<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/">
<channel>
<title>Techdirt. Stories about &quot;mcafee&quot;</title>
<description>Easily digestible tech news...</description>
<link>http://www.techdirt.com/</link>
<language>en-us</language>
<image><title>Techdirt. Stories about &quot;mcafee&quot;</title><url>http://www.techdirt.com/images/td-88x31.gif</url><link>http://www.techdirt.com/</link></image>
<item>
<pubDate>Fri, 26 Apr 2013 13:18:00 PDT</pubDate>
<title>McAfee Patents System To 'Detect And Prevent Illegal Consumption Of Content On The Internet'</title>
<dc:creator>Glyn Moody</dc:creator>
<link>http://www.techdirt.com/articles/20130425/10070222836/mcafee-patents-system-to-detect-prevent-illegal-consumption-content-internet.shtml</link>
<guid>http://www.techdirt.com/articles/20130425/10070222836/mcafee-patents-system-to-detect-prevent-illegal-consumption-content-internet.shtml</guid>
<description><![CDATA[ <p>
As a post on the French site Numerama reminds us (<a href="http://www.numerama.com/magazine/25775-mcafee-brevette-un-logiciel-hadopi.html">original in French</a>), the department responsible for implementing the three-strikes plan known as HADOPI was also supposed to provide Internet users with information about technical solutions to reduce infringement.  That never happened -- instead, the body has preferred to send out warning messages on a massive scale and to seek convictions, even of those who are <a href="https://www.techdirt.com/articles/20120913/06550920370/first-hadopi-victim-convicted-not-his-own-infringement-because-his-wife-downloaded-songs.shtml">innocent</a>. But in the meantime, the US company <a href="http://www.google.com/patents/WO2013055564A1?cl=en">McAfee seems to have obtained a patent on just the kind of thing the French law originally had in mind</a>:

<i><blockquote>Disclosed are systems and methods for preventing (or at least deterring) a user from inadvertently or directly consuming illegal content on the Internet. For example, determine when a user might visit a site distributing illegal content (i.e., material in violation of a copyright or otherwise inappropriately distributed) and presenting a warning to the user prior to navigating to the identified inappropriate distribution site.</blockquote></i>

Of course, there are a couple of big issues here.  First, who determines whether content is illegal?  As Techdirt has reported many times, the only people who can give a definitive answer are judges: anything else is likely to be plagued with errors and arbitrary decisions. Since an ad-hoc system would naturally err on the side of caution, this would inevitably lead to perfectly legitimate sites being miscategorized and thus starved of visitors.
</p>
<p>
Secondly, even leaving aside that issue, how will the McAfee system "determine" when a user might be visiting a site distributing allegedly illegal content?  The patent application describes one particularly dangerous approach:

<i><blockquote>Various embodiments, described in more detail below, provide a technique for performing a check of a distribution source prior to allowing its content to be downloaded. The implementation could utilize a "cloud" of resources for centralized analysis. Individual download requests interacting with the cloud need not be concerned with the internal structure of resources in the cloud and can participate in a coordinated manner to distinguish potential threatening "rouge hosts" and "authorized distributions" on the Internet.</blockquote></i>

As that makes clear, the proposed system would basically spy on everything you type into your Web browser, sending off full details of your requests to the cloud for analysis, where they would be checked in some way -- for example, against blacklists or whitelists.  The results of that check would be sent back to your system, which might then place suitably dire warnings on your screen about the dangers of proceeding.
</p>
<p>
Clearly, that is a gross violation of privacy, with huge potential dangers.  For a start, the centralized analysis system that the McAfee patent speaks of would be the perfect place to check up on everything that a person was doing on their computer, since all Internet requests would be routed through it.  That makes it even easier than it is today for the authorities, who would no longer have to go to several Internet service companies in order to spy on users without the latter being aware of the fact.
</p>
<p>
Naturally, such issues of censorship and surveillance wouldn't worry the copyright companies in the slightest.  If such a system were available, they would doubtless push hard for ISPs to adopt it -- perhaps on a purely "voluntary" basis, just like the new "<a href="https://www.techdirt.com/articles/20130222/14191722072/six-strikes-officially-begins-monday.shtml">six strikes</a>" system in the US.  Indeed, I'd be surprised if they aren't already having discussions with McAfee on how they can work together for their mutual benefit here.
</p>
 ]]></description>
<slash:department>that'll-work</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20130425/10070222836</wfw:commentRss>
</item>
<item>
<pubDate>Thu, 2 Aug 2012 12:53:25 PDT</pubDate>
<title>The Stats Used To Support Cybercrime 'Threats' Just As Bogus As Hollywood's 'Loss' Claims</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120802/02474519915/stats-used-to-support-cybercrime-threats-just-as-bogus-as-hollywoods-loss-claims.shtml</link>
<guid>http://www.techdirt.com/articles/20120802/02474519915/stats-used-to-support-cybercrime-threats-just-as-bogus-as-hollywoods-loss-claims.shtml</guid>
<description><![CDATA[ While the latest attempt to pass a cybersecurity bill may be <a href="http://www.techdirt.com/articles/20120802/10251419917/cybersecurity-act-rejected-senate.shtml">on ice</a> for now, it'll be back... and with it there will be a lot more hyperbole about how urgent this is because of various massive "losses" already happening due to cybersecurity problems.  Of course, nearly all of the numbers and claims you hear will be 100% bogus.
