Slashdot Mirror
FBI Confirms Magic Lantern Existence
The_THOMAS (and many others) writes: "A day after major
anti-virus firms waffle on their support for 'Magic Lantern', and nine days
after Thomas C Greene of The Register tried to throw cold
water on it's existence,
the FBI Confirms
the 'Magic Lantern' Project Exist. Welcome to a Brave New World!"
I'm not worried about Magic Lantern. I'm worried about the stuff we haven't heard about yet. Really, if the FBI wants to spy on citizens (or criminals for that matter) there is no way they would let their ideas be known.
Everytime you look at porn a devil gets their horns.
You know, this Magic Lantern thing will sure make life boring. Whatever happened to the good ole days when the feds actually had to sneak in your house and plant a bug inside your coffeemaker (like in all those cool 80s action movies)? Man the feds are sure getting lazy.
Look, guys. It's simple.
Get a warrant. I'll show you anything you want to see, but show me your goddamn warrant first. Until you have it, you have no right whatsoever to search my, or anyone else's computer. I don't care what your reason is. This is not acceptable.
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Why were they honest about it now? Simple: this is the best political climate the FBI could have asked for to reveal something like this.
:grin:
Surveys show that most people, given the 9-11 attacks, are more than willing to trade freedom for security.
"A recent ABC/Post survey found two out of three people expressing willingness to surrender 'some of the liberties we have in this country to crack down on terrorism.' Cole attributes this not only to a heightened concern for safety, but to the fact that the majority are not generally affected--that is, it's not their relatives being detained and questioned." (Taking Liberties: Fear and the Constitution)
"At times like this, a democracy must balance its need to protect itself with the freedoms that define it. Last week's terrorist attacks have raised the debate pitting homeland defense against civil liberties to a level not seen since World War II." (For now, security trumps liberties)
"From the very first surveys after the World Trade Center and Pentagon attacks, most Americans told pollsters that the country would have to give up some rights to fight terrorism (79 percent in a CBS/New York Times poll in September). A Gallup survey conducted Nov. 26-27 found six in 10 Americans who said the Bush administration has been 'about right' in its limits on civil liberties, as opposed to 10 percent who said the administration had gone too far and 26 percent who think it hasn't gone far enough." (Public Supports Domestic Crackdown on Terror)
After all, if you're innocent, what do you have to worry about anyway?
Most major vendors (with the notable exception of Debian =( ) sign packages using GNuPG. You can check these signatures using rpm. There is no need to get Eric raymond to sign stuff (and he's supposed to read all the source code, then build all the packages on his own machines? excuse me?). I suggest reading the following two security advisories, which point out some mistakes that have been made, and one possible attack, but also largely corrected by vendors, and can be easily verified by users with minimal effort.
Devil in the details - why package signing matters
Red Hat 7.2 GnuPG signed RPM verification fails on distribution files
RPM PGP/GnuPG verification bug
You, sir, are not merely a troll, but an expert troll, and I applaud you for a job well done! Thanks for the best laugh I've had this thread.
References: Slashdot article: Don't Trust Code Signed by 'Microsoft Corporation'
Microsoft bulletin detailing story of VeriSign issuing two Class 3 code-signing digital certificates to an individual fraudulently claiming to be a Microsoft employee: Erroneous VeriSign-Issued Digital Certificates Post Spoofing Hazard
I wish more people would actually read Huxley's "Brave New World" before applying that phrase everytime government gets a little out of control.
Seriously, "Magic Lantern" and all the other privacy-invasive technologies used to snoop on private citizens are still a far cry away from the world of "Brave New World." After all, we still possess enough of our wits to question whether these steps are necessary, legal, and ethical. The folks in "Brave New World" didn't even go that far.
We are much closer to Orwell's "1984" then we are to "Brave New World." And I'm not sure which is the more frightening.
In 1984, the government had to force people to behave using the classic methods of tyranny. In Brave New World, the citizens were kept so damn happy that they would never question that the government didn't have their best interest in mind, regardless of what it did.
Remember: in 1984, our protagonist was someone from withen the society who began to realize what a living hell he was in and began to try to do something to better his condition. In brave new world, our protagonist was someone how came from outside of the society, having been raised on a "reservation". It was only because of this distance from the reality of the "Brave New World" society that he was able to see how awful it truly was.
There's a homily about how, when everyone is a lawbreaker, government has total control over everyone -- there will always be a pretext for detaining any person.
As another poster mentioned, it is quite likely that none of us would like to have all of our keystrokes made public -- some of our innermost thoughts go right through our keyboards, and Magic Lantern wouls apparently make no distinction between keystrokes that you intend to publish on the web, and those intended to stay private (financial info, personal letters, diaries, medical correspondence). If you think this sort of tapping would only occur under warrant, you aren't following the latest news.
