Skip the navigation

The FBI as an ethical hacker?

By Scott Bradner
April 21, 2009 12:00 PM ET

Network World - More details are emerging about how the FBI engages in hacking and the planting of spyware.

This story goes back to at least 2001 when Bob Sullivan of MSNBC and Ted Birdis of AP broke the story of Magic Lantern. At the time the FBI did not want to say much, but now there is real information that clears up some things and reinforces real concerns over this approach.

Law enforcement is faced with some very hard problems when it tries to find and get evidence on bad guys. There are a lot of tools that you and I can use to make the Internet safer when doing business on the 'Net or to protect our privacy if we need to blow the whistle on someone or communicate with a support group. You should be using encryption on your own computer so that your personal or business records are not compromised if your computer is stolen. You can use anonymizing proxies or anonymizing networks  if you are a dissident living in a repressive society or would like to visit a mental health support group. These are important tools when used by the good guys, but make life harder for law enforcement when used by the bad guys.

Though note that both of these technologies are far too important to give up just to make law enforcement's job easier.

Still, law enforcement needs to overcome tools of this type if they are to catch the people they are after. This is where Magic Lantern, and its less prosaically named successor, "Computer & Internet Protocol Address Verifier" (CIPAV), come in. These systems are officially sanctioned spyware, theoretically only used when permitted by the courts (in the United States at least).

Wired.com was able to get a bunch of documents on CIPAV under the Freedom of Information Act that help to explain it. (See the Wired article here and the documents here.) You can get a clear picture of the use of CIPAV on pages 64 to 80 of the documents. After being surreptitiously installed on your computer by exploiting some software bug, CIPAV sends the FBI information about your computer then starts monitoring computer activity (software like this is used by bad guys to steal your bank account passwords.). In this case, the FBI can use it to find your encryption keys. Also, because your computer sends its actual location and other information directly to an FBI computer, using an anonymizing proxy will not hide you. (But something like Little Snitch may let you know that something funny is going on.)

Reprinted with permission from NetworkWorld.com. Story copyright 2012 Network World, Inc. All rights reserved.
Our Commenting Policies