<br /><br />
For years, we've highlighted stories about how the claims of "losses" from the entertainment industry due to infringement are <a href="http://www.techdirt.com/articles/20120104/04545217274/cato-institute-digs-into-mpaas-own-research-to-show-that-sopa-wouldnt-save-single-net-job.shtml">completely fictitious</a>.  In the past, we've seen Julian Sanchez <a href="http://www.techdirt.com/articles/20100801/17431810439.shtml">go on a hunt</a> to find the origin of some of the numbers being thrown around, and come up with evidence that they're based on nothing.  For example, claims of $200 billion in losses due to counterfeiting... came from a 1993 Forbes article that just makes that claim with no citation and no backing info.  But it became gospel among those arguing there was a problem.
<br /><br />
With Congress and the President continuing to insist that we need a cybersecurity bill, politicians have been tossing around all sorts of questionable numbers.  Just a few weeks ago, we noted that General Keith Alexander, the head of the NSA, had tossed out some numbers and claimed that cybersecurity was the <a href="http://www.techdirt.com/articles/20120711/01291419657/nsa-chief-says-nsa-doesnt-need-access-to-your-info-as-whistleblowers-say-theyre-already-getting-it.shtml">"greatest transfer of wealth in history."</a>  Considering that we're living through the aftermath of a financial meltdown that involved a <i>massive</i> transfer of wealth, I find the original claim difficult to believe.  Plus, as we noted, he seemed to only cite studies from McAfee and Symantec, two companies who have a massive vested interest in keeping the cybersecurity FUD going, because it helps them sell stuff.
<br /><br />
Thankfully, the folks over at Pro Publica decided to take a much closer look at the numbers politicians are relying on in support of the massive "harm" that is already being caused by online security issues... and discovered that <a href="http://www.wired.com/threatlevel/2012/08/cybercrime-trillion/all/" target="_blank">the numbers are completely and totally bogus</a>.  In fact, the full story (which is fascinating) parallels (very closely) the story with "piracy" stats from the industry.
<br /><br />
One popular number is "$1 trillion" in losses due to cybersecurity breaches.  That number gets thrown around <i>a lot</i> by politicians (and many in the press who merely parrot such numbers unquestioningly, even as that gives those politicians more cover to claim that there's a reputable source supporting the number).  Yet, the Pro Publica report highlights that, not only is this number bogus, but the (quite well respected) researchers who put together the original report for McAfee <b>did not use that number</b> and, more importantly, many of them spoke out publicly with surprise that McAfee put out a press release with such a number -- which they thought was questionable and not supported by their data.
<br /><br />
In fact, there were a number of methodological problems, including that the data was based on a self-reported "average" amount of the "worth of sensitive information stored in offshore computer systems."  Who knows if the respondents are being accurate, first of all, but even more to the point, the "worth" of such information is a highly subjective number.  People can find something "worthwhile" without paying for it, but by focusing on the "worth," they obscure the fact that the market price may be quite different than what people think something is worth.  And, what people think something is worth has <i>zero</i> impact on any actual losses.  But, from a very small number, McAfee just sprinkled some magic pixie dust on the already questionable number, and proceeded to extrapolate, massively:
<blockquote><i>
&#8220;The companies surveyed estimated they lost a combined $4.6 billion worth of intellectual property last year alone, and spent approximately $600 million repairing damage from data breaches,&#8221; the release said. &#8220;Based on these numbers, McAfee projects that companies worldwide lost more than $1 trillion last year.&#8221; The release contained a quote from McAfee&#8217;s then-president and chief executive David DeWalt, in which he repeated the $1 trillion estimate. The headline of the news release was &#8220;Businesses Lose More than $1 Trillion in Intellectual Property Due to Data Theft and Cybercrime.&#8221;
<br /><br />
The trillion-dollar estimate was picked up by the media, including Bloomberg and CNET, which expressed no skepticism.
