Volume 4, Number 29 -- August 9, 2007

As I See It: Policeware

Published: August 9, 2007

by Victor Rozek

Is it just me or is the Federal Bureau of Investigation running out of clever names for its clever software? I mean, first we had Carnivore, which conjures up something toothy and predatory; then we had Magic Lantern, which evokes mystical, Harry Potteresque powers; and now we have CIPAV, which sounds like, well, like it was written by IBM.

CIPAV is short for Computer and Internet Protocol Address Verifier, and we might never have heard of it if it weren't for the foolish antics of Josh Glazebrook. Glazebrook was a troubled student at Timberline High School near Olympia, Washington. Through