Since 9/11, we already see our government detaining people for more extended periods of time even when the detaineee has not been accused of a crime, refusing to share the evidence against those detained, and the Dept of Justice is even, per AG Ashcroft, allowed to monitor conversations between people in custody and their lawyers. That last one applies to everyone, and is not limited to suspected illegal immigrants.
This is the top of a very slippery slope. If we give away rights to privacy in our homes and with our legal counsel, we will never get these rights back.
"A man who gives up some of his liberty for a little temporary safety deserves neither liberty nor safety." - Benjamin Franklin
"Whether or not legislation is truly moral is often a question of who has the power to define morality." -- Jerome Skolnick
It seems to me that keeping Magic Lantern from working should be fairly easy for any terrorist who knows that much about it. He could have the computer that he writes and encrypts whatever it is he wants to send out disconnected from any network. Once the (let's say) email is written and encrypted he puts it on a disk goes over to another computer hooked up to the web and sends it off. Terrorist number two recieves it on one computer, puts it on a disk, loads it onto a disconnected computer, and decyphers the message using his key for the encryption scheme they used. This way, no computer that has the encryption on it (and thus the keystrokes) is hooked up to the internet and so can't get magic lantern. And if it somehow was infected, magic lantern would have no way of sending the info back to the FBI. Am I wrong? Shouldn't this work?
"A witty saying proves nothing." - Voltaire
Once again the old adage proves true. If we fund fundamentalist, paramilitary, or resistance groups in far-off countries, they're "freedom fighters." If someone else funds them, they're "terrorists."
If someone puts a trojan or virus on your machine to spy on you, it's "cyberterrorism."
If the government puts a trojan or virus on your machine to spy on you, it's "domestic security."
Maybe I enjoy surfing porno websites. Maybe I work for a Fortune 100 company and have trade secrets on my computer. Maybe I'm secretly gay and that fact could be gleaned from my online habits. Or, hell, maybe I run the world's biggest cocaine trafficking ring over the internet. (Obligatory disclaimer, all of these situations are bogus.) It doesn't matter what I'm doing; without a warrant, the government has no more of a right to come in my house or my computer than a bum off the street.
The problem I see with Magic Lantern, vis a vis conventional searches, is that the potential for abuse is far too great. When the FBI raids a house, it's rather obvious. Maybe the person is at home, or the neighbors see it going down, etc. Makes it pretty difficult for them to just bust in any old house they want, without a warrant; and makes it pretty embarassing if they happen to screw up and raid the wrong house. This is (at least in my mind) a fairly good check and balance to ensure that the FBI isn't raiding houses on a whim.
What happens, though, if they bungle and put Magic Lantern on the wrong person's computer? It's a valid threat; if fucking bomb coordinates can be transposed, so can a suspect's IP address. What if Magic Lantern winds up on your computer or mine, even though we aren't doing anything illegal? There are no neighbors to see it happening, there is no embarassing story on CNN about the snafu, but before I know it, those corporate trade secrets on my computer are now in the government's hands. (IIRC, it was objection to exactly this type of risk that got France in a mess when they banned encryption.)If there are terrorists at the mall, I at least have the choice to stay home and avoid them.
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Of course, I wonder just how far the Fibbies will actually go in doing this. Most criminals are stupid. Hell, al Qaeda stood out like a sore thumb, it's just that most modern Americans have had their senses so dulled by television and government schools that nothing makes them paranoid anymore....
Sure, our hero slapped something together that dropped a back door in nothing flat. How many guys that smart are going to go work for what Uncle Sugar pays? How many of the ones that are smart enough actually know something about Linux?
And then there's the question of sheer manpower. Sure, they can tap your data, but who's going to go thru all that crap? They simply don't have THAT many Beowulf clusters....
If I was Ashcroft, I'd settle for netting all the Windows users, and worry about all those other OS's if and when I had a specific hard target. Once they hard-target you, you're a goner anyway; if they can't get what they want by giving you a Windows virus, they're just gonna come bust your door down. Meanwhile, I think most of us non-Windows users are relatively safe from any fishing expeditions the Fed might want to do on our hard drives.
And so it is that the umpteen zillion different distros of Linux becomes one of its advantages....
Besides, Red Hat has already let on that it's not going to play ball; remember that early release of a security patch (was it wu-ftpd?) that caused the flap a few weeks back? I think Bob Young and company had a lot of balls for doing that; it shows that his loyalty is to his users, and not to some calbal in some smoky chat room... I hope and pray and offer virgin sacrifices that it stays that way. Of course, there's also OpenBSD; Theo, cagey bastard that he is (and I *like* cagey bastards in these situations), isn't going to play cloak and dagger with *anyone*. I figure if anyone *tried* he'd raise six kinds of hell.
