The FBI's Secret Spyware

Quote:

FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threats

FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News.

The court filing offers the first public glimpse into the bureau's long-suspected spyware capability, in which the FBI adopts techniques more common to online criminals.

The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.

In an affidavit seeking a search warrant to use the software, filed last month in U.S. District Court in the Western District of Washington, FBI agent Norman Sanders describes the software as a "computer and internet protocol address verifier," or CIPAV.

In the Washington case, the FBI delivered the program through MySpace's messaging system, which allows HTML and embedded images. The FBI might have simply tricked the suspect into downloading and opening an executable file, says Roger Thompson, CTO of security vendor Exploit Prevention Labs. But the bureau could also have exploited one of the legion of web browser vulnerabilities discovered by computer-security researchers and cybercrooks -- or even used one of its own.

"It's quite possible the FBI knows about vulnerabilities that have not been disclosed to the rest of the world," says Thompson. "If they had discovered one, they would not have disclosed it, and that would be a great way to get stuff on people's computer. Then I guess they can bug whoever they want."

FBI Spyware in a nutshell:

The full capabilities of the FBI's "computer and internet protocol address verifier" are closely guarded secrets, but here's some of the data the malware collects from a computer immediately after infiltrating it, according to a bureau affidavit acquired by Wired News.

• IP address
• MAC address of ethernet cards
• A list of open TCP and UDP ports
• A list of running programs
• The operating system type, version and serial number
• The default internet browser and version
• The registered user of the operating system, and registered company name, if any
• The current logged-in user name
• The last visited URL

Once that data is gathered, the CIPAV begins secretly monitoring the computer's internet use, logging every IP address to which the machine connects.

All that information is sent over the internet to an FBI computer in Virginia, likely located at the FBI's technical laboratory in Quantico.

Is this even legal?

How can the Court of Appeals claim that "internet users have no 'reasonable expectation of privacy' in the data when using the internet" when such things as data encryption exist?

Jam it back in, in the dark.

I either expect big legal fuss over this, or I expect the media to try to bury it under the rug, so to say.

How ya doing, buddy?

That is BS I don't want them tracking me and what I do

This thing is sticky, and I don't like it. I don't appreciate it.

This is the tip of the iceberg when it comes to government monitoring programs. You can imagine that if they are releasing this information out in the public, they've had it for quite some time and are likely to have even more advanced surveillance techniques.


Here's a fun little arktikle.
Yes, I know it's a conspiracy website.
No, I don't care.

While some of the conjecture of the author may not be sound, the items he mentions are real. Weeeeeee....

I am a dolphin, do you want me on your body?

lol.

"You have freedom of speech. But that doesn't apply to bad-words."
"We respect your privacy. Just not on the internet."

=I

I was speaking idiomatically.

So the government essentially employ hackers to track down pirates and criminals on the internets. This is surprising to anyone, why? Freedom has become a concept you read about in a book. Has no one paid any attention to the loss of Habeas Corpus, the Patriot Act, the Military Commission Act and all the other shadowy Bills getting signed in by our esteemed dear leader?

What kind of toxic man-thing is happening now?

They probably just sent him freexxxpornhotstufflolinotavirussexywomenbeastiali tysisterfuckedhardreallyreallynotavirus.jpg.scr.ex e.zip.openthisforonemilliondollars.gif.png.exe

FELIPE NO

Originally Posted by JackyBoy

So the government essentially employ hackers to track down pirates and criminals on the internets. This is surprising to anyone, why? Freedom has become a concept you read about in a book. Has no one paid any attention to the loss of Habeas Corpus, the Patriot Act, the Military Commission Act and all the other shadowy Bills getting signed in by our esteemed dear leader?

To be honest, it would seem weird to me if governments didn't employ hackers. The best hackers are the best experts in computer security; I imagine hackers in the sense of 'hardcore computer fanatics' are much more skilled than someone who just finished Computer Pros College. A government, especially at this age, would be pretty helpless and vulnerable without people like that. Of course, it gives conspiracy nuts a lot of ammo, and valid privacy concerns arise as well, but that's quite inevitable.

What, you don't want my bikini-clad body?

When I went on a business trip for work one of my trainer's was telling me that her husband at a very young age (like 15 or so) hacked into some sort of military computer bullshit and moved equipment across the country. They found out it was him and then basically black mailed him into showing them how he did it.

I'm not sure how true the story is, but if it IS true, that's some pretty fucked up shit.

Jam it back in, in the dark.

I think the main problem is that the internet is a worldwide thing. They could essentially spy on people from other countries using this and I could see that landing them in hot water if they piss off another government.

There's nowhere I can't reach.

I think that some people's assertions about hacker's abilities here are correct..they are the best at cracking security. Even if you encrypt your hdwith a long passphrase..with this program they could install a keylogger on your system and send your pass to their own gubmint computers.

