This story appeared on Network World at

This story appeared on Network World at
http://www.networkworld.com/columnists/2009/042309bradner.html

The FBI as an ethical hacker?

FBI's CIPAV spyware makes it harder for bad guys to hide, but there are issues with approach

'Net Insider By Scott Bradner , Network World , 04/21/2009

More details are emerging about how the FBI engages in hacking and the planting of spyware.

This story goes back to at least 2001 when Bob Sullivan of MSNBC and Ted Birdis of AP broke the story of Magic Lantern. At the time the FBI did not want to say much, but now there is real information that clears up some things and reinforces real concerns over this approach.

Law enforcement is faced with some very hard problems when it tries to find and get evidence on bad guys. There are a lot of tools that you and I can use to make the Internet safer when doing business on the 'Net or to protect our privacy if we need to blow the whistle on someone or communicate with a support group. You should be using encryption on your own computer so that your personal or business records are not compromised if your computer is stolen. You can use anonymizing proxies or anonymizing networks if you are a dissident living in a repressive society or would like to visit a mental health support group. These are important tools when used by the good guys, but make life harder for law enforcement when used by the bad guys.

Though note that both of these technologies are far too important to give up just to make law enforcement's job easier.

Still, law enforcement needs to overcome tools of this type if they are to catch the people they are after. This is where Magic Lantern, and its less prosaically named successor, "Computer & Internet Protocol Address Verifier" (CIPAV), come in. These systems are officially sanctioned spyware, theoretically only used when permitted by the courts (in the United States at least).

Wired.com was able to get a bunch of documents on CIPAV under the Freedom of Information Act that help to explain it. (See the Wired article here and the documents here.) You can get a clear picture of the use of CIPAV on pages 64 to 80 of the documents. After being surreptitiously installed on your computer by exploiting some software bug, CIPAV sends the FBI information about your computer then starts monitoring computer activity (software like this is used by bad guys to steal your bank account passwords.). In this case, the FBI can use it to find your encryption keys. Also, because your computer sends its actual location and other information directly to an FBI computer, using an anonymizing proxy will not hide you. (But something like Little Snitch may let you know that something funny is going on.)

CIPAV is a very useful tool for law enforcement and, assuming it is properly applied, good for society. But, even making the assumption that CIPAV will always be properly applied, there are real problems with it.

The FBI depends on exploiting software bugs to install CIPAV. I would like my software vendors to fix bugs that would let in spyware even if it makes life hard for the FBI. I hope that the software vendors are not leaving bugs unfixed or purposeful back doors just to help the FBI, because sooner or later the bad guys will find them and exploit them -- maybe even against the FBI.

Also I'd like my antispyware software to find and report on all spyware, but there have been reports that some antispyware companies have agreed to ignore the FBI tool. This provides a great opportunity for spyware developers to create software that looks enough like the FBI program so that the antispyware software will ignore it as well.

I do not know what the right answer is to law enforcement's problems, but I would like it not to facilitate bad guys taking over machines all over the world.

Disclaimer: Facilitating bad guys is not an explicit Harvard goal, but one cannot control one's graduates. In any case, Harvard has not expressed an opinion on CIPAV that I know of, so the above review is mine.