</i></blockquote>
Now, remember, this $1 trillion number is just in the press release.  <b>It's not in the report at all</b>.  And the report's researchers were just as baffled (and even more concerned) about this:
<blockquote><i>
Among [the study's researchers] was Ross Anderson, a security engineering professor at University of Cambridge, who told ProPublica that he did not know about the $1 trillion estimate before it was announced. &#8220;I would have objected at the time had I known about it,&#8221; he said. <b>&#8220;The intellectual quality of this ($1 trillion number) is below abysmal.&#8221;</b>
<br /><br />
.... The company&#8217;s method did not meet the standards of the Purdue researchers whom it had engaged to analyze the survey responses and help write the report. In phone interviews and emails to ProPublica, associate professor Jackie Rees Ulmer said she was disconcerted when, a few days before the report&#8217;s unveiling, she received a draft of the news release that contained the $1 trillion figure. &#8220;I expressed my concern with the number as we did not generate it,&#8221; Rees Ulmer said in an email. She added that although she couldn&#8217;t recall the particulars of the phone conversation in which she made her concerns known, &#8220;It is almost certainly the case that I would have told them the number was unsupportable.&#8221;
<br /><br />
...The news stories got the worried attention of some of the report&#8217;s contributors because McAfee was connecting their names to an estimate they had no previous knowledge of and were skeptical about. One of the contributors, <a href="http://blog.securitybalance.com/2009/02/unsecured-economies-report">Augusto Paes de Barros</a>, a Brazilian security consultant, blogged a week after the news release that although he was glad to have been involved in the report, &#8220;I could not find any data in that report that could lead into that number.... I&#8217;d like to see how they found this number.&#8221;
</i></blockquote>
I don't know about you, but when a super well respected security researcher tells you that the basis of a particular claim is based on a number whose "intellectual quality ... is below abysmal," that's the point at which you should probably stop using the number.  But, instead, politicians and the press continue to parrot the line over and over again.
<br /><br />
The slightly smaller number, from Symantec, is still equally questionable.  They go with $250 billion... but the number has almost no support.  It does come from a real Symantec report, but not from Symantec employees.  Instead, they hired another firm to magically come up with the number, and it sounds like magic would have been equally as effective as what was eventually done.  It raised concerns from actual experts in the field:
<blockquote><i>
&#8220;Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population.&#8221;
</i></blockquote>
Furthermore, even if we take these numbers at face value, the original reports on both of them say these numbers represent the value of the attacks in question, and not what was actually "lost" or how much it cost to deal with.   However, when a politician quotes them, they almost always do so by at least suggesting that these made up "values" are very real "losses" to companies.  In other words, the numbers (shocker, shocker) are being twisted by cybersecurity law supporters.  For example, just recently, Senator Collins said that General Alexander "believes American companies have lost about $250 billion a year," but that's not true.  Already, we know the number is suspect -- but even if we accepted the number, it only represents the "value" that various companies have put on things harmed by security issues, not any sense of actual losses.  Claiming that these are losses isn't just misleading, it's wrong.
<br /><br />
We've argued for years that actual data should inform the debate on these things -- but that data needs to be accurate and supportable.  Unfortunately, with cybersecurity threats, the claims that are being thrown around have no basis in reality.  If politicians really want to discuss the "threat" of cybersecurity, the least they can do is get some accurate research on the scope of the problem.  Trusting a number from a McAfee press release is not credible and it's certainly no basis for passing a law that wipes out privacy rights of the public.
 ]]></description>
<slash:department>but-of-course...</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120802/02474519915</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 11 Jul 2012 09:25:00 PDT</pubDate>
<title>NSA Chief Says NSA Doesn't Need Access To Your Info... As Whistleblowers Say They're Already Getting It</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120711/01291419657/nsa-chief-says-nsa-doesnt-need-access-to-your-info-as-whistleblowers-say-theyre-already-getting-it.shtml</link>
<guid>http://www.techdirt.com/articles/20120711/01291419657/nsa-chief-says-nsa-doesnt-need-access-to-your-info-as-whistleblowers-say-theyre-already-getting-it.shtml</guid>
<description><![CDATA[ The American Enterprise Institute (AEI) recently held <a href="http://www.aei.org/events/2012/07/09/cybersecurity-and-american-power/" target="_blank">an event about cybersecurity and cybersecurity legislation</a>.  The keynote speech was from NSA boss General Keith Alexander.  He of course talked about why he supports cybersecurity legislation, such as CISPA and other proposals that will make it easier for the NSA to access private content from service providers -- much of which, reports claim, they're <a href="http://www.techdirt.com/articles/20120317/00381118147/terrifying-look-into-nsas-ability-to-capture-analyze-pretty-much-every-communication.shtml">already capturing</a> and storing.  Alexander has claimed that the NSA <a href="http://www.techdirt.com/articles/20120321/10182618184/nsa-insists-it-doesnt-have-ability-to-spy-american-emails-texts-etc.shtml">doesn't</a> have "the ability" to spy on American emails and such, and reiterates that claim during the Q&#038;A in this session, insisting that the Utah data center doesn't hold data on Americans' emails (and makes a joke about just how many emails that would be to read).  That's nice for him to say, but so many people with knowledge of the situation claim the opposite.
<br /><br />
In fact, in a story that has received almost no attention, the EFF was able to get <a href="https://www.eff.org/press/releases/three-nsa-whistleblowers-back-effs-lawsuit-over-governments-massive-spying-program" target="_blank">three whistleblowers to speak out on the NSA's massive spying infrastructure</a>:
<blockquote><i>
In a motion filed today, the three former intelligence analysts confirm that the NSA has, or is in the process of obtaining, the capability to seize and store most electronic communications passing through its U.S. intercept centers, such as the "secret room" at the AT&#038;T facility in San Francisco first disclosed by retired AT&#038;T technician Mark Klein in early 2006.
