How Does The FBI's Spyware Get Around Security Software?

from the cloak-and-dagger-or-point-and-click dept

A teenager in Washington state was sentenced to 90 days in juvenile detention this week, after he pleaded guilty to making bomb threats via e-mail to a high school. It turns out that the FBI nabbed him with a piece of spyware called the Computer and Internet Protocol Address Verifier, or CIPAV. The FBI used the spyware after it had obtained server logs from Google and MySpace, which gave them an IP address that led to an infected computer in Italy. This isn't too surprising, really, but what makes it a little more intriguing is that it's not clear how the FBI slipped the program onto the kid's computer, nor how it evaded detection by anti-virus software. The most likely possibility is that they took advantage of some unpatched vulnerability on the kid's PC, with a browser or plug-in hole exploited via a MySpace web message. The question of evading security software looms larger, though, with CNet's Declan McCullagh wondering whether the government persuaded security software vendors to whitelist CIPAV. He said that some vendors said they'd comply with court orders to ignore government or police spyware, and that McAfee and Microsoft wouldn't say whether that's what had, in fact, happened here. Meanwhile, Kevin Poulsen over at Wired says that a more likely (and less controversial) explanation is that security software vendors can't write a signature for a program they have never obtained a sample of, so their signature-based scanners simply can't detect it.
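Poulsen's point is easiest to see in code. The following is an added example, not CIPAV and not any vendor's engine: a toy signature scanner whose database holds one whole-file hash and one byte-pattern signature, both written from a constructed sample the vendor has seen, run against that sample, a one-byte-changed copy of it, and a second constructed sample the vendor has never seen. All samples, signatures and names are made up for this illustration.

```python
"""Toy signature scanner illustrating why an unseen implant is not flagged.
Added example: not CIPAV, not any vendor's product. Samples and signatures
below are constructed for this demonstration."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class SignatureDB:
    """What a vendor can build only after it has obtained a sample."""
    hashes: dict = field(default_factory=dict)    # sha256 hex digest -> name
    patterns: dict = field(default_factory=dict)  # name -> byte substring

    def add_hash(self, name: str, sample: bytes) -> None:
        self.hashes[hashlib.sha256(sample).hexdigest()] = name

    def add_pattern(self, name: str, pattern: bytes) -> None:
        self.patterns[name] = pattern


def scan(sample: bytes, db: SignatureDB) -> list:
    """Return the names of the signatures that match. An empty list means
    'nothing known matched', which is not the same as 'known good'."""
    hits = []
    name = db.hashes.get(hashlib.sha256(sample).hexdigest())
    if name is not None:
        hits.append("hash:" + name)
    for name, pattern in sorted(db.patterns.items()):
        if pattern in sample:
            hits.append("pattern:" + name)
    return hits


# Constructed stand-ins for two executables (a PE header stub, padding and a
# distinctive string each). These are not real malware.
KNOWN_WORM = b"MZ\x90\x00" + b"\x00" * 32 + b"cmd.exe /c net send HELLO" + b"\x00" * 16
NOVEL_IMPLANT = b"MZ\x90\x00" + b"\x00" * 32 + b"POST /report HTTP/1.1\r\nX-Host-Id: " + b"\x00" * 16


def build_demo_db() -> SignatureDB:
    """The vendor has seen KNOWN_WORM and wrote two signatures for it.
    It has never seen NOVEL_IMPLANT, so nothing here describes it."""
    db = SignatureDB()
    db.add_hash("worm.sample", KNOWN_WORM)
    db.add_pattern("worm.family", b"cmd.exe /c net send")
    return db


def patch_one_byte(sample: bytes, offset: int, value: int) -> bytes:
    """A trivial repack stand-in: change a single byte of padding."""
    data = bytearray(sample)
    data[offset] = value
    return bytes(data)


def demo() -> dict:
    db = build_demo_db()
    results = {
        "known_worm": scan(KNOWN_WORM, db),
        # One changed byte defeats the whole-file hash; the byte-pattern
        # signature still fires because the distinctive string is intact.
        "known_worm_repacked": scan(patch_one_byte(KNOWN_WORM, 10, 0x41), db),
        # No sample, no signature, no detection.
        "novel_implant_before": scan(NOVEL_IMPLANT, db),
    }
    # Only once a sample reaches the vendor can a signature be written.
    db.add_pattern("implant.beacon", b"X-Host-Id: ")
    results["novel_implant_after"] = scan(NOVEL_IMPLANT, db)
    return results


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:24s} {hits or 'no detection'}")
```

The repacked copy shows why vendors prefer byte-pattern or behavioural signatures to whole-file hashes, and the unseen sample shows the gap Poulsen describes: an absent signature, not an exclusion. The deliberate whitelist McCullagh raises would be a different artifact, an explicit exclusion the engine consults alongside matching, and it would exist regardless of whether a sample had ever been collected.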


Reader Comments

  1.
    Brian Harris, Jul 18th, 2007 @ 3:45pm

    Am I missing something?

    Once they found an IP in Italy, how did they manage to find him in Washington State? It was my understanding that cooperation with foreign governments around IPs would take months of red tape to cut through; at least that is what I was told at a computer forensics meeting a couple of years back which was hosted by Yale.

    Isn't this why most hackers use proxies outside of the target country?

  2.
    The Truth Beacon, Jul 18th, 2007 @ 4:37pm

    Re: Am I missing something?

    QUOTE: "Isn't this why most hackers use proxies outside of the target country?"

    If one hacker can hide his steps, what stops another from un-hiding them?

  3.
    Anonymous Coward, Jul 18th, 2007 @ 4:40pm

    Remember the thing about cell phones the FBI claimed. They claimed they could listen to any cell phone through its mic whether or not the phone is even on. Now they can install spyware on any computer around the world?

    Anyone else getting the feeling the FBI is claiming to do things they can't, to either cover up their real (and much more sinister or evasive) methods or just to scare potential terrorists and the American public in general?

  4.
    Anonymous Coward, Jul 18th, 2007 @ 5:07pm

    Re: #3 and snooping government

    I'm not bothered if they claim abilities they do not have; but they certainly were able to do this little trick.

    I am bothered by en masse snooping on ordinary citizens, without probable cause to believe they committed a crime, and/or with no warrant, then sifting through to find some alleged misdeed. (I do not refer to the subject of this column, though. He made bomb threats.)

    I don't want the government to have a peephole into our private lives with the help of Microsoft, McAfee, Intel or anyone else I make a legitimate purchase from.

    In fact, where the hell do these companies get off providing such a back door!

    I thought we lived in a free country - not under a government microscope.

    (they hate us for our freedom?)

  5.
    Thomas, Jul 18th, 2007 @ 5:20pm

    My Solution

    Open Source Software.
    Get something like Linux; that way you know what is running on it.
    Not only that, but you could go a step further and make it run your own private whitelisted programs. If so, the only way the FBI could touch you would be for you to let them, or install Wendoze.

  6.
    Overcast, Jul 18th, 2007 @ 5:29pm

    I'm sure there are plenty of openings for the Government/Corporate Unholy alliance to sneak through.

    They don't even need a warrant!

  7.
    Bah who needs one, Jul 18th, 2007 @ 5:53pm

    This FBI act looks like a blatantly illegal search under the Fourth Amendment. Even assuming they had a wiretap warrant, hacking a suspect's computer (as opposed to simply tapping their phone line or cable and sniffing the traffic on it) appears to violate the Computer Fraud and Abuse Act as well as the suspect's property rights in their machine. In effect, they seized the computer without notice. It's as illegal as if they broke in and removed the computer in the dead of night without all the niceties of showing up in uniform and presenting the owner with a warrant first, or even leaving a note afterward saying they'd served a warrant in the owner's absence or something.

    I think there's scope here for a savvy defense attorney to not only have the "evidence" obtained thrown out of court but to publicly give the FBI a black eye. This type of behavior cannot be tolerated from law enforcement in a free and just society.

  8.
    1812lsd, Jul 18th, 2007 @ 6:01pm

    Hear, hear!

  9.
    Economist, Jul 18th, 2007 @ 6:10pm

    FBI Surveillance

    In order to reduce traffic that the FBI has to examine manually, and improve their efficiency, we should probably eliminate much of common English usage.

    For example, it is probably a bad idea to refer to a bad movie as "a real xxxx" where what I have omitted has four letters, beginning and ending with "b".

    Discussion of many Vincent Price movie titles would likely also be unwise.

    The Waltham Massachusetts Debutantes should probably change their initials.

    And we better start referring to it as a "heart event" rather than using words like "axxack" and "sxxzure".

  10.
    Charles Griswold, Jul 18th, 2007 @ 6:42pm

    Re: FBI Surveillance

    In order to reduce traffic that the FBI has to examine manually, and improve their efficiency, we should probably eliminate much of common English usage.
    So, we shouldn't refer to a bad movie marathon as a "bomb attack"? OK, noted for future reference.

  11.
    Shalkar, Jul 18th, 2007 @ 7:29pm

    My Opinion is:

    Well, they scared the kid into not taking it to court. In fact, he probably took a plea bargain. After all, he pleaded "Guilty". So yeah, maybe if he had taken it to court a good lawyer would have been able to fight it. The thing is, though, do you think an appointed attorney would be a good one? I doubt he and/or his family even had money for a lawyer. Period.

    Not that he should be let go, but he should have been caught in another way. A more legal and ethical way...

  12.
    Just Me, Jul 18th, 2007 @ 8:21pm

    Hmmm.

    While I agree that the methods the FBI employed are a bit shady and perhaps even unconstitutional, you have to at some point weigh the good and the bad. Again, don't misunderstand me; it really pisses me off that they can surreptitiously install spyware on my PC to find out what I'm doing, but in the same vein, they only do that when there is something blatantly illegal going on that they want visibility into. Before 9/11 I'd have been totally opposed to this behavior, but given the good that it can do AND since I don't engage in bomb threats/life threats/kiddie porn/terrorist activities, I'm not worried about what they will find if they happen to spy on my conversations. In fact, it can only exonerate me.

  13.
    Anonymous Coward, Jul 18th, 2007 @ 8:24pm

    Re: My Opinion is:

    A skilled attorney would likely have taken a case like this pro bono because of the likelihood of setting a legal precedent.

    There really isn't much case law (that I'm aware of) on the books related to this kind of invasive evidence gathering. It's too bad the kid didn't take it to trial. It could have been a Supreme Court case.

  14.
    Anonymous Coward, Jul 18th, 2007 @ 8:54pm

    Re: Hmmm.

    I disagree.

    In (something like) the words of Benjamin Franklin: "A society that would give up a liberty to gain security deserves neither and loses both."

    The most important thing we can do in post-9/11 America is to maintain the liberties that have caused us to be the envy of the world... not give them up so that we can be secure.

  15.
    meh, Jul 18th, 2007 @ 9:04pm

    Re: Hmmm.

    Are you honestly that short-sighted or just retarded? How many years will have to pass before the idiot masses stop justifying government abuse of power in the name of supposed safety? It's not about whether or not I'm doing something illegal; it's about not wanting people snooping into my business unless they follow the rules we're all supposed to live by. What right does the government have to pick and choose which laws they are going to enforce, and which they will ignore in the name of the greater good? For those of you wanting to change the privacy laws, read your history, fools. I would laugh if you managed to push a change through only to have it used to persecute beliefs you hold that harm no one but don't follow the status quo.

  16.
    reed, Jul 18th, 2007 @ 9:12pm

    We all know the real story...

    Behind closed doors the US government and MS struck a deal not to break up the company. I wonder what the specifics of that deal were? You scratch my back, I scratch yours. We don't break you up, you build those back doors in for us. It doesn't take a rocket scientist to figure out Bill Gates sold out over 90% of all computer users.

    Giving up our freedom, especially with regard to computers, which control just about every aspect of our lives, was the beginning of the end. Welcome to a world where Big Brother has complete access to all your stuff at the flick of a button.

  17.
    linuxamp, Jul 18th, 2007 @ 9:20pm

    Doesn't this sound a lot like the old Magic Lantern program from 2001?

  18.
    Retired Hacker, Jul 18th, 2007 @ 11:10pm

    Wireless is untrackable

    Today's punks aren't computer wizards by a long shot.
    I would worry more about those who leech off random wifi networks from which to commit their crimes.

  19.
    Enrico Suarve, Jul 19th, 2007 @ 1:37am

    Re: Am I missing something?

    I've got the same problem here - we traced it to an infected PC in Italy, then to his machine.

    My 2 cents - the FBI rings the owner of the PC in Italy....

    FBI: "Did you know that some kid has infected your machine, turned it into a proxy and is using it to send bomb threats?"

    Pissed off Italian: "No"

    FBI: "We are as annoyed as you are - do you mind if we email you a file to put on your machine which will help identify who it is so we can arrest him? It'll just grab his real IP, OS etc. and where the redirected traffic is going to from HTTP headers"

    Pissed off Italian: "No"

    FBI: "Thanks"

    (sorry for the bad acting and poor Italian)
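The relay-side record this comment imagines, as an added example that is not part of the comment, the article, or CIPAV: a small Python routine that takes the TCP peer address the relay's socket reported together with the raw HTTP request it forwarded, and separates what the relay itself can establish (the peer address) from what arrived in headers and could have been written by the client (Host, User-Agent, X-Forwarded-For). The request bytes, the addresses (RFC 5737 documentation ranges) and the User-Agent-to-OS table are constructed for the example.

```python
"""Relay-side attribution of a forwarded HTTP request.
Added example, not from the page or from CIPAV; the request bytes,
addresses and OS table are constructed for this demonstration."""

# Platform tokens seen in User-Agent strings (assumption: a small hand-made
# table; real fingerprinting uses far more than this).
OS_TOKENS = {
    b"Windows NT 5.1": "Windows XP",
    b"Windows NT 5.0": "Windows 2000",
    b"Windows NT 6.0": "Windows Vista",
    b"Mac OS X": "Mac OS X",
    b"Linux": "Linux",
}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, {lower-name: value}).
    Header names are case-insensitive, so they are lower-cased; a repeated
    header is joined with commas, as HTTP permits."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        key = name.strip().lower()
        value = value.strip()
        headers[key] = headers[key] + b", " + value if key in headers else value
    return request_line, headers


def os_hint(user_agent: bytes) -> str:
    """Best-effort OS guess from the client-supplied User-Agent."""
    for token, name in OS_TOKENS.items():
        if token in user_agent:
            return name
    return "unknown"


def attribute_request(peer_ip: str, raw: bytes) -> dict:
    """Build the record the relay can log for one forwarded request.

    peer_ip is the TCP source address the relay's socket reported: the only
    origin fact the relay itself establishes. Everything taken from headers
    was written by the client (or an upstream proxy) and is recorded as a
    claim, not a fact."""
    request_line, headers = parse_request(raw)
    ua = headers.get(b"user-agent", b"")
    xff = headers.get(b"x-forwarded-for", b"")
    claimed = [p.strip().decode("latin-1") for p in xff.split(b",") if p.strip()]
    return {
        "origin_ip": peer_ip,                       # socket-level, trusted at the relay
        "destination_host": headers.get(b"host", b"").decode("latin-1"),
        "request_line": request_line,
        "user_agent": ua.decode("latin-1"),
        "os_hint": os_hint(ua),                     # client-supplied, easily faked
        "claimed_forwarded_for": claimed,           # client-supplied, easily faked
        # A sender hopping through proxies can put anything in X-Forwarded-For;
        # flag a mismatch with the socket address instead of trusting it.
        "xff_disagrees_with_peer": bool(claimed) and peer_ip not in claimed,
    }


# Constructed request as the relay might have seen it. The addresses are
# RFC 5737 documentation ranges, not real hosts; the path is made up.
SAMPLE_PEER_IP = "198.51.100.23"
SAMPLE_REQUEST = (
    b"POST /mail/send HTTP/1.1\r\n"
    b"Host: www.myspace.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"X-Forwarded-For: 203.0.113.9\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"body=hello%21"
)

if __name__ == "__main__":
    for key, value in attribute_request(SAMPLE_PEER_IP, SAMPLE_REQUEST).items():
        print(f"{key:26s} {value}")
```

The point worth keeping: on a relay the socket peer address is the one origin fact, while X-Forwarded-For and User-Agent are claims the sender controls, so the record keeps them but labels them and flags disagreement rather than trusting them.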

  20.
    Sean, Jul 19th, 2007 @ 1:49am

    Sneak and Peek

    I think this sort of search would fall under the sneak and peek provisions of Patriot or whatever act is relevant.
    I think too much faith has been given to this teen's "hacker proclivities" (what a phrase!).
    It seems that this program merely reported on the IP address, MAC address etc. All this is public information surely(?) so the expectation of privacy is limited (like dumping private letters in the trash). The article specifically says that the feds didn't record any content.

  21.
    Max, Jul 19th, 2007 @ 2:27am

    tracking emails

    You don't need the FBI to track people.

    There is a company which offers this service to everybody!

    http://www.readnotify.com/

  22.
    Anonymous Coward, Jul 19th, 2007 @ 6:03am

    Re: FBI Surveillance

    "Waltham Massachusetts Debutantes"

    I'm from Waltham, Massachusetts. Believe me when I tell you, there are NO debutantes there. Some working class princesses and some ethnic hotties, yes; but you'd need to go to some neighboring towns (Belmont, Lexington, Weston, Lincoln) to find any real debutantes.

  23.
    wthompson, Jul 19th, 2007 @ 6:06am

    The point

    Not sure what the point of this is...
    Within one paragraph reported AT LEAST second hand, all readers have convicted this kid.
    The FBI crap is icing on this cake folks; it only formalizes the disregard for reason.

    You mean to say that in no one's past are there any actions or angry threats which were NOT REALLY intended for action.

  24.
    BTR1701, Jul 19th, 2007 @ 6:34am

    Re: Bah who needs one

    > without all the niceties of
    > showing up in uniform and presenting
    > the owner with a warrant

    FYI: The FBI does not wear uniforms.

  25.
    Hieronymus, Jul 19th, 2007 @ 6:35am

    If you don't own it, you don't who does or where i

    The problem with email and anonymous proxy servers is that unless you own it yourself, you don't know who has control of it or where it's located (despite what the seller says).

    The thing with encrypted emails is that they will probably attract unwanted attention which defeats the original purpose.

  26.
    Unknowledgeable Geek, Jul 19th, 2007 @ 6:44am

    Re: Re: Am I missing something?

    I think you have it right. This is almost funny that everyone is slamming the FBI because they stopped bomb threats. What if that kid called a bomb threat into your place of business, would you not want the FBI to stop them? You all are looking at the small picture. What about my rights? What about my rights to be able to go to work and not worry about bomb threats!!

  27.
    Raydr, Jul 19th, 2007 @ 6:57am

    How they did it?

    I made a post here explaining how I think they did it:

    http://www.dslreports.com/forum/r18703177-How-they-did-it

  28.
    Ryan, Jul 19th, 2007 @ 9:24am

    Re: Hmmm.

    A quote you've probably heard comes to mind...

    "A person willing to give up freedom for security neither deserves freedom nor security" ... Benjamin Franklin.

  29.
    Anonymous Coward, Jul 19th, 2007 @ 9:55am

    Facts... oh why bother?

    Actually, the FBI did have a warrant. Here's the application for that warrant: http://www.politechbot.com/docs/fbi.cipav.sanders.affidavit.071607.pdf

    So, now you can be pissed off at the courts as well as the FBI. Oh, and congress for the Patriot Act. All three branches!

  30.
    Robert, Jul 19th, 2007 @ 11:15am

    Unclear?

    It seems that in addition to losing our civil liberties we are losing our imagination too.

    The FBI or any other big brother government agency doesn't need to make a 'virus' or to take any advantage of 'vulnerabilities' in PCs to invade our already lost privacy.

    I can think of many ways spyware... or evidence can be planted in computers.

    1. Via any software updates. Microsoft, Symantec, iTunes, you name it. They know your ISP, IP address and computer profile (MAC addr, registry, hardware list etc.)

    2. By using unregistered protocols to connect to PCs. Ethereal, Wireshark et al. only understand public protocols. Under the un-patriot act I'm sure all new routers let pass some unknown protocols. The only way to really monitor the traffic is to tap into the physical layer (the wires) and see what flows through.

    3. Probably relatively new OSes (Vista, OSX, some or all Linux flavors?) already have built in spy functionality.

    The questions are:

    1. To what extent is this spying activity going on?
    2. Are we going to stop looking for terrorists like AQ? Or are pedophiles, unfaithful husbands/wives, drug dealers, tax cheaters, Democrats, Catholics and Muslims next?
    3. Who decides who gets prosecuted like border patrol agents Ramos and Compean or pardoned like Scooter Libby?
    4. Will the 'spies' misuse the information for their own advantage? Like getting tips on particular stocks or Fed interest decisions?

    I can go on and on.

  31.
    Deli Laama, Jul 19th, 2007 @ 11:28am

    Re: Re: #3 and snooping government

    No, they hate you because you're retarded.

  32.
    Deli Laama, Jul 19th, 2007 @ 11:33am

    Re: Facts... oh why bother?

    Shhh...! If you start posting facts no one will be able to wrap themselves in righteous indignation.

  33.
    Reed, Jul 19th, 2007 @ 11:52am

    Re: Unclear?

    3. Probably relatively new OSes (Vista, OSX, some or all Linux flavors?) already have built in spy functionality.

    We know MS made a deal with the government in order to keep operating the way they do. MS also created and developed spyware as a marketing tool (through 3rd party developers).

    OSX? I don't know about that, but because they are a single company it would be easy to put pressure on them.

    Linux? I doubt it, considering how many different versions there are and the fact that people all over the world code and check code, that our government could force a back door in. On a side note, there are always ways into a system if you know what you're doing.

    Handing over that info or creating a back door for the government in the name of security is extremely flawed reasoning.

  34.
    SailorRipley, Jul 19th, 2007 @ 12:04pm

    Re: Re: Facts... oh why bother?

    "Shhh...! If you start posting facts no one will be able to wrap themselves in righteous indignation."

    Oh please, the Patriot Act in and by itself is more than enough for any intelligent, good citizen to wrap him-/herself in righteous indignation.

  35.
    Chipwhisperer, Jul 20th, 2007 @ 4:13pm

    I don't think this is any big mystery at all. They tracked the incoming IP on the Myspace page, and it was an infected computer in Italy. The infected computer in Italy OBVIOUSLY had lots of ports open with various programs "listening", so the Feds just sent a trojan down the appropriate port after scanning the ports on that machine. Once settled in, they then sat back and occasionally perused the logs that their trojan in Italy sent regularly to Virginia. And of the incoming IPs shown in the log, an obvious one stuck out: a residential IP in the state of Washington. Wow, what a coincidence.

    Now, legally they are covered. The federal trojan did no damage to the target computer, and one can legally make the case that when you are "on the internet" you are on a public medium and cannot have any expectation of privacy, and the federal trojan only monitored for criminal activity and all other log entries are disregarded.

    Pretty much basic stuff, yawn.

  36.
    facing backwards, Aug 17th, 2007 @ 1:30pm

    Re: Re: Hmmm.

    Since 9/11 we can now observe that the terrorists won. Politicians use terror to win votes. Companies use terror to gain contracts. We have given up many liberties in the name of security and gained neither liberty nor security. We have to remove shoes and belts at the airport along with discarding water bottles! THE TERRORISTS HAVE WON!

  37.
    Carol Stein, Oct 25th, 2007 @ 2:52pm

    "hacking" NON-connected PCs

    If you search for me online, you may discover that I wrote a paper a few years back for AI-Depot. In this I advised that anyone who has critical information on a PC that isn't just stored Web pages (etc.) should use both an online PC and an offline PC. Since I am a writer, I have been doing this for some time. A very cheap used PC works just fine as the offline machine (unless you play processor-intensive online games, I suppose).

    Well, first my online PC was hacked, to the point I could no longer connect to the Web (via cable modem). Then, more recently, my OFFLINE PC (a one-year-old Cisnet running Win XP) became unable even to boot up. Previously it had been gradually deteriorating, so that (for example) no devices at all were listed under System/Devices.

    After a 2-month hiatus, I am now back online as of today. I'm using a $70 second-hand PC (from Goodwill), plus a free MEPIS 6.5 CD that allows one to try the system before installing it, plus an expensive high-speed cable connection. I have also placed lead sheeting (on cardboard panels) around the business end of the PC, as an added precaution. I had done this with the XP system, but too late, I think, though I suspect the last killing infection occurred during "breaking and entering" of my apartment.

    My system is running from the CD drive, and I'm not even going to try to format the HD -- I'm literally afraid the feds or whichever hacker this is will pack it with something like child porn if I do! They already tried to frame me once, I think with drugs in a plastic bag.

    Be afraid. I am absolutely positive the FBI will break and enter illegally, since it's been happening to me. They have even incited other residents of my building to keep track of me if I leave my apartment, so I don't leave unless a friend is "house-sitting" now. Btw, I'm disabled, getting $623/month through SSI, and this has been going on for 9 months now!!!

  38.
    Anonymous Coward, Oct 25th, 2007 @ 2:57pm

    Oops, I meant to say the cheap used PC can be the online PC, not offline PC.

  39.
    Murat, Oct 31st, 2007 @ 2:21am

    Anyone else getting the feeling the FBI is claiming to do things they can't, to either cover up their real (and much more sinister or evasive) methods or just to scare potential terrorists and the American public in general?

  40.
    Carol Stein, Mar 12th, 2008 @ 12:41pm

    update

    It turns out the problem is much worse than I suspected. The FBI is able to (1) enter 'dangerous' "foreign destination" IP addresses into my PC as shown by netstat lanap listings, even when router and cable modem are both unpowered, (2) at one point they were messing up IPTABLES, again from another PC (located within 10-15' of mine, in another apartment), (3) when I shutdown my MEPIS 6.5 system (still running from CD-ROM, with NO storage available) -- even if I've only booted up and then shutdown immediately after logging on -- I get a message that OpenBDS Shell Server is shutting down. Hmmmmm.

    They still won't go away, are still illegally messing with my PC from upstairs, and I can't get them to negotiate or even tell me what they want. The ONLY way I can be rid of them, apparently, is to tell everyone everything I know about what they're doing. Okay, then.

  41.
    Mithell, Jan 20th, 2010 @ 8:53am

    Have you never seen an episode of 24? Those government super spies can do anything, and do it quickly! There must be some deal with the security software companies or some exploit they hacked into with their collective brainpower, because as mentioned, this should not be so easy to do...

