Wiretap Denied, Malware It Is

Posted by on Apr 21st, 2009 and filed under Legal, Security, Software.


Everyone is piling on the wiretap debacle in a way that makes it look like the government was killing puppies. There are plenty of examples by NYTimes, The Washington Post, CNN, CNET News. I get it, people don’t like to have someone listening while they talk to their mom. But what strikes me as very hypocritical is the positive press the FBI received for spreading malware to spy on people.

CIPAV (CIPAV stands for Computer and Internet Protocol Address Verifier) lets the FBI trick a suspect’s computer into identifying itself to police, much as an exploding dye packet might identify a bank robber.

One document from March 2007 indicates that the FBI originally used a simple technique known as a “Web bug.” Written by the Justice Department’s Computer Crime and Intellectual Property Section, it says “some investigators have begun to use an investigative technique referred to as an ‘Internet Protocol Address Verifier’ (IPAV), a/k/a a ‘Web bug.’”

Then the bureau appears to have shifted to actual software, once known as Magic Lantern (possibly a Trojan Horse) and then CIPAV.

One example of CIPAV’s use came in a March 2006 request to the FBI’s Cryptologic and Electronic Analysis Unit. It said a victim’s Hotmail account is controlled by a suspect who “is extorting the victim because the account had personal info in it. Subject wants victim to set up an e-gold.com account and transfer $10,000 there and then email the userid/pwd to the subject.”

Another was an August 2005 request saying a hacker deleted a company’s database and “is extorting the victim company for payment to restore it.” CNET

So are we now saying that monitoring over the standard phone lines is a horrible no-no, but we can start spreading malware to suspects as we see fit? There is nothing in the article that discusses warrants, and going back to a 2007 article by Wired, a warrant was said to have been obtained in that particular case, but this was also noted:

Under a ruling this month by the 9th U.S. Circuit Court of Appeals, such surveillance — which does not capture the content of the communications — can be conducted without a wiretap warrant, because internet users have no “reasonable expectation of privacy” in the data when using the internet.

I see the free speech issues with everything, but what honestly scares me is how far does this malware dig? And how easy would it be for someone to take control over it? What are your thoughts on the issue?
