we haven't even attempted to follow them. Sheer legislative laziness and sloth. I was sorely disappointed that even after being attacked so far below the belt, our Congress still couldn't get off its pampered and corrupt collective ass to pass a simple declaration of war.

And as for "unlawful combatants," I hate to say this since Al Quaeda and the the Taliban disgust me so, but there's really no such thing. "Laws of war" and "international law" are modern contrivances with no historical standing, which ultimately stand in the way of progress and peace and stability in the long term. "Total war" is the correct concept, a concept which by the way was quite well expressed by the actions of the North during the Civil War in the U.S.--or as I like to call it, The War of Northern Aggression. ;-) The only way to ensure long-term peace and stability is to solve your problems through quick, total, no-holds-barred military action which de-fangs your enemy entirely. The U.S. is one nation today solely because our forefather suffered through a great and horrible war which decided all issues quickly and forever.

By way of contrast, all our international problems of today can be attributed quite justly to a globalist dove mentality, in which peace is to be maintained at almost any cost and "international laws" have to be respected--with no regard to the devastating long-term consequences of not allowing regions to solve their problems decisively and get past it.

The former Yugoslavia is the archetypal example. For a thousand years tension between the native Orthodox peoples and the Muslims who came in as a by-product of conquest had been present, resulting in continual hostilities that were only kept at bay by one totalitarian regime after another--from the Muslim empires which originally practically enslaved the Serbs, to the Austro-Hungarian monarchy, to subjugation as a Soviet satellite state. Hostilities still ran deep and flared up--such as when a certain Arch-Duke was assassinated, culminating in World War I thanks to the alliance system--but all-out inter-tribal warfare was only averted by the presence of strong repressive governments. The moment those repressive forces disappeared, the thousand-year hostilities erupted into outright warfare. Instead of letting the natural course of warfare play itself out, allowing one group to consolidate its power over a given region while the other group retreats into another, resultng in a stable set of nation-states to replace tribal enclaves, the "international community" of goody-goodies had to step in and demand that everyone stop having a war. Our excuse was that Serbs were committing genocide, but in reality the Bosnians had committed equally bloody atrocities and the Serbs just happened to be the ones winning when we stuck our noses in.

The result is that, thanks to our "rules of war" and "international laws," the entire area is still just as much of a powder-keg of enmity as it was when the Black Hand was terrorizing people in the early part of the last century. Those ethnic groups will never live together peacefully, and the only reason they approximate it now is that U.N. stormtroopers have taken the place of Soviet dictatorship in providing an oppressive influence. The minute they get the chance, hostilities will arise again, and again, and again, and in the long run far more people will be killed in the hostilities than if the first war had just been allowed to play out. If it had, each ethnic group would have had a nearly-unmixed and therefore hostility-free zone in which to found a real nation, and long-term stability and balance would have come to the region at last.

The same sort of unholy internationalization is responsible for the terrorism that originates from the Middle East today. Israel has been fighting for a stalemate for the last forty years. They could have banished Palestinians from their territories decades ago if a normal war had taken place instead of one of these silly let's-follow-International-Law affairs. The result would have been that Israel could have established secure borders 20 years ago, the banished Palestinians would have become mostly-satisfies Egyptians and Iraqis and Iranians, etc., by now, and tensions in the area would be in a subsiding phase with Muslim neighbors being forced to accept Israel's existence. What keeps them from doing that, what put them on their quest to drive the Israelis out, is that their fellow-Muslims the Palestinians are within Israel's borders and as long as that's the case there will be hostility. If a real war had been conducted, 20 or 30 years of stable Israeli borders without any fellow Muslims being oppressed inside them would have gained a measure of grudging acceptance by its neighbors, as opposed to the Jihad to push Israel into the sea for oppressing their Muslim brethren.

A dirty little secret is that we did precisely the ame thing to several small ethnic groups right after World War II. To ensure long-term stability for Europe, we shuffled ethnic groups around by the trainload, until we had all the lines drawn in all the right places so that only people who could reasonably get along were grouped together under one flag. This is seldom taught today unless you take upper-level classes at university on the history of the period, probably because it would offend the delicate sensibilities of our U.N.-uber-alles culture. We don't want to admit that total war resulting in the displacement of ethnic groups to other areas is the only way to ensure long-term peace. But history proves that it is. The only time total war has failed is when the unnatural modern "international law" notion of war reparations was introduced, against Germany after World War I. Before that, losers just gave up a big chunk of land and that was the end of it. Reparations and all that touchy-feely stuff leads, at the risk of someone yelling "Godwin's Law!," to fascist and Nazist backlashes and worse conflicts than before.