</i></blockquote>
So it's interesting to pay attention to what Alexander has to say in pushing for cybersecurity legislation.  You can watch the full video below, if you'd like:
<center>
<object id="flashObj" width="480" height="270" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,47,0"><param name="movie" value="http://c.brightcove.com/services/viewer/federated_f9?isVid=1&#038;isUI=1" /><param name="bgcolor" value="#FFFFFF" /><param name="flashVars" value="videoId=1727929528001&#038;playerID=684720698001&#038;playerKey=AQ~~,AAAAnrehDVE~,w91IT6IapG54cV-cir05eT1Zcztug5b0&#038;domain=embed&#038;dynamicStreaming=true" /><param name="base" value="http://admin.brightcove.com" /><param name="seamlesstabbing" value="false" /><param name="allowFullScreen" value="true" /><param name="swLiveConnect" value="true" /><param name="allowScriptAccess" value="always" /><embed src="http://c.brightcove.com/services/viewer/federated_f9?isVid=1&#038;isUI=1" bgcolor="#FFFFFF" flashVars="videoId=1727929528001&#038;playerID=684720698001&#038;playerKey=AQ~~,AAAAnrehDVE~,w91IT6IapG54cV-cir05eT1Zcztug5b0&#038;domain=embed&#038;dynamicStreaming=true" base="http://admin.brightcove.com" name="flashObj" width="480" height="270" seamlesstabbing="false" type="application/x-shockwave-flash" allowFullScreen="true" allowScriptAccess="always" swLiveConnect="true" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"></embed></object>
</center>
Much of what he talks about online involves basic malware and hack attacks.  These are definitely issues -- but are they issues that we need the military (which the NSA is a part of) to step in on?  His "quote" line is that these attacks represent the "greatest transfer of wealth in history."  That is a pretty broad statement, and there's almost no evidence to support it.  He points to studies from Symantec and McAfee on the "costs" of dealing with security issues -- but remember, those are two of the biggest sellers of security software, and have every incentive in the world to inflate the so-called "costs."   Also, seriously?  The "greatest transfer of wealth in history"?  Has he paid absolutely no attention to what's happened on Wall Street and the financial world over the past decade?  Does anyone honestly believe that the amount of money "transferred" due to hack attacks is greater than the amount of money transferred due to dodgy financial deals and the mortgage/CDO mess?  That doesn't pass the laugh test.
<br /><br />
He does insist that worse attacks are coming, but provides no basis for that (or, again, why the NSA needs your info).  In fact, according to a much more believable study, the real risks are <b>not</b> outside threats and hackers, but <a href="http://www.theatlantic.com/technology/archive/12/07/if-hackers-didnt-exist-governments-would-have-to-invent-them/259463/" target="_blank">internal security screwups</a> and disgruntled inside employees.  None of that requires NSA help.  At all.
<br /><br />
But it sure makes for a convenient bogeyman to get new laws that take away privacy rights.
<br /><br />
Alexander, recognizing the civil liberties audience he was talking to, admits that the NSA <b>neither needs nor wants</b> most personal info, such as emails, and repeatedly states that they need to protect civil liberties (though, in the section quoted below, you can also interpret his words to actually mean they don't care about civil liberties -- but that's almost certainly a misstatement on his part):
<blockquote><i>
One of the things that we have to have then [in cybersecurity legislation], is if the critical infrastructure community is being attacked by something, we need them to tell us... at network speed.  <b>It doesn't require the government to read their mail</b> -- or your mail -- to do that.  It requires them -- the internet service provider or that company -- to tell us that that type of event is going on at this time.  And it has to be at network speed if you're going to stop it. 
<br /><br />
 It's like a missile, coming in to the United States.... there are two things you can do.  We can take the "snail mail" approach and say "I saw a missile going overhead, looks like it's headed your way" and put a letter in the mail and say, "how'd that turn out?"  Now, cyber is at the speed of light.  I'm just saying that perhaps we ought to go a little faster.  We probably don't want to use snail mail.  Maybe we could do this in real time.  And come up with a construct that you and the American people know that <b>we're not looking at civil liberties and privacy</b>, but we're actually trying to figure out when the nation is under attack and what we need to do about it.
<br /><br />
Nice thing about cyber is that everything you do in cyber, you can audit.  With 100% reliability.  Seems to be there's a great approach there. 
</i></blockquote>
Now all that's interesting, because if that's true, then why is he supporting legislation that would <b>override any privacy rules</b> that protect such info?  If he really only needs limited information sharing, then why isn't he in favor of more limited legislation that includes specific privacy protections for that kind of information?  He goes back to insisting they don't care about this info later on in the talk, but never explains why he doesn't support legislation that continues to protect the privacy of such things:
<blockquote><i>
The key thing in information sharing that gets, I think, misunderstood, is that when we talk about information sharing, we're not talking about taking our personal emails and giving those to the government.
