FBI-CIPAV.exe is an unknown application. Install anyway?
July 20, 2007 12:35 PM   Subscribe

FBI's CIPAV nabs first victim: Former Timberline High School student is the first (known) person to be caught by the FBI's secret spyware program, known as CIPAV (Computer and Internet Protocol Address Verifier). Wired broke the story Wednesday, then received a form letter from the FBI in response to a few key questions. (more inside)
posted by mrgrimm (27 comments total) 1 user marked this as a favorite
First, headline attribution. Next, the CIPAV affidavit. If you're wondering how CIPAV gets past security software, How does CIPAV work? (also Wired). Also, Will security firms detect police spyware? (News.com).

Interesting line from original Wired article: "Under a ruling this month by the 9th U.S. Circuit Court of Appeals, such surveillance -- which does not capture the content of the communications -- can be conducted without a wiretap warrant, because internet users have no "reasonable expectation of privacy" in the data when using the internet."
posted by mrgrimm at 12:35 PM on July 20, 2007

Isn't it inevitable that the program will be deliberately captured and reverse-engineered to find new vulnerabilities? Someone could cook up a really nasty worm based on this.
posted by topynate at 12:45 PM on July 20, 2007

I hate the term "reasonable expectation of privacy." Its subjectiveness is excruciatingly obvious, but it's also vulnerable to circular reasoning. If it's possible for law enforcement to monitor a medium, then there's no reasonable expectation of privacy, therefore it's legal for law enforcement to monitor the medium.

It should be "reasonable desire for privacy" for legal purposes, in my opinion. If we're forced to resort to subjectiveness, at least that's a less fallacious approach.
posted by Riki tiki at 12:47 PM on July 20, 2007 [4 favorites]

Next time, Josh will remember to use Knoppix.
posted by four panels at 1:00 PM on July 20, 2007

"reasonable expectation of privacy"

NObody expects the Spanish Inquisition.
posted by psmealey at 1:06 PM on July 20, 2007

Couldn't it simply be a remote image link hosted on the FBI's server? For instance, if you click this link, I can check my logs and find your IP address.

If I posted such an image to a MySpace page, I could check the logs and see which IP addresses accessed the image.
posted by odinsdream at 1:23 PM on July 20, 2007
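To show what the "remote image link" in the comment above actually yields, here is an added example (not code from the article, the FBI or MetaFilter): a minimal Python web beacon that serves a 1x1 GIF and records, for each fetch, the connecting IP address plus whatever the browser volunteers in its headers. The addresses, paths and file name (`beacon.log`) are assumptions for illustration. Note that this only captures what an ordinary web server log already contains; it does not reach anything on the client machine.

```python
"""Web beacon (tracking pixel) logger. Added example; not from the article.

Serves a 1x1 GIF and logs who fetched it. The fields recorded (client IP,
User-Agent, Referer) are exactly what any web server log would show, which is
all a remote image link can tell you about the viewer."""
import datetime
import http.server

# Smallest valid transparent 1x1 GIF (43 bytes).
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
             b"\x00\x02\x02D\x01\x00;")


def beacon_record(client_ip, headers, path, when=None):
    """Build the log record for one beacon hit.

    `headers` is any mapping of header name to value; keys are normalised to
    lower case so the lookup is case-insensitive. X-Forwarded-For is recorded
    separately rather than used as the client IP, because the client can set
    that header to anything it likes."""
    h = {k.lower(): v for k, v in headers.items()}
    when = when or datetime.datetime.now(datetime.timezone.utc)
    return {
        "time": when.isoformat(),
        "ip": client_ip,
        "forwarded_for": h.get("x-forwarded-for"),
        "user_agent": h.get("user-agent", "-"),
        "referer": h.get("referer", "-"),
        "path": path,
    }


def format_record(rec):
    """One log line per hit; repr() keeps header values with spaces readable."""
    return ("{time} ip={ip} xff={forwarded_for} path={path} "
            "ref={referer!r} ua={user_agent!r}").format(**rec)


class BeaconHandler(http.server.BaseHTTPRequestHandler):
    """Answers every GET with the pixel and appends a record to beacon.log
    (file name is an assumption for this example)."""

    def do_GET(self):
        rec = beacon_record(self.client_address[0], self.headers, self.path)
        with open("beacon.log", "a") as f:
            f.write(format_record(rec) + "\n")
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        # no-store forces a fresh request (and a fresh log line) on every page view
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, *args):
        pass  # we write our own log; keep stderr quiet


if __name__ == "__main__":
    # Embed as <img src="http://<host>:8080/pixel.gif"> on a page the target views.
    http.server.HTTPServer(("0.0.0.0", 8080), BeaconHandler).serve_forever()
```

Run it, embed the image URL on a page, and `beacon.log` fills with one line per view. The point odinsdream raises holds: this gets you an IP and a User-Agent, not the MAC address, open ports or running-program list the affidavit describes.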

The next step presumably would be to make the use of anti-spyware software illegal? Could easily be seen as interfering with police business, I'd think...
posted by Aversion Therapy at 1:24 PM on July 20, 2007

Did you mean the Wednesday link to duplicate the first link?
posted by Pronoiac at 1:32 PM on July 20, 2007

I knew there was a good reason to not accept the friend requests from all those "girls". I knew they were government agents trying to go after my trix.
posted by Stynxno at 1:40 PM on July 20, 2007

Couldn't it simply be a remote image link hosted on the FBI's server?

No, that wouldn't capture nearly as much information as this thing does, according to the article. That might well be how they identified his machine in the first place, though.

Just another reason to run as a non-administrator.
posted by me & my monkey at 1:44 PM on July 20, 2007 [1 favorite]

Sanders wrote that the spyware program gathers a wide range of information, including the computer's IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer's registered owner and registered company name; the current logged-in user name and the last-visited URL.

The CIPAV then settles into a silent "pen register" mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every computer to which the machine connects for up to 60 days.

Damn, that's a lot of data. I wonder what criteria they use to decide when to deploy this sucker? I'm not gonna lie, I've been a die hard PC user (read noob if you like) since a young age but my next comp might just be a Mac.

What are the chances that they have a similar program ready to deploy against Apple systems? "Buy a Mac" seems like such an easy workaround to this that I don't think the FBI would let it slide.
posted by baphomet at 2:02 PM on July 20, 2007

The FBI knows that people with macs just post outraged blog links instead of actually committing crimes.
posted by klangklangston at 2:13 PM on July 20, 2007 [2 favorites]

No video games for two years? That is cruel and unusual punishment for a teen. Maybe he'll take up a real world game like chess or mail box baseball or something.
posted by robtf3 at 2:25 PM on July 20, 2007

They probably don't [feel they] need to get a warrant to install the software. I wouldn't put it past them to violate the trust relationship here. So I think the FBI rootkit is a bad thing.
posted by nervousfritz at 2:31 PM on July 20, 2007

I would very much like to do a man in the middle on a machine infected with this. Both for IP's and to see if that's really all it sends.
posted by IronLizard at 3:27 PM on July 20, 2007

Currently, the word being spread around the intarwebs is that the FBI uses Macs.

Whether they've figured out a way to exploit Mac OS X in the same way they've known how to exploit Windows is a whole different question. However, there are some things that you can do on pretty much any machine to get access to the information they are tracking. Most of it is a simple port scan and port sniffer. They probably can't get around a proper NAT/Firewall/Router such as a Sonicwall or Cyberguard, but they can at least tell you what kind of browser you are using based on log tracking from a server.

But, you know, I never set anything up like that before because I was asked to catch someone doing something on my network or anything like that...
At least not recently...
posted by daq at 4:06 PM on July 20, 2007

If you're not pinging anything wrong, you have nothing to worry about.
posted by wfrgms at 7:42 PM on July 20, 2007

Proof-of-concept exploits for Safari and Firefox have been demonstrated, but I'm not sure if there are any currently out in the wild. If they are, people are keeping fairly quiet about them.

I suspect that if you made it obvious what hardware and software configuration you were using, a suitably motivated opponent (like, say, the FBI) staffed by non-script-kiddies could probably turn up a new vulnerability in fully-patched software, given enough time to work. (The Safari vulnerability mentioned above was discovered after about 9 hours of concerted effort by some smart people. It has since been patched in an update.) So I don't think it's smart to be overconfident simply based on one's choice of OS or browser.

And much as I'm not a fan of security through obscurity, it's probably also advantageous, if one is using a configuration other than IE on Windows, to keep quiet about it (by which I mean both not mentioning it to other people, and setting the USER AGENT string to something else, like IE). At the very least that might give someone on the other end some more problems to solve -- although there are scripts that you can embed in a page to figure out the browser type based on rendering quirks that would let the cat out of the bag eventually.

Software that constantly watches everything that's running on your system and requesting outbound connections (most software firewalls on the PC, Little Snitch or Glow Worm on the Mac, or "lsof" on *NIX) should probably also be standard equipment for anyone these days. Not just those worried about the FBI, but anyone worried about people with similar capabilities and more nefarious intentions. (Though if you pick up a rootkit, it can easily disable monitoring software.)
posted by Kadin2048 at 8:51 PM on July 20, 2007
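The comment above suggests `lsof` on *NIX as a poor man's outbound-connection monitor. Here is an added example (not from the article or any product mentioned in the thread) of the check a practitioner would script around it: parse `lsof -i -n -P` output, pick out every established connection to an address outside the local networks, and flag the ones that come from a process you did not expect. The sample output embedded below is constructed; the process names, PIDs and addresses in it are made up. As Kadin2048 notes, a rootkit that hides its process from `lsof` defeats this, so it is a detection for the unsubtle case only.

```python
"""Flag unexpected outbound connections in `lsof -i -n -P` output.

Added example; not from the article. Run `lsof -i -n -P` and feed its output
to parse_lsof(); compare the result against the processes you expect to talk
to the internet. The sample below is constructed for illustration."""
import ipaddress
import subprocess

SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox  1234 josh   45u  IPv4  12345      0t0  TCP 192.168.1.5:51234->203.0.113.80:80 (ESTABLISHED)
sshd      987 root    3u  IPv4   4321      0t0  TCP *:22 (LISTEN)
updater  5678 josh   12u  IPv4  22222      0t0  TCP 192.168.1.5:51299->198.51.100.10:443 (ESTABLISHED)
cupsd     555 root    7u  IPv6   3333      0t0  TCP [::1]:631 (LISTEN)
mystery  6666 josh    9u  IPv4  44444      0t0  UDP 192.168.1.5:5353->198.51.100.7:5353
"""

# Explicit list of "local" ranges rather than ipaddress.is_private, so that the
# documentation/TEST-NET addresses used in the sample count as remote.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def split_hostport(s):
    """'203.0.113.80:80' -> ('203.0.113.80', '80'); '[::1]:631' -> ('::1', '631')."""
    host, _, port = s.rpartition(":")
    return host.strip("[]"), port


def parse_lsof(text):
    """Turn `lsof -i -n -P` output into a list of connection dicts.

    Columns are COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; NAME may
    carry a trailing ' (STATE)' and, for connected sockets, 'local->remote'."""
    conns = []
    for line in text.splitlines()[1:]:       # skip the header row
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        cmd, pid, user, _fd, _typ, _dev, _size, node, name = parts
        state = None
        if name.endswith(")"):
            name, _, state = name[:-1].rpartition(" (")
        local, arrow, remote = name.partition("->")
        rhost, rport = split_hostport(remote) if arrow else (None, None)
        conns.append({"cmd": cmd, "pid": int(pid), "user": user, "proto": node,
                      "local": local, "remote_host": rhost,
                      "remote_port": rport, "state": state})
    return conns


def is_local(host):
    """True for loopback, RFC 1918, link-local and ULA addresses."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:       # '*' or an unresolved hostname
        return False
    return any(addr in net for net in LOCAL_NETS)


def unexpected_outbound(conns, expected):
    """Connections to non-local hosts from processes not in `expected`."""
    return [c for c in conns
            if c["remote_host"] and not is_local(c["remote_host"])
            and c["cmd"] not in expected]


def live_lsof():
    """Output of the real command on this machine (requires lsof installed)."""
    return subprocess.run(["lsof", "-i", "-n", "-P"], capture_output=True,
                          text=True, check=False).stdout


if __name__ == "__main__":
    # Processes you expect to reach the internet; everything else gets listed.
    expected = {"firefox", "sshd"}          # assumption for this example
    for c in unexpected_outbound(parse_lsof(SAMPLE_LSOF), expected):
        print(f"{c['cmd']}[{c['pid']}] {c['proto']} {c['local']} -> "
              f"{c['remote_host']}:{c['remote_port']} {c['state'] or ''}")
```

Against the sample this lists `updater` and `mystery` and stays quiet about `firefox`, the listeners and the loopback socket. In practice you would seed `expected` from a quiet baseline run and rerun the check periodically; a process that suddenly appears in the output with a long-lived connection to one address is exactly the "pen register" behaviour the affidavit describes.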

Does Vista User Account control prevent this kind of thing happening without permission?
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 9:28 PM on July 20, 2007

No, there have already been a few vulnerabilities that bypassed it. There was also supposedly something called bluepill, but apparently its avenue of entry was patched out of existence.
posted by IronLizard at 10:04 PM on July 20, 2007

So, for a computer idiot, explain how law enforcement would plant this software on someone making bomb threats. Wouldn't the user have to actively click on something? Most malicious code requires the user to do something dumb in order for it to get installed. Would this be the same sort of thing?
posted by Crotalus at 10:38 PM on July 20, 2007

This one (for example):

MS07-010 - Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution

Requires only the opening of a PDF on a desktop. On an exchange server, it doesn't require you to do anything.

I'm sure if you dig around the last few years you'll find at least fifty like it. Or worse.
posted by IronLizard at 11:05 PM on July 20, 2007

It should be "reasonable desire for privacy" for legal purposes, in my opinion. If we're forced to resort to subjectiveness, at least that's a less fallacious approach.

You're going to have trouble defining what a "reasonable" desire is without referring to people's ordinary expectations.
posted by Mr. President Dr. Steve Elvis America at 11:54 PM on July 20, 2007

NObody expects the Spanish Inquisition.

posted by Many bubbles at 2:36 AM on July 21, 2007

Cripes, didn't this guy see "Hackers":

PHREAK: What are you, stoned or stupid? You don't hack a bank across state lines from your house, you'll get nailed by the FBI. Where are your brains, in your ass? Don't you know anything?

CEREAL KILLER: Stupid, man. It's universally stupid.
posted by Mitheral at 6:12 PM on July 21, 2007

