Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Secret History of the FBI's Classified Spyware

Posted by timothy on from the but-we-just-want-to-peek dept.

An anonymous reader writes "A sophisticated FBI-produced spyware program has played a crucial behind-the-scenes role in federal investigations into extortion plots, terrorist threats and hacker attacks in cases stretching back at least seven years, according to newly declassified documents obtained by Wired.com. The so-called 'computer and internet protocol address verifier,' or CIPAV, is delivered through links to websites controlled by the FBI, and it silently reports back to a government server in Virginia. Among other cases, the FBI used it to track a Swedish hacker responsible for cracking thousands of computers at national labs and NASA's JPL in 2005."

15 of 133 comments (clear)

  1. The Ends Don't Justify The Means by QuantumG · · Score: 4, Insightful

    How is this not breaking the law?

    Breaking the law to enforce the law.. way to piss on justice.

    --
    How we know is more important than what we know.
    1. Re:The Ends Don't Justify The Means by tygerstripes · · Score: 3, Insightful

      In the same way that police regularly assault, kidnap or otherwise harass citizens?

      Look, I'm not saying I disagree with you, but you need to refine the ethics of your argument a bit if you want to make a useful point. Unless you were just hoping to bash out something that sounded relevant in order to FP...

      --
      Meta will eat itself
    2. Re:The Ends Don't Justify The Means by WCMI92 · · Score: 3, Insightful

      "How is this not breaking the law?

      Breaking the law to enforce the law.. way to piss on justice."

      I've always been skeptical about this and other tricks used by the FBI and other law enforcement. The Constitution is QUITE clear that a search of private property requires a warrant.

      Another thing that has always bothered me is that law enforcement lying to citizens is routine and legal, but lying to law enforcement is a crime (even if you don't know the person you are talking to is law enforcement).

      Seems to me that if the government wants us to respect the FAR too many laws on the books that it should start following them itself. And that starts with respecting the Constitution.

      --
      Corporatism != Free Market
    3. Re:The Ends Don't Justify The Means by bconway · · Score: 4, Informative

      RTFA.

      But the documents released Thursday under the Freedom of Information Act show the FBI has quietly obtained court authorization to deploy the CIPAV in a wide variety of cases, ranging from major hacker investigations, to someone posing as an FBI agent online.

      --
      Interested in open source engine management for your Subaru?
    4. Re:The Ends Don't Justify The Means by Shakrai · · Score: 4, Insightful

      So if they obtained court authorization to deploy Sarin gas that'd be ok too right?

      Wow, hyperbole much? How is installing software on someones computer with court authorization to monitor their behavior any different from using the warrant to obtain a wiretap or using it to search their home and possessions?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    5. Re:The Ends Don't Justify The Means by rackserverdeals · · Score: 4, Funny

      Wow. You totally sidestepped the Sarin gas question.

      You must think it's ok to eat babies too.

      --
      Dual Opteron < $600
    6. Re:The Ends Don't Justify The Means by Shakrai · · Score: 5, Funny

      Only if you season them right :)

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    7. Re:The Ends Don't Justify The Means by vertinox · · Score: 3, Insightful

      How is installing software on someones computer with court authorization to monitor their behavior any different from using the warrant to obtain a wiretap or using it to search their home and possessions?

      I think the problem is that they posted the monitoring tool to a website where anyone could come across and get infected and get monitored.

      In those instances, there was no prior suspicions that is needed for a warrant. You cannot randomly search 100 people's houses hoping to find a criminal the same way you can't put software out there to find out whether or not these people are the criminal.

      In fact... TFA says the FBI agent was disappointed when the person they hope to infect was not infected so I'm assuming others were who were not the target of the warrant.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
  2. Linux version? by MrKaos · · Score: 4, Funny

    I wonder if they have a Linux version?

    --
    My ism, it's full of beliefs.
    1. Re:Linux version? by srollyson · · Score: 4, Insightful
      This paragraph from TFA is telling:

      In a separate February 2007 Cincinnati -based investigation of hackers who'd successfully targeted an unnamed bank, the documents indicate the FBI's efforts may have been detected. An FBI agent became alarmed when the hacker he was chasing didn't get infected with the spyware after visiting the CIPAV-loaded website. Instead, the hacker "proceeded to visit the site 29 more times," according to a summary of the incident. "In these instances, the CIPAV did not deliver its payload because of system incompatibility."

      Seems like the FBI exploits browser vulnerabilities a la the Pwn2Own contest in order to deliver CIPAV, but CIPAV itself might not run in linux. I suspect that the FBI will have written a linux-compatible CIPAV after the quoted incident. Probably a bash or perl script so they don't have to worry about different architectures.

      On a side note, there was probably some good porn on that page for the hacker to load it 30 times.