In a related note..I recall the devs of Bioshock saying they are doing "online activation" with their release (not sure if its steam), saying it will prevent piracy. I seem to recall the same thing being said by the Half-Life 2 team.

This thing is sticky, and I don't like it. I don't appreciate it.

With this it would appear Anonymous isn't so Anonymous after all, at least in the eyes of the FBI.

I am a dolphin, do you want me on your body?

Originally Posted by Yggdrasil

With this it would appear Anonymous isn't so Anonymous after all, at least in the eyes of the FBI.

lol Anonymous.

It looks like it requires someone to open something in order for this to work, I wouldn't work with anyone that internets with a moderate amount of intelligence/paranoia.

On the other hand, I'm sure they have other tools that work better. This probably works much better then they let on...

Originally Posted by RacinReaver

They probably just sent him freexxxpornhotstufflolinotavirussexywomenbeastiali tysisterfuckedhardreallyreallynotavirus.jpg.scr.ex e.zip.openthisforonemilliondollars.gif.png.exe

loooooooooool.

I was speaking idiomatically.

It just seems like privacy was a luxury to a lot of people once upon a time. It just seems like that one of those days people can't even talk about controversial things.

The internet has been one of the best tools that people have used to express their opinions no matter how they might be perceived by other people. It just seems like with all the spy network, practically everything you say or do is being watched or heard by somebody else.

Its kind of shameful, but I suppose as long as there are people that are in a position of power that think in order for the world to be prosperous they have to be stuck into thinking and being one type of person, it'll only get worse before it gets any better.

Its only a matter of time, and practically every home in every state or province will be wired just to make sure we're not doing anything remotely bad by government standards.

What kind of toxic man-thing is happening now?

Wait. Let me get this straight, if a criminal uses that kind of program it is a violation of my privacy, but if the FBI does it... it is what, ok?

FELIPE NO

Government bodies have authority that private individuals do not? Amerikkka!!!

What, you don't want my bikini-clad body?

Originally Posted by Gumby

Wait. Let me get this straight, if a criminal uses that kind of program it is a violation of my privacy, but if the FBI does it... it is what, ok?

Is including a program that does all of these kinds of things actually illegal? I mean, isn't this pretty much the same thing that Banzai Buddy did?

Jam it back in, in the dark.

I wonder how long till somebody find a way to detect it and remove that BS syware

There's nowhere I can't reach.

Originally Posted by janus zeal

lol Anonymous.

It looks like it requires someone to open something in order for this to work, I wouldn't work with anyone that internets with a moderate amount of intelligence/paranoia.

On the other hand, I'm sure they have other tools that work better. This probably works much better then they let on...

loooooooooool.

In theory, they could exploit a buffer overflow in say, image decoding code. Or the HTML parser. Or corrupt the DOM tree and access a dangling pointer.

Then they could execute arbitrary code on your system, and you're basically hosed. This is exactly the same way people get exploited by spammers and turned into botnet zombies. It happens every day.

It's extremely unethical of the FBI to "hoard" a security vulnerability they know about, for any reason. They should disclose this sort of thing to the vendor.

Full disclosure: I work for a browser vendor.

Most amazing jew boots

Originally Posted by Aardark

Government bodies have authority that private individuals do not? Amerikkka!!!

I'd be a little more comfortable with this idea if they were required to get warrant before they could do this...

I am a dolphin, do you want me on your body?

They are.

Quote:

In an affidavit seeking a search warrant to use the software...

Try reading the OP's source article.

I was speaking idiomatically.

Well, the most important part is this:

Quote:

Under a ruling this month by the 9th U.S. Circuit Court of Appeals, such surveillance -- which does not capture the content of the communications -- can be conducted without a wiretap warrant, because internet users have no "reasonable expectation of privacy" in the data when using the internet.

The evidence they collected wouldn't be admissible under the search warrant if they had collected what he was doing, they were only allowed to track that he was doing something.

If they wanted to find out what he was doing, they would have required a wiretap warrant, which isn't much different from tapping someone's phone.

What kind of toxic man-thing is happening now?

Originally Posted by ramoth

In theory, they could exploit a buffer overflow in say, image decoding code. Or the HTML parser. Or corrupt the DOM tree and access a dangling pointer.

Then they could execute arbitrary code on your system, and you're basically hosed. This is exactly the same way people get exploited by spammers and turned into botnet zombies. It happens every day.

But, the people who the FBI really want to watch use SSH tunnels, proxies, and Linux boxes. When was the last time you heard of a Linux based zombie net?

Why does it seem that the government is putting way to much effort into watching the common citizen?

FELIPE NO

Because non-citizens are the CIA's turf?

What, you don't want my bikini-clad body?

Because, as this case proves, common citizens commit crimes too?

Jam it back in, in the dark.