So no, I have no problem with tribunals. But I do have a problem with hiding the reason for their existence behind silly and meaningless phrases like "unlawful combatants" instead of just being honest anhd saying "they aren't my citizens, so I'm going to fry the bastards as quickly as possible."

"O brave new world...

[CdotZinger]

...that has such people in't!" --Shakespeare

In case you couldn't tell, he was being sarcastic.

Huxley's book derives its title from a scene in The Tempest, in which Miranda, upon meeting a bunch of royal bad guys--whom she naively perceives as regal, not as the bunch of usurping, murderous scum they really are under their shiny hats--says "O wonder! How many goodly creatures are there here! How beauteous mankind is! O brave new world that has such people in't!" to which Prospero--sad cynic, curmudgeonly nihilist, all-around smarty-pants, exiled in a world of criminal dipshits--says "'Tis new to thee."

Not an inappropriate sentiment, in this case.

But of course you knew that.

How does this affect non-us users?

[BeyondALL]

If the Antivirus software does not stop this "virus" they won't in other countries as well... Is this another "USA is the world police" thingy?

Foreign troubles

[the+grace+of+R'hllor]

Exactly what I'm moderately worried about. Why should the US FBI be able to check my computer, just because I use a (likely) American (otherwise British) version of Windows on my PC?

Can I sue the US Government for privacy infractions and computer crimes if I find this program on my PC? Can my government sue the US Government for the same?

all I have to be thankful for is that my sychophantic Prime Minister has been licking Dubwya's scrotum so much lately that Australians are probably far down the list of suitable intelligence targets.

Don't worry, noone will ever accuse Australians of having any intelligence to target.

*rimshot*

I don't really see the problem with the AV vendors

[ymgve]

I don't really see the problem with the AV vendors overlooking ML. No, I'm not mad - bear with me for a moment:

First - think about how AV software works. It usually scans a file when it's accesed for certain known patterns - the virus signatures. Every virus/trojan/worm have their more or less unique signature which is used to identify it. So, when AV vendors say they won't detect it they software is not deliberately letting ML through - the software just will not have a signature for ML, and therefore it won't be recognized as a trojan.

This is not a hole.

It's just how antivirus software works - looking for known malware patterns.
Now, if I were to make my own personal Magic Lantern, I could theoretically modify FBIs software, or write my own. They will both be equally undetectable. Now, when certain AV vendors say the won't look for ML it is in fact good - because they are open about it. You KNOW their software won't detect it, and if you feel threatened by it you are free to change vendor and add in additional layers of paranoia (Firewalls, IDS, tripwire).
If we are going to hate AV vendors for something, we could just as well blame them for not including anti-spyware in their signature files. They have overlooked this specific kind of malware for years, and not many have raised their voices about it.

I'm more scared of the methods they intend to infect their targets - pushing ISPs into modifying data as it arrives at the victim's computer is just plain scary.

Then again, it's FBI we're talking about. For the most part they play by the rules. And if you're really so scared about Magic Lantern, you should be scared about phone wiretaps and Tempest too. They are all equally privacy-invading technologies, but very few of us encrypt our telephone calls or install lead-walls to protect our privacy.

I'm not saying that Magic Lantern is a good thing (it's not), but the AV vendors are not trying to make a gaping hole in you computer, and shouldn't be accused of such things.

possible solution

[mattr]

Have an antivirus company move a large part of its assets into banks in one or more countries other than its home country.

Give a lawyer in each country bank account number and legal duty to withdraw all the money when it has been proven that that company has been compromised. The lawyer must open a new bank account for a competitor who has never been compromised.

Something tells me we will end up pretty quickly with a well-funded open source antivirus company!

Mod parent up (multiple-signed checksum repository

[JPMH]

Sounds like a good idea to me.

Many redundant copies, each signed by a different trusted 'good guy', for each checksum in the repository.

At least the FBI would have to work that much harder before it could get all the signers nobbled (or trojaned)...

((Of course, we would still have to obtain trusted copies of the signers' public keys -- from a non-internet source presumably, magazine cover CDs perhaps ?))

Security Enhanced Linux?

[HuskyDog]

If I download and install the NSA's Security-Enhanced Linux (having checked the source carefully for back doors) am I then safe from Magic Lantern?

It seems to me that sooner or later these two government projects are going to come into conflict and it will be very interesting to see who comes out on top.

and then...