</i></blockquote>
So make that <i>explicit</i>.  Rather than supporting cybersecurity legislation that wipes out all privacy protections why not highlight <i><b>what kind of information sharing is blocked right now</b></i> and why it's blocked?  Is it because of ECPA regulations?  Something else?  <i>What's the specific problem</i>?  Talking about bogeymen hackers and malicious actors makes for a good Hollywood script, but there's little evidence to support the idea that it's a real threat here -- and in response, Alexander is asking us all to basically wipe out all such privacy protections... because he insists that the NSA doesn't want that kind of info.  And, oh yeah, this comes at the same time that three separate whistleblowers -- former NSA employees -- claim that the NSA is getting exactly that info already.
<br /><br />
So, this speech is difficult to square up with that reality.  If he really believes what he's saying, then why not (1) clearly identify the current regulatory hurdles to information sharing, (2) support legislation that merely amends those regulations and is limited to just those regulations and (3) support much broader privacy protections for the personal info that he insists isn't needed?  It seems like a pretty straightforward question... though one I doubt we'll get an answer to.  Ever.  At least not before cybersecurity legislation gets passed.
 ]]></description>
<slash:department>cyber-security?</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120711/01291419657</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 8 Dec 2010 16:35:00 PST</pubDate>
<title>Intellectual Ventures Files Its First Lawsuits; Giant Patent Troll Awakened</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20101208/11073712190/intellectual-ventures-files-its-first-lawsuits-giant-patent-troll-awakened.shtml</link>
<guid>http://www.techdirt.com/articles/20101208/11073712190/intellectual-ventures-files-its-first-lawsuits-giant-patent-troll-awakened.shtml</guid>
<description><![CDATA[ For years, Intellectual Ventures has avoided suing companies directly, while building up a portfolio of tens of thousands of patents (mostly bought -- though it likes to <a href="http://www.techdirt.com/articles/20100902/02402110874.shtml">get PR</a> from the wacky and usually useless patents it files directly).  Its business model, to date, has been about <a href="http://www.techdirt.com/articles/20090630/0333575413.shtml">shaking down</a> giant tech companies for hundreds of millions of dollars in exchange for letting those companies use IV's patent portfolio either defensively or offensively against others.  However, as part of an attempt to avoid the dreaded "troll" label, the company had avoided suing others directly for quite some time -- though, it's always hinted that it would eventually.  About a year ago, we started to see IV patents <a href="http://www.techdirt.com/articles/20090903/0333546094.shtml">showing up in lawsuits</a>, but they had been licensed to other companies first.  The notoriously secretive company would never comment on whether or not it had any stake in the results of such lawsuits.
<br /><br />
However, Intellectual Ventures has finally stepped up and <a href="http://bits.blogs.nytimes.com/2010/12/08/intellectual-ventures-goes-to-court/?src=twt&#038;twt=nytimesbits" target="_blank">filed three separate patent infringement cases against nine companies</a>, including Symantec, McAfee, Trend Micro and others.  Of course, some of these companies have a history of <a href="http://www.techdirt.com/articles/20080211/202027232.shtml">questionable patent activity</a> themselves... Still, this seems like IV and Nathan Myhrvold stepping things up a notch.  Consider it a warning to other tech companies: if you don't agree to pay hundreds of millions of dollars to Intellectual Ventures, the company might sue you too.
<br /><br />
That's not how innovation is supposed to work.
<br /><br />
Still, perhaps this will convince more people just how problematic our current patent system is today and how we need to move towards fixing it.
 ]]></description>
<slash:department>watch-out...</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20101208/11073712190</wfw:commentRss>
</item>
<item>
<pubDate>Thu, 14 Jan 2010 15:03:00 PST</pubDate>
<title>Facebook Requires McAfee Scan If There's A Security Breach? Is This Security Or A Marketing Program?</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20100114/1211007757.shtml</link>
<guid>http://www.techdirt.com/articles/20100114/1211007757.shtml</guid>
<description><![CDATA[ <a href="http://www.techdirt.com/profile.php?u=sinsi">sinsi</a> was the first of a few to send in the news that Facebook has new rules if your account is suspended due to a security breach.  You will now be <a href="http://www.news.com.au/technology/facebook-deal-with-mcafee-forces-computer-clean-up/story-e6frfrnr-1225819430863" target="_blank">required to use McAfee's security software</a> to scan your computer.  Have perfectly good security software from Symantec?  Too bad.  Use Linux?  Not sure what you do.  While McAfee is offering a free tool for scanning, it's only free for six months and then you have to pay -- meaning that this is really an upsell plan.  Facebook claims it chose McAfee after a "competitive review process," but that makes no sense.  Why not offer up a list of ways that you can prove your computer is safe that is vendor neutral?
