FBI Dad's Misadventures With Spyware Exposed School Principal's Child Porn
nonprofiteer writes "This is a crazy story. An FBI agent put spyware on his kid's school-issued laptop in order to monitor his Internet use. Before returning the laptop to the school, he tried to wipe the program (SpectorSoft's eBlaster) by having FBI agents scrub the computer and by taking it to a computer repair shop to be re-imaged. It somehow survived and began sending him reports a week later about child porn searches. He winds up busting the school principal for child porn despite never getting a warrant, subpoena, etc. The case was a gift-wrapped present, thanks to spyware. A judge says the principal has no 4th Amendment protection because 1. FBI dad originally installed spyware as a private citizen not an officer and 2. he had no reasonable expectation of privacy on a computer he didn't own/obtained by fraud."
...the spyware surviving a cleaning by a computer repair shop and the FBI...
Do not look into laser with remaining eye.
Shouldn't the shop that supposedly "re-imaged" it be busted for fraud? One also might wonder why an FBI agent is using internal FBI resources to "scrub" a non-FBI machine that isn't part of an investigation. Finally, these morons don't know about DBAN???
So let me guess: the guy's name is Stan, the kid's name is Steve and the principal is called Brian?
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Every law enforcement parent will install spyware on his kids' school computers and "forget" to remove the spy software.
The story enclosed within this one is that (a) the FBI is unable to effectively scrub FBI spyware installed by an FBI agent, and (b) the computer repair shop charged an FBI agent to scrub and reimage a laptop, and then apparently just moved it from the To Do shelf to the Done shelf.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I was originally going to post that TFA makes it clear that this was a case of a person who happened to be employed by the FBI, finding himself in this situation, but is just described by TFS as "an FBI agent" — it made me wonder whether someone should be defined by their employer.
It rather broke down for me when TFA starts saying how he got "all flashy with his FBI badge" to investigate, rather than just reporting it to the police — is this really still just someone acting as a father?
The principal was a moron for using a school computer. If it was his own computer then a search warrant would apply.
a cop kicks a door in and finds pot.
Cop to judge: "I did it as a private citizen!"
Judge: "Ok then. This is admissible."
So, I wonder what would happen to me if I shot that cop busting down my door as a "private citizen"?
It doesn't matter anyway. When it comes to child porn, taxes, drugs or terrorism, you are guilty until proven innocent. Where are the Ben Franklin dressed Teapartiers? Why aren't they out there preaching their message about freedom over this erosion of our liberties? Or is it that folks are so afraid of being on the side of a consumer of child porn that they won't dare say anything?
Here it is folks the slippery slope and it's happening.
I hear 90% of all statistics are made up.
FBI agents AND a computer repair shop couldn't wipe a disk?
Not buying it.
https://www.accountkiller.com/removal-requested
I won't lie: any day one of these child porn scumbags is caught is a good day. Even so, the story makes no sense. The FBI doesn't know how to remove spyware? Any technician worth their salt would run DBAN and that would be the end of it. Yet the FBI went through what sounds like a two-step process to wipe this thing, yet failed? I'm not buying it. At the same time though, I have no idea why this guy would have any reason to suspect that the principal would immediately start using his son's laptop upon return, nor any reason to think he was looking at child porn. This story is such a hodgepodge of plausible and impossible... I need a freaking drink.
Only about 70% of the time.
Lost at C:>. Found at C.
> by having FBI agents scrub the computer and by taking it
> to a computer repair shop to be re-imaged.
wow..... um.... I am really curious as to how it did this. Something smells fishy. I can understand it surviving a "scrub", since anyone who does systems work should know that there are many places in a modern OS to hide, and unless you know exactly what it does and how it hides, it's impossible to say for sure a system has been cleaned.
However, the pc shop? maybe they didn't really "re-image" it, but instead did their own quick "scrub" and ran something like sysprep?
Otherwise maybe they just did a reinstall from a hidden factory reinstall partition? I could see something hiding up in there but....
I dunno, it seems like it HAS to be something along one of those lines. Aside from that...if it really was incidental...well.... accidents do happen, and sometimes they end up biting the best possible people.
In any case, I think the circumstances do sound fishy, and in no way should what he caught excuse what he did if it wasn't accidental, so there should be serious investigation into that too....but I could see that just turning up technical incompetence rather than malfeasance....
That is, unless it turns up fraud on the part of the PC Repair shop.... very likely they did not do the job they were paid to do.
"I opened my eyes, and everything went dark again"
The "FBI" didn't wipe his computer. He simply asked his co-workers for some help. Apparently neither he nor they were particularly tech-savvy so he took it to a computer shop. He probably asked the shop owner to remove "all of my kid's games and stuff". I imagine that this spyware tries to mask itself so that kids can't just find it and uninstall it. The shop owner probably just uninstalled all of the "games and stuff" and then returned it.
The problem is that a person who was so confused by removing software that he had to go to a "computer shop" is trying to tell you what he did. He didn't get the FBI to clean the machine, he simply asked his co-workers who didn't know either. This also happened in Saipan, not New Jersey. The FBI has a small office, not a high tech lab.
The FBI agent screwed up by not notifying authorities immediately (he tried to solve the case himself), but he was probably concerned that the evidence wouldn't hold up in court. Lucky for everyone, the Judge seems like he was willing to stretch the letter of the law to punish a clearly guilty man.
The main way that rootkits survive a total hard disk format is because they're running at the time - any decent rootkit is more than able to stop a simple format from removing it simply by intercepting any parts of the format which target it, and returning OK signals. They'll usually survive a low level format in the same manner. "What's that? You want to change one of my bits to 0? Okay.. umm.. Done! *cough*". You can generally reliably remove rootkits by taking the drive out, putting it into an external drive bay (so it's not present on a PC while booting), connecting the drive when your PC is started up and then formatting it with none of its code executing.
:P
However, if the FBI or PC store simply formatted it through, say, re-formatting the drive by running the Windows setup disk, then a kernel level rootkit would happily stay intact in this manner. In fact, to spot it, you'd really have to use some imaging software with comparison checksums so that after the imaging it can make sure everything is as it should be. While the rootkit can happily inform that "nothing is there", it can't predict what should be there in an imaged drive, and would be caught out that way. However - that's not how 99% of us format drives, especially since most don't have MD5'd images of other people's hard disks, or don't put them in external caddies before doing so.
"The true measure of a person is how they act when they know they won't get caught." - DSRilk
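The checksum comparison the comment above describes, as an added example that is not code from the original thread: a manifest of per-block SHA-256 hashes is taken from the known-good image, the drive is read back from clean boot media (so nothing on the drive is executing), and any block whose hash no longer matches the manifest is reported. The block size, the golden image and the tampered block are constructed sample data for the demo.

```python
import hashlib
from typing import Dict, List

BLOCK = 512  # constructed block size for the demo; a real check uses the sector size

def block_hashes(data: bytes, block: int = BLOCK) -> List[str]:
    """SHA-256 of every fixed-size block: the manifest of what *should* be on disk."""
    return [hashlib.sha256(data[i:i + block]).hexdigest()
            for i in range(0, len(data), block)]

def verify_image(read_back: bytes, manifest: List[str], block: int = BLOCK) -> Dict:
    """Compare bytes read back from the drive against the manifest.

    Read the drive from clean boot media so no code on the drive is running;
    a resident rootkit can answer "nothing here", but it cannot know which
    block hashes the manifest holds, so any block it altered shows up here.
    """
    actual = block_hashes(read_back, block)
    bad = [i for i, (a, m) in enumerate(zip(actual, manifest)) if a != m]
    size_ok = len(actual) == len(manifest)
    return {"clean": size_ok and not bad, "mismatched_blocks": bad, "size_ok": size_ok}

# Constructed sample data: a 16-block "golden" image, and a copy of it with one
# block modified after imaging, standing in for a file that resident code
# re-dropped onto the freshly imaged system.
GOLDEN_IMAGE = b"".join(bytes([i]) * BLOCK for i in range(16))
MANIFEST = block_hashes(GOLDEN_IMAGE)

def tampered_copy(image: bytes, block_index: int, block: int = BLOCK) -> bytes:
    """Overwrite one block of the image with constructed 'dropped file' bytes."""
    start = block_index * block
    patch = b"DEMO-DROPPED-FILE".ljust(block, b"\x00")
    return image[:start] + patch + image[start + block:]

def demo() -> Dict:
    """Run the check on both the pristine copy and the tampered copy."""
    return {
        "pristine": verify_image(GOLDEN_IMAGE, MANIFEST),
        "tampered": verify_image(tampered_copy(GOLDEN_IMAGE, 9), MANIFEST),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check only covers what is on the disk; a component living in BIOS/EFI or drive firmware, as a later reply points out, is outside the manifest entirely.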
"Don't believe everything you read on the Internet." - Abraham Lincoln
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
All newly sold computers in the United States will actually be pre-owned by FBI agents' family members. Full story at eleven.
The main way that rootkits survive a total hard disk format is because they're running at the time - any decent rootkit is more than able to stop a simple format from removing it simply by intercepting any parts of the format which target it, and returning OK signals. [...] if the FBI or PC store simply formatted it through, say, re-formatting the drive by running the Windows setup disk, then a kernel level rootkit would happily stay intact in this manner.
If they used the Windows setup disk to nuke the drive, how did the rootkit get on the DVD? How did the rootkit stay running after a reboot? You're almost on the right track, but BIOS/EFI infection is the answer you're looking for (or HDD firmware). The rootkit has to be running before any OS boots up. Even a boot-sector virus won't survive a disk-wipe, so there had to be a re-infection method.
Everyone seems to be assuming at least one of two things: 1. That the FBI is lying about not knowing how to remove software. 2. That the computer repair shop he took it to lied and didn't do the work. While both are possible, they aren't the only explanations. First of all, not every member of the FBI is an IT professional. They probably have plenty of tech-illiterate employees in their ranks. I have met a lot of people that are geniuses when it comes to their own trade but are absolutely helpless the second their PC has a problem. It isn't everyone's forte. Secondly, just because the shop he took it to failed to remove the software doesn't mean it was straight up fraud. Believe me when I say that some computer repair "professionals" really are that incompetent. My guess would be that the place was disorganized and the machine ended up in their "finished" queue without being worked on, or the tech that worked on it didn't know the difference between an actual reimage and a repair install or in-place upgrade.
You can generally reliably remove rootkits by taking the drive out, putting it into an external drive bay (so it's not present on a PC while booting), connecting the drive when your PC is started up and then formatting it with none of its code executing.
Why go through that much trouble?
Just stick a bootable optical disk with formatting tools on it in, boot from it, and then format the infected drive. No code from the drive will be running so any rootkit on the drive will be overwritten.
I don't know how the Windows setup disk works, but I find it hard to believe it'd start running the kernel that's on the disk drive that you want to format. Certainly a Linux install disk would work just fine.
A BIOS rootkit would be a different kettle of fish.
The enemies of Democracy are
They can't unless you provide the system image from the MFG or have your own system image, or have your own software discs, licenses, etc.
... or they download the generic Windows ISOs from Microsoft, which can be activated with any valid key.
That's what I do, anyway.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Dear random slashdot user,
The government isn't out to get you. They have better things to do. This story is anecdotal and at best a good laugh since some good came from it. Please refrain from making generalized statements about things you know zero about.
Thanks,
People who actually have dealt with the FBI