The following text is copyright 2009 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

 

The FBI as an ethical hacker?

 

By: Scott Bradner

 

More details are now coming out on how the US Federal Bureau of Investigation (FBI) engages in hacking and the planting of spyware. This story goes back to at least last 2001 when Bob Sullivan of MSNBC and Ted Birdis of AP broke the story of Magic Lantern.  At the time the FBI did not want to say much but now there is some real information.  More information came out in 2007.  (seehttp://www.networkworld.com/news/2007/071907-fbi-planted-spyware-on-teens.html) The new information clears up some things but, if anything, reinforces some real concerns over this approach.

 

Law enforcement is faced with some very hard problems when it tries to find and get evidence on bad guys. There are a lot of tools that you & I can use to make our Internet lives safer when doing business on the net or to protect our privacy if we need to blow the whistle on someone or communicate with a support group.  These same tools can also be used by the bad guys.  You should be using encryption on your own computers so that your personal or business records are not compromised if your computer is stolen.  You can use anonymizing proxies (e.g. http://www.freeproxy.ru/en/free_proxy/cgi-proxy.htm) or anonymizing networks (e.g., http://www.torproject.org/) if you are a dissident living in a repressive society or would like to visit a mental health support group.  These are important tools when used by the good guys and make life harder for law enforcement when used by the bad guys.  Note that both of these technologies are far too important to give up just to make the job of law enforcement easier. 

 

But law enforcement does need to overcome tools of this type if they are to catch the people they are after.  This is where Magic Lantern, and its less prosaically named successor, "Computer & Internet Protocol Address Verifier" (CIPAV) come in.  These systems are officially sanctioned spyware, theoretically only used when permitted by the courts (in the US at least). 

 

Wired.com was able to get a bunch of documents on CIPAV under the Freedom of Information Act.  (See the Wired article at http://blog.wired.com/27bstroke6/2009/04/fbi-spyware-pro.html

and the documents at  http://blog.wired.com/27bstroke6/2009/04/get-your-fbi-sp.html)  You can get a clear picture of the use of CIPAV on pages 64 to 80 of the documents.  After being surreptitiously installed on your computer by exploiting some software bug, CIPAV sends the FBI information about your computer then starts monitoring computer activity.  Software like this is used by bad guys to steal your bank account passwords, in this case the FBI can use it to find your encryption keys.  Also, since your computer sends its actual location and other information directly to a FBI computer, using an anonymizing proxy will not hide you.  But something like Little Snitch (http://www.obdev.at/products/littlesnitch/index.html) may let you know that something funny is going on.

 

A very useful tool for law enforcement and, assuming it is properly applied, good for society.  But, even making the assumption that CIPAV will always be properly applied there are some real problems with it. 

 

The FBI depends on exploiting software bugs to install CIPAV.  I would like my software vendors to fix bugs that would let in spyware even if it makes life hard for the FBI - I hope that the software vendors are not leaving bugs unfixed or purposeful back doors just to help the FBI because sooner or later the bad guys will find them and exploit them - maybe even against the FBI.  Also I'd like my antispyware software to find and report on all spyware but there have been reports that some of the antispyware companies have agreed to ignore the FBI spyware.  This provides a great opportunity for the bad spyware developers to create software that looks enough like the FBI spyware that the antispyware software will ignore it as well.

 

I do not know what the right answer is to law enforcement's problems but I would like it not to be to facilitate bad guys taking over machines all over the world just to make it easier for a particular bad guy to be caught.

 

disclaimer: Facilitating bad guys is not an explicit Harvard goal but one can not control one's graduates.  In any case Harvard has not expressed an opinion on CIPAV that I know of so the above review is mine.