 ]]></description>
<slash:department>marketing-as-security?-security-as-marketing</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20100114/1211007757</wfw:commentRss>
</item>
<item>
<pubDate>Thu, 17 Dec 2009 01:33:06 PST</pubDate>
<title>Secretive Patent Holder Sues Lots Of Companies For Remote Activation Software</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20091216/0819597385.shtml</link>
<guid>http://www.techdirt.com/articles/20091216/0819597385.shtml</guid>
<description><![CDATA[ <a href="http://www.techdirt.com/profile.php?u=thehackman">Brian</a> points us to the news of <a href="http://www.channelregister.co.uk/2009/12/16/mongo_patent_infringement_suit/" target="_blank">yet another questionable patent lawsuit</a> filed by yet another shell company, yet again in Eastern Texas against a ton of software companies.  The patent in question (<a href="http://www.google.com/patents/about?id=yCZ8AAAAEBAJ&#038;dq=5,222,134" target="_blank">5,222,134</a>) is for a "secure system for activating personal computer software at remote locations," and was originally filed back in 1991 and granted in 1993 -- meaning that the patent is actually nearing end of life.  Odd, then, that it was suddenly noticed that all these companies were infringing.  The lawsuit is filed by a shell company called BetaNet, and no one seems willing to speak.  The lawyers representing BetaNet won't say who is behind the company, or how they even got the patent.  This is typical.  Many of these types of lawsuits are filed by shell companies to hide who is actually behind them.  As for the defendants, here's the list:
<blockquote><i>
Adobe, Apple, Arial Software, Autodesk, Carbonite, Corel, Kodak, IBM, Intuit, Microsoft, McAfee, Online Holdings, Oracle, Rockwell, Rosetta Stone, SAP, Siemens, and Sony.
</i></blockquote>
Obviously, none of those companies could have come up with ways to remotely activate software without this patent (yes, that's sarcasm).  As the Register notes in the link above, even some of the software products listed as violating this patent don't seem to involve activation at all, raising serious questions about how they could possibly violate this patent.  This sounds like yet another case of someone having read the book <i>Rembrandt's in the Attic</i> and deciding to go <a href="http://www.techdirt.com/articles/20080224/162013330.shtml">trolling</a> for companies to sue with a meaningless patent.<br /><br /><a href="http://www.techdirt.com/articles/20091216/0819597385.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20091216/0819597385.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20091216/0819597385.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>gotta-get-it-done-before-bilski</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20091216/0819597385</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 4 Nov 2009 12:51:00 PST</pubDate>
<title>Patent Holder Sues McAfee, Gets $25 Million... But May End Up Losing $5 Million Due To Everyone It Has To Pay Off [Update]</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20091103/0333046778.shtml</link>
<guid>http://www.techdirt.com/articles/20091103/0333046778.shtml</guid>
<description><![CDATA[ A few years ago, we noticed the troubling trend of private equity firms raising capital solely for the purpose of <a href="http://www.techdirt.com/articles/20070424/214913.shtml">investing in patent lawsuits</a>.  Basically, these private equity guys saw the ridiculous awards being handed out to patent holders who did nothing, and realized they wanted in on the game.  So they raised funds of hundreds of millions of dollars, and basically approached different small patent holders, examined their patents, and basically promised to bankroll lawsuits against companies who actually did stuff, in exchange for a cut of the winnings.  One of the biggest players in this space (perhaps the largest outside of Intellectual Ventures) is Altitude Capital Partners.
<br><br>
Joe Mullin has uncovered some of the details of how Altitude works (and how some of these lawsuits work), because Altitude is <a href="http://thepriorart.typepad.com/the_prior_art/2009/11/altitude-capital-partners-altitude-nines-v-deep-nines.html" target="_blank">upset with the amount of money it got back from one of the patent holders whose lawsuit it "invested" in</a>.  Note, here, that it does not appear that Altitude invested in the company in question, DeepNines, but specifically in the lawsuit.  Altitude gave DeepNines $8 million for its lawsuit in the structure of a loan.  DeepNines sued security firm McAfee and worked out an eventual $25 million settlement.  How much did DeepNines actually get?  Less than $800,000 -- and even that's in dispute. (<b>Updated</b> in the next paragraph).
<br><br>
Basically, because Altitude had a "model" of what it felt DeepNines should get in a lawsuit, and that model popped out a $200 million award, it felt that it didn't get enough.  But the breakdown suggests it did fine.  DeepNines paid back the loan at a 10% interest clip, plus another $700,000 as its "contingency fee" on the winnings, adding up to $10.1 million.    Then DeepNines ended up having to pay its lawyers at Fish & Richardson over $11 million in fees, plus another $1.25 million to local lawyer (and former federal judge) Robert Parker.  DeepNines also had to pay additional expenses for travel and other legal costs, adding up to another $2.1 million.  In the end, it was left with less than $800,000.  Doesn't seem quite worth the effort. (<b>Update</b>: Good discussion in the comments suggesting that the math here doesn't quite add up, and DeepNines may have actually ended up with about $8.8 million, because you have to add the original $8 million investment to the $25 million in counting in the inflow.  That makes sense, so the numbers may be off.  I was initially relying on the report claiming $800k was leftover, but it may have actually been higher.  The rest of the story does make sense however).