[archen]

[fbi.exe has preformed an illegal operation]

dammit, how many times do I have to reinstall this thing before it works?!

Refinement

[dmaxwell]

Put a copy of Tripwire on the CD-R and occaisonally boot from it to confirm the integrity of the OS on disk. There could even be a script to run diff on a pair of files if Tripwire notices something screwy. I wonder how long it's going to be before their little keylogger gets very loudly posted to USENET.

Re:What about your compiler?

[bowronch]

Interested parties should read this article... Ken Thompson created one of the coolest back doors ever... Compile the compiler to introduce code that creates a login backdoor every time login is compiled, and code so that everytime the compiler itself is compiled, the hack goes into the binary... after one compile, the hack isnt in the source... "Reflections on Trusting Trust"

Legal question

[Guppy06]

So, if I discover I have Magic Lantern on my computer, can I sue for an electronic attack, illegal search and siesure, or both?

Re:Never claimed it would be easy.

[4of12]

make sure the publisher's public key is really the publisher's

Aye, there's the rub!

It really takes an independent confirmation route to verify the veracity of some random downloaded package.

It galls me to no end seeing a download site providing "one-stop" authentication: here's the package, here's the signature, here's the key!

Proving identity and authenticity in this kind of environment would be improved if there were multiple authorities for one to use. Anything else subjects you to the risk of living in Dr Morarty's HollowDeck, if you remember that particular episode of Star Trek TNG.

The network downloaded packages have to be verified independently, using

• public keys burned on the CD distro you bought for cash, on impulse, in a random location,
• additional public keys on floppies that you wrote from an entirely different computer and network connection,
• phone calls verifying fingerprints of keys
• many, many open certifying authorties that are not run by governments or corporations with vested interests that would be harder to compromise en masse,
• users that are less inclined to sacrifice security for convenience

Nothing is perfect, but you can tighten things down to the point where your spoofability risk is less.

What I would like to know

[Srin+Tuar]

You're damned if you do and you're damned if you don't, because you need to download the wuftpd-of-the-week sometime.

What I would like to know is how many terroists insist upon running anonymous ftp from their warboxen.

Maybe if you simply turn off the unnecessary services that you never use, it wont be as much of a problem.

Re:Correction

[mikethegeek]

You are correct, though it was the Janet Reno/Louis Freeh FBI/DOJ that not only failed to prosecute FBI agent Lou Horuchi, but they promoted him...

Proving that such things are nonpartisan, ie: BOTH parties are equally corrupt and hostile towards civil rights. The period of `92- has seen an unacceptable escalation of violence against citizens by the government.

Brave New World? ( or 1984 )

[CoreDump]

I'd think that this type of behavious by the government is more akin to that of Orwell's _1984_ than to Huxley's _Brave_New_World_.

Now, if they ( the ever ubiquitous "they" ) were putting drugs ( got soma? ) into the water, then it'd be more similar to BNW, but instead it's the Government furthering it's ability to monitor the activities of it's citizen's, which strikes me as much more Orewllian.

Okay, back to your regulary scheduled MS sucks/Linux rules/I hate Katz ranting.

Remember, "a gramme is better than a damn!" :)

Timing

[ruck]

Does anyone else find it interesting that this was announced at the same time the Bin Ladin tape was released? I just visited CNN, and off to the side of the big story, I saw little links telling me that the U.S. has just pulled out of the ABM treaty, the army has admitted to producing anthrax in Utah, and that the FBI has confirmed the existence of Magic Lantern... unbelievable.

Re:Two things.

[ImaLamer]

If you've got something to say, just come out with it.

I don't want you to hint around... what the fuck are you saying?

I just thought of an Idea, and I know no one

[firewort]

Here's my thought:

bootable OpenBSD cd that has the normal desktop OS packages on it, so that I can boot into an X session from the CD.

It will use tmp space on the hard drive or RAM for working within (emails, documents, etc.) and save to floppies or CDR if I must.

If I get magic lanterned during a session, all I have to do is reboot (dumping RAM and tmp space) and keep going.

So, while not perfect, it will keep me from being keylogged for long, even if security through obscurity (openBSD) fails me.

Now, if Plan9 or Atheos were me choice, and able to do this, I'd be pretty well obscured from magic lantern. I wonder how good OpenStep would be at this?

Re:Never claimed it would be easy.

[kinkie]

Hehe. You have a point.

The topic I was covering was the one where somebody tried to spoof the distributor to install a troyan.

Your scenario is an entirely different story :)