Bottom line, folks, there are more of us than there are of Them; they can't get to us all. And try and remember, if they do try to get to you, your first obligation is to escape and warn the rest of us. We have to hang together... lest we all hang separately.
Magic Lantern is nothing new.
It's the networked computer-version of a phone wiretap.
In both cases, permission to use either information-collecting method has to be authorized first by a court-order. From the article [news.excite.com]:
When asked if Magic Lantern would require a court order for the FBI to use it, as existing keystroke logger technology does, Bresson said: "Like all technology projects or tools deployed by the FBI it would be used pursuant to the appropriate legal process."
...which is legalspeak for "Yeah, as long as wiretaps require court orders, so does Magic Lantern."
I can't believe the number of posts comparing the introduction of Magic Lantern to a civil liberties meltdown getting +1 Insightfuls. They're about as insightful as the patriotic idiots who'd allow government agencies unchecked freedom to invade private citizens' lives in the name of antiterrorism.
The citizens of the US have a responsibility to watch over the actions of its government, to serve as a check against the growth of abuse of power. Melodramatic statements like "Welcome to a Brave New World!" and knee-jerk antigovernment statements like "Trust the FBI to abuse this the minute they get it" merely serve to marginalize and decrease the credibility of those that speak out against government agencies becoming too unfettered.
Am I afraid that Magic Lantern may someday be abused? Well, yeah, but I'm a lot more frightened by the potential abuse of "old-fashioned" things like the aforementioned wiretaps and unwarranted searches and seizures than I am of the FBI emailing me an easily detectable and easily deletable script or executable virus. Magic Lantern doesn't strike me as a shadowy menace so much as the amateurish nature of a government agency still in the first steps of dealing with a wired world.
The key to preventing abuse by the FBI and other agencies is not by depriving it of tools to work with, such as wiretaps or Magic Lantern, but to ensure that adequate oversight exists and continues to do so in the future. Spending time and energy protecting and advocating the transparency and accountability of the FBI is infinitely more effective, and more likely to work, than seeking to deprive the FBI of intelligence-gathering tools to work with.
Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
Why hasn't anyone thought of this before?..
Its a bit insane but think about it..
This would ideally be applied to jxtra (www.jxta.org) - suns peer to peer protcal layor (different things can be put ontop, like a web browser, a IM message,file sharing, etc).
Have the a key/checksum on the file itself. Then to authenticate, connect to the p2p network. Each host would have their own UNIQUE key. The longer a machine is up the more trust. Nearby machines get the key as well.
So, to authenticate the program goes and finds a bunch of random machines, asks what their keys are and what the key is for the package file. Then, you check the machines keys with other machines to make sure they can be "trusted". This would be a cross between the gpg signing "web" and p2p networking.
So the machines that have been on longer can be trusted more. This is to prevent a machine at the isp to generate new keys on the spot (or use the same one over and over again). It would have to be around for a resonable amount of time (24 hours?).
So each time you check package x, at random a series of "hosts" are asked what their checksums are for package x. For the paranoid, could add some route/different isp checking as well. Let say it asks 20 machines. If all match, then odds are pretty good its correct. Also, each host's key would have to be unique and "trusted". Then you can go out onto 100's (even more?) of hosts to check.
True, (in theory) it would be possiable to fiter for those specific requests, generate a seperate key for a bunch of ip's RANDOMLY and have them authenticate with each other, but that would be quite difficult. In order to do that, they would essentially have your connection severed from the net, with no direct path and on a "virtual" network, in which case your screwed anyway.
It isn't the most efficent way, but probably about as secure as you could get. Well, without being the govenment itself ^_^.
It isn't hard to read. It is available online for free reading. Have a look. I took the time out to read it - and now I know what the parent to this post is on about.
In both cases:
Writing letters to your representatives and starting petitions about strengthening the oversight mechanisms over the FBI makes a lot more sense, just like the FBI using other methods to gather intelligence on criminals makes more sense than banning strong encryption.
Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
This post will probably never be seen since I'm a latecomer to the conversation, but I knew a fellow a few years back that would never be affected by a keylogger. His method would work for bypassing any keylogger, but would probably be most useful to touch-typists as a way to not use the keyboard for entering passwords.
He claimed he was a terrible typist. I couldn't tell though, because he didn't touch the keyboard. He would literally copy and paste every character he entered. While this would be tedious for all typing, it strikes me that would be a good way to enter passwords if you're concerned about a keylogger.
That generally wouldn't work for whole-system logins, but it would work for encrypted files and other "lesser" logins. Copy a letter from this page, a letter from that, paste it in your password box, and I doubt seriously even a macro recorder could follow what you're doing.
I am Australian. I use American antivirus software. There is no indication that Symantec or McAfee are going to protect their Australian consumers from the American government.