<br><br>
Especially since Altitude is demanding another $5.3 million, saying that DeepNines should have calculated its contingency fee based on the overall award, not after subtracting legal fees.  Of course, if it did that, then DeepNines -- despite having "won" $25 million, will have lost nearly $5 million on the overall deal.  Be careful who you partner with.  This should be a huge warning to any patent holders who think about accepting money from a firm like Altitude.  Even a $25 million "win" can turn into a huge loss, if you're not careful.<br /><br /><a href="http://www.techdirt.com/articles/20091103/0333046778.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20091103/0333046778.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20091103/0333046778.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>this-is-fun</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20091103/0333046778</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 19 Nov 2008 07:11:00 PST</pubDate>
<title>Microsoft Realizes No One Wants To Pay Microsoft To Fix Its Own Security Flaws</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20081119/0056492875.shtml</link>
<guid>http://www.techdirt.com/articles/20081119/0056492875.shtml</guid>
<description><![CDATA[ Back in 2005, when Microsoft was first mulling the idea of <a href="http://techdirt.com/articles/20050515/2329252.shtml">offering security software</a>, we noted that the company was between something of a rock and a hard place.  If it decided to charge for the software, people would accuse the company of trying to get people to pay to protect themselves from the security vulnerabilities in Microsoft's own software.  Yet, if they went free, then they would face screams about antitrust violations for undercutting competitors in the security software market.  We also suggested a third option: design better software that doesn't need security software.  But, failing that, Microsoft chose what I think was the worst of the three options: selling security software.  Perhaps not too surprisingly, not too many people took Microsoft up on the offer.  It could be a combination of reasons why.  First, Microsoft just doesn't have a good reputation when it comes to security.  Second, that whole issue of paying the same company that created the security holes in the first place.  Finally, it might just be inertia.  People buy from McAfee or Symantec because they're two names that have been around forever and are recognized (and, most importantly, bundled on many brand-name computers).
<br /><br />
So, after a couple years of failing to make much of a dent in the market, Microsoft has abruptly shifted to option number two.  It will no longer be selling its OneCare security software and, instead, will be <a href="http://news.cnet.com/8301-1009_3-10101582-83.html" target="_new">offering a free security suite for users</a>, though with fewer features than the old OneCare offering.  The various security software companies put out statements saying, of course, that this is no big deal, but you have to believe they're now doing whatever possible to stir up some complaints out of the Justice Department that this is an antitrust violation.  Maybe a few years down the road Microsoft will simply move on to option three, and make software that doesn't require separate security software.<br /><br /><a href="http://www.techdirt.com/articles/20081119/0056492875.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20081119/0056492875.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20081119/0056492875.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>that's-how-it-works</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20081119/0056492875</wfw:commentRss>
</item>
<item>
<pubDate>Fri, 29 Aug 2008 09:21:00 PDT</pubDate>
<title>Yet Another Company Sues Over Being Called Adware</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20080828/0954182124.shtml</link>
<guid>http://www.techdirt.com/articles/20080828/0954182124.shtml</guid>
<description><![CDATA[ We've seen a <a href="http://www.techdirt.com/articles/20040802/196218.shtml">few</a> such <a href="http://www.techdirt.com/articles/20051201/1334258_F.shtml">cases</a> in the past -- and they usually end with a judge telling the suing company to <a href="http://www.techdirt.com/articles/20070830/003443.shtml">shove off</a>, but here we have yet another company upset that it's being labeled as an adware/spyware provider.  In this case, <a href="http://blog.ericgoldman.org/archives/2008/08/7search_sues_mc.htm" target="_new">it's a company called 7Search, which is suing McAfee</a>.  7Search is claiming that McAfee's warning about "downloads" from its site having been "credibly" called adware or spyware is false and defamatory because 7Search no longer offers software for download off its site (though it apparently did in the past).
