Slashdot Mirror


FBI Remotely Installs Spyware to Trace Bomb Threat

cnet-declan writes "There have been rumors for years about the FBI remotely installing spyware via e-mail or by exploiting an operating system vulnerability from afar — and now there's confirmation. Last month, the FBI obtained a federal court order to remotely install spyware called CIPAV (Computer and Internet Protocol Address Verifier) to find out who was behind a MySpace account linked to bomb threats sent to a high school near Olympia, Wash. News.com has posted a PDF of the FBI affidavit, which makes for interesting reading, and a summary of the CIPAV results that the FBI submitted to a magistrate judge. It seems as though CIPAV was installed via e-mail, as an article back in 2004 hinted was the case. In addition to reporting the computer's IP address, MAC address, and registry information, it also gave the FBI updates on which IP addresses the user(s) visited. But how did the FBI get the spyware activated and past anti-virus defenses? Two obvious ways are for the Feds to find and exploit their own operating system backdoors, or to compromise security vendors..."

5 of 325 comments

  1. Re:Where's the provision for any federal police sq by Attila+Dimedici · · Score: 2, Informative

    Congress does a lot of things that are not authorized in the Constitution: Social Security, Department of Education, and on and on. Many of them are "good" things. Personally, I heard a suggestion a couple of years ago that I think would be a great idea: before Congress can consider any Bill, it must contain a clause which states where in the Constitution Congress is given the authority to legislate on this particular topic. This would eliminate a lot of laws from even being considered and make it easier to determine the Constitutionality of a law. If said clause of the Constitution does not actually extend said authority, the judge can readily declare it unconstitutional, and if Congress wants to authorize it based on some other clause of the Constitution, they can start over.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  2. Read the real version of the story by Anonymous Coward · · Score: 5, Informative

    Declan not only ripped this story off from Wired without attribution, he got it wrong. There's no way the police could have emailed the tracking software to the kid as an attachment. Myspace doesn't allow attachments. Want to see the real story with real reporting? Try the original story here: http://www.wired.com/politics/law/news/2007/07/fbi_spyware

  3. NSAKEY by bill_mcgonigle · · Score: 3, Informative

    ... FBI (and some if-it-will-save-one-child-it-is-worth-it legislators) demand that all the OS vendors install backdoors so that it can come in and install whatever spyware it wants to be installed?

    Where have you been?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  4. NSAKEY by Kadin2048 · · Score: 4, Informative
    Microsoft denied it, they said that the key's variable name being called "NSAKEY" was just an ... uh, you know ... coincidence.

    http://en.wikipedia.org/wiki/NSAKEY is a good primer.

    It was covered extensively at the time by the likes of Bruce Schneier and others, his comments said:

    Suddenly there's a flurry of press activity because someone notices that the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

    I don't buy it.

    First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, or 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption by attacking the random number generator than it is to brute-force the key.

    Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.

    Third, why in the world would anyone call a secret NSA key "NSAKEY"? Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.
    I think the jury is still out on exactly what was really going on; if it was an NSA backdoor, it was a pretty boneheaded one. Alternately, if it was just Microsoft being redundant, then it shows that they didn't plan very well and don't seem to understand security very well. Given the choice between the two, I think boneheadedness on MS's part is more likely.
    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  5. Re:Occam's razor at work by PPH · · Score: 2, Informative

    Assumption 1: He doesn't know jack about computer security like 99% of the users out there and simply clicks everything sent to him.
    Most likely the case.

    However:

    Assumption 2: The FBI keeps a hole open in Windows that only they know about.
    Why is Microsoft's DoJ settlement supervised by a FISA court judge (Kathleen Kotar-Kelly)? These judges are the only ones cleared to review cases where espionage techniques may be revealed and there is a need to keep such information out of the public record.

    Assumption 3 includes that every AV vendor on this planet knows about the hole/malware and keeps his mouth shut.
    AV vendors implement searches for 'well-known' viruses: stuff that is widely propagated by script kiddies or phishing attacks that depend on wide distribution so that a minute response rate will be profitable. Professionally written spyware that is designed to be targeted to individuals or small groups is rarely detected. It isn't particularly difficult to tweak spyware to evade AV scans as long as you don't have to distribute millions of copies.

    Assumption 1 is probably correct, but don't count on AV software to protect you if the FBI wants to peek at your system. You could lock down your system so as not to be susceptible to e-mail or web page attacks, but that cripples a Windows system to the point of being unusable for the sorts of things most MySpace users value.

    --
    Have gnu, will travel.
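The point PPH makes about AV signatures, illustrated as an added example that is not part of the thread and not code from any real product: a byte-pattern signature derived from a widely collected sample matches that sample, misses a build retargeted for one victim, and, once the only invariant part of the tool is encoded at rest, misses everything. The "builds", host names, report template and the XOR key are all constructed stand-ins with no connection to CIPAV or any vendor's detection logic.

```python
"""Added example: signature-based scanning versus a per-target build.
Every sample and signature below is constructed for illustration."""

import re

# Constructed stand-in for the "mass" build of a hypothetical reporting
# tool: a fake header, then the string constants the tool uses to phone
# home. This is the build an AV vendor would have in its collection.
MASS_BUILD = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"POST /report HTTP/1.1\r\nHost: collector.example.net\r\n"
    + b"ip=%s&mac=%s&visited=%s" + b"\x00" * 8
)


def retarget(sample: bytes, old_host: bytes, new_host: bytes) -> bytes:
    """Rebuild the sample for one target by swapping the collection host.
    Same code, same behaviour, different bytes on disk."""
    return sample.replace(old_host, new_host)


def xor_at_rest(sample: bytes, plain: bytes, key: int) -> bytes:
    """Store a string constant XOR-encoded; a real build would decode it
    in memory at run time, so nothing scanning the file sees the plaintext."""
    encoded = bytes(b ^ key for b in plain)
    return sample.replace(plain, encoded)


# Build 2: one victim, one new host (constructed).
TARGETED_BUILD = retarget(MASS_BUILD, b"collector.example.net", b"c1.example.org")

# Build 3: same as build 2 with the whole report template encoded at rest.
TEMPLATE = (b"POST /report HTTP/1.1\r\nHost: c1.example.org\r\n"
            b"ip=%s&mac=%s&visited=%s")
OBFUSCATED_BUILD = xor_at_rest(TARGETED_BUILD, TEMPLATE, 0x5A)

# Signature 1: exact bytes taken from the sample the vendor holds.
EXACT_SIG = b"Host: collector.example.net\r\nip=%s&mac=%s"

# Signature 2: anchored on the report format (which must stay constant for
# the tool to work) with the host left as a wildcard. A better signature,
# but still a signature over bytes on disk.
GENERIC_SIG = re.compile(rb"Host: [A-Za-z0-9.\-]+\r\nip=%s&mac=%s&visited=%s")


def scan_exact(sample: bytes) -> bool:
    return EXACT_SIG in sample


def scan_generic(sample: bytes) -> bool:
    return GENERIC_SIG.search(sample) is not None


def scan_all() -> dict:
    """Run both signatures over the three builds; True means 'detected'."""
    builds = {"mass": MASS_BUILD, "targeted": TARGETED_BUILD,
              "obfuscated": OBFUSCATED_BUILD}
    return {name: (scan_exact(b), scan_generic(b)) for name, b in builds.items()}


if __name__ == "__main__":
    for name, (exact, generic) in scan_all().items():
        print(f"{name:11s} exact={exact!s:5s} generic={generic}")
```

The exact signature catches only the sample the vendor already has; the wildcard signature also catches the retargeted build but fails once the template is encoded at rest, which is a one-line change for whoever ships the tool. That asymmetry is why a tool built for one recipient, and never seen by a vendor, is not something to expect a signature scanner to flag.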