Most of this discussion has centred on the FBI invading domestic computers. I am more concerned, not personally, but ethically as a global citizen, with the CIA or another US body using this technique to invade my country's rights.
I have no recompense, short of diplomatic channels, or through whatever (uberexpensive) international anti-espionage laws , at stopping this.
Magic Lantern is a very blunt intelligence instrument. Right now (and the irony is NOT lost on me) all I have to be thankful for is that my sychophantic Prime Minister has been licking Dubwya's scrotum so much lately that Australians are probably far down the list of suitable intelligence targets.
"If you create user accounts, by default, they will have an account type of Administrator with no password." KB Q293834
With all of that in mind, I decided to find out just how vulnerable I was. I set up a stock Debian 2.2r3 box... I went to the Debian box and typed 'apt-get update ; apt-get upgrade'. After a few routine prompts, none of which triggered security alerts, the box was rooted by my "custom" package.
Progeny Linux Systems wrote, tested, deployed, and submitted as patches to Debian, code to implement cryptographic package signatures. Some of the patches now exist in dpkg CVS, but Wichert Akkerman rejected others. Part of it had to do with a command that would prompt you (package maintainer) for your GPG passphrase and cache it so that it could be applied to each binary package (consider how tedious it would be to re-type the passphrase for each binary package in a package like XFree86, which has dozens; moreover, you're no *more* susceptible to a keystroke logger if the passphrase is cached). Anyway, this tool was written in C for security (locked memory pages), but Wichert wanted a version in Python instead, so he never accepted the code.
I never have quite figured that one out.
Anyway, since Progeny ceased development on its own distribution, not much work has been done on our signed package implementation. The code has already been publicly released; maybe it's time for people in the Debian community to take up the fight?
The specification, authored jointly by Ben Collins and John Goerzen, allows for multiple signatures per package. I wrote a policy administration tool called apt-checksigs that would let the user configure the strictness of signature checking on a per-repository basis.
Is anyone interested in this stuff?
Address-collecting spam robots don't know how to crack ROT13. Do you?
It seems to me that sooner or later these two government projects are going to come into conflict and it will be very interesting to see who comes out on top.
Commercial antivirus companies have already bent over and prevented their products from showing COMMERCIAL spy-trojans on scan... (ie, the ones used to spy on employees)
What makes anyone think they won't do the same for the FBI? Simply put, they will.
The answer, of course, is free software. If we had a free software virus scanner/remover, that was completely open source, such tomfoolery would be impossible (so long as you knew how to read the code, or could get someone to do it for you, not that hard to do in the Linux community)
Open source=accountability.
This is why I'm concerned that this sort of thing will end up playing into Microsoft's hands, in getting an increasingly paranoid government, that is absolutely determined to outgun it's citizens in every aspect of life, to get free software made illegal..
Imagine it being ILLEGAL to posess a true open source operating system because it would be the legal equivalent of having a private nuclear bomb.
This is not so farfetched, as a networked computer that the government cannot monitor nor break into is as great a threat to our ever paranoid government AS a nuclear bomb in the hands of a private citizen. The precedent proof is in the fact that the government has made the ownership of weapons that would allow resistance to it illegal (had the same been true in 1776 the revolution would never have suceeded).
I think all who value freedom should oppose a government from being able to impose restrictions on citizens that it will never place on itself, IE, the fact that the GOVERNMENT is allowed to have strong encryption, unhackable (or so they think) computers, networks, etc, to hide information, but that private citizens should not.
How many crimes comitted by our government are hidden in encrypted files on government computers that will never EVER be discovered? Why should we trust a "justice system" that in the past decade has massacred more people without cause (Waco, Ruby Ridge) than at any point since the civil war?
Unlike the days of Woodward and Bernstein, it's likely our government's worst crimes aren't written on paper to find, they are stored encrypted in a computer somewhere. Which means, unless the citizens are allowed to install trojans to go on "fishing" expeditions through our government computers, we will never know.
But, as our government is saying to us, I'll say to them "if you've done nothing wrong, you have NOTHING to fear, right?"
In this, the government is non-partisan. Janet Reno presided over those aforementioned massacres, and John Ashcroft is pushing the current horror. All the more reason to abandon our one-party Demopublicans and vote Libertarian.
=== The price of freedom is eternal vigilance
Now, if they ( the ever ubiquitous "they" ) were putting drugs ( got soma? ) into the water, then it'd be more similar to BNW, but instead it's the Government furthering it's ability to monitor the activities of it's citizen's, which strikes me as much more Orewllian.
Okay, back to your regulary scheduled MS sucks/Linux rules/I hate Katz ranting.
Remember, "a gramme is better than a damn!" :)
---
Segmentation Fault ( core dumped )