<br /><br />
As Eric Goldman notes in the link above, just bringing these types of lawsuits tends to backfire.  As we noted above, they rarely, if ever, win, and simply filing the lawsuit draws much more attention to the company -- often including reports from users about why they <i>do</i> think the software in question is adware or spyware.  In the meantime, if 7Search no longer offers downloads, then it's not clear what it's upset about either, since it's not like the McAfee warning is going to stop people from downloading its software -- since, apparently, there's no software to download.<br /><br /><a href="http://www.techdirt.com/articles/20080828/0954182124.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20080828/0954182124.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20080828/0954182124.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>yet-again</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20080828/0954182124</wfw:commentRss>
</item>
<item>
<pubDate>Thu, 3 Jan 2008 18:35:00 PST</pubDate>
<title>Latest Antivirus Error: McAfee Blocks A Bunch Of Popular Sites As Risky</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20080103/151314.shtml</link>
<guid>http://www.techdirt.com/articles/20080103/151314.shtml</guid>
<description><![CDATA[ A little over a week after Kaspersky's anti-virus software declared Windows Explorer was a <a href="http://www.techdirt.com/articles/20071221/093555.shtml">virus</a>, it appears that McAfee has had its own mistake, as an anti-virus update from the company <a href="http://www.bit-tech.net/news/2008/01/03/mcafee_blacklists_chunk_of_web/1">started warning people to stay away from a bunch of popular sites</a>, including ESPN, Friendster and Ars Technica.  McAfee later admitted that it was a mistake on its end, but it seems that we're seeing these kinds of false positives on a fairly frequent basis these days.  It's yet another sign that things need to change in how security software works -- but instead of real advances, it still seems like firms are bogged down with things like pointless <a href="http://www.techdirt.com/articles/20071226/011015.shtml">patent battles</a>.<br /><br /><a href="http://www.techdirt.com/articles/20080103/151314.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20080103/151314.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20080103/151314.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>sorry-about-that</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20080103/151314</wfw:commentRss>
</item>
<item>
<pubDate>Fri, 20 Jul 2007 03:22:00 PDT</pubDate>
<title>McAfee CEO Says New Laws Are Needed To Deal With Cybercrime</title>
<dc:creator>Carlo Longino</dc:creator>
<link>http://www.techdirt.com/articles/20070719/173518.shtml</link>
<guid>http://www.techdirt.com/articles/20070719/173518.shtml</guid>
<description><![CDATA[ McAfee CEO Dave DeWalt has been pushing politicians to <a href="http://www.informationweek.com/security/showArticle.jhtml?articleID=201002319&#038;cid=RSSfeed_TechWeb">create new laws</a> to deal with cybercrime. He says cybercrime is now a bigger business than illegal drug trafficking in the US, and that the punishment doled out to cybercriminals isn't an effective deterrent. He may have a valid point there, but new laws and sentencing guidelines don't seem to be the most effective potential tool against computer crimes -- particularly when much of this crime comes from overseas, where being caught and punished by a remote government isn't likely to stop many criminals. DeWalt says that the technical side of security is "pretty advanced", and that government is lagging. But if things really were so rosy in the computer security business, it doesn't seem like there would be much of a need for new laws. He mentions malware and phishing, two areas where he says new laws could help -- but both of these represent areas where security vendors could <a href="http://www.techdirt.com/articles/20070410/112252.shtml">show some improvements too</a>. Traditional methods, like <a href="http://www.techdirt.com/articles/20070709/150943.shtml">blacklists</a>, seem to be flagging, so some fresh thinking and innovation in the industry, not just a bunch of new laws, would be beneficial. There are some areas, though, where some stronger deterrents might be useful, such as in getting businesses and government to take the security of personal information <a href="http://www.techdirt.com/articles/20070620/111458.shtml">more seriously</a>.<br /><br /><a href="http://www.techdirt.com/articles/20070719/173518.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20070719/173518.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20070719/173518.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>passing-the-buck</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20070719/173518</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 18 Jul 2007 15:27:00 PDT</pubDate>
<title>How Does The FBI's Spyware Get Around Security Software?</title>
<dc:creator>Carlo Longino</dc:creator>
<link>http://www.techdirt.com/articles/20070718/130339.shtml</link>
<guid>http://www.techdirt.com/articles/20070718/130339.shtml</guid>
<description><![CDATA[ A teenager in Washington state got sentenced to 90 days in juvenile detention this week, after he pleaded guilty to making some bomb threats via e-mail to a high school. It turns out that the FBI nabbed him <a href="http://news.com.com/8301-10784_3-9746451-7.html?part=rss&#038;subj=news&#038;tag=2547-1_3-0-20">with a piece of spyware</a> called the Computer and Internet Protocol Address Verifier, or CIPAV. The FBI used the spyware after it had obtained server logs from Google and MySpace, which gave them an IP address that led to an infected computer in Italy. This isn't too surprising, really, but what makes it a little more intriguing is that <a href="http://blog.wired.com/27bstroke6/2007/07/fbi-spyware-how.html">it's not clear</a> how the FBI slipped the program onto the kid's computer, nor how it evaded detection by anti-virus software. The most likely possibility is that they took advantage of some unpatched vulnerability on the kid's PC, with a browser or plug-in hole exploited by a MySpace web message. The question of evading security software looms larger, though, with CNet's Declan McCullagh wondering if the government persuaded security software vendors to whitelist CIPAV. He said that some vendors said they'd comply with court orders to ignore government or police spyware, and that McAfee and Microsoft wouldn't say if that's what had, in fact, happened here. Meanwhile, Kevin Poulsen over at Wired says that a more likely (and less controversial) explanation is that without ever seeing CIPAV, security software vendors can't make a signature for it, so their systems can't detect it.<br /><br /><a href="http://www.techdirt.com/articles/20070718/130339.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20070718/130339.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20070718/130339.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>cloak-and-dagger-or-point-and-click</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20070718/130339</wfw:commentRss>
</item>
</channel>
</rss>