  3. Re:RIAA software by WCMI92 · · Score: 5, Insightful

    "FTA :

    "After sending the information to the FBI, the CIPAV settles into a silent "pen register" mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every server to which the machine connects. "

    Let's hope the RIAA doesn't get it's hands on this."

    What I'd like to see is an open source antivirus/antispyware suite that WILL detect this. I own my computer, not the government, therefore I have a right to know what is running on it and to decide what is and isn't going to run on it.

    I don't think it is any of the government's business what websites I go to, what blogs I post on, and for that matter, what porn I download.

    Given some of the scary things coming out of the "O"ministration lately (such as the recent homeland security advisory painting people who support the right to own firearms and who object to the outrageous spending going on as "rightwing extremists" and "potential terrorists" I think I and others have a legitimate fear that we may be targeted for such spyware for political reasons.

    That's why I opposed and still oppose the patriot act... Not because I am against going after the actual JIHADI terrorists who have and are attacking our country, but because government abuse of it and turning it on law abiding citizens was inevitable.

    Note that Obama isn't doing anything to repeal the patriot act (which he used to object to). He wants that power just as much as Bush did.

    --
    Corporatism != Free Market
  4. Nothing essentially wrong here... by rabbitthought · · Score: 3, Informative

    As previously stated, it's not really different from bugging the home or car of a suspected Mafia boss/drug dealer/etc... As long as it's backed up by a court order, of course. It obviously interferes with the right for privacy, but that's why there are mechanisms which should take into account all factors before allowing such interference (i.e. courts and judges). If the system is malfunctioning, it should be fixed - but this doesn't mean that it isn't right. BTW, this CIPAV isn't really news - it's wikipedia page is 2 years old...

  5. Re:RIAA software by WCMI92 · · Score: 3, Interesting

    I don't think you are paranoid and I don't trust them one damn bit not to abuse this neat little toy that the FBI has. My point was meant to respond to all the people who are claiming that the FBI shouldn't even have this toy -- would it really bother if you it was used in conjunction with a warrant to monitor a Tony Soprano?

    I'm not saying they shouldn't have it and that it shouldn't be used WHEN proper authorization is obtained in accordance with the Constitution, WITH proper supervision, and LIMITED, as the 4th Amendment requires, to "particularly describing the place to be searched, and the persons or things to be seized". It sounds to me from the article that the FBI is capturing ALL activity with this, even that which is unrelated to their authorized investigation. There is no way that is within the letter or spirit of the 4th Amendment.

    The "right wing extremists" report was extremely troubling. It was a whole bunch of "coulds" with no specific information and a warning to watch out for returning veterans and firearm owners. WTF?

    Well, the current administration has grabbed more power in 3 months than the government has in 30 years. Clearly, they are afraid that opposition to that (and future planned power grabs) is going to do nothing but grow, and that it's naturally going to come from the people who would be classified as being "from the right" and the people they will naturally have to FEAR (and government fear of the people as an incentive to obey the Constitution's restrictions on their power IS the actual purpose of the 2nd Amendment) are people who own firearms.

    I know it sounds crazy, and hopefully is, but when you combine the "perfect storm" of a major economic crisis, single party control of government, and a desire to impose more central control (healthcare, industry, etc) with the patriot act which gives that single party the actual AUTHORITY to investigate and even arrest their opposition on a whim we very well might be the closest we've ever been to a Hugo Chavez type authoritarian coup.

    And watching the major media drool over "Dear Leader" to the extent that they do is disgusting. What happened to the skepticism and criticism of the government? Is there not just as much a need for journalists to investigate Obama as they did Bush, especially when he's asking for unprecedented power and control? Or does it matter only when the agenda doesn't suit the personal beliefs of the media?

    --
    Corporatism != Free Market
  6. The Comments Don't Match the Article. by Eevee · · Score: 5, Informative

    The Constitution is QUITE clear that a search of private property requires a warrant.

    From the fine article, emphasis added by me: "But the documents released Thursday under the Freedom of Information Act show the FBI has quietly obtained court authorization to deploy the CIPAV in a wide variety of cases, ranging from major hacker investigations, to someone posing as an FBI agent online."

    And from further down in the article: "The FBI obtained a warrant to use the CIPAV on February 10, 2005, and was apparently successful."

  7. Re:But if it works based on clicking links... by work90usdfjsldf9 · · Score: 3, Informative

    *Sigh* Please RTA.

    One person was sent the URL in a private myspace chat. Another was trying to extort the cable companies and had given them a private URL (presumably something like www.comcast.com/skldflksdf/freemoney4me.html) to post their response to. The FBI then set up that page to use a browser exploit to install the logger.

    All instances were done under court order with almost the same restrictions and provisions a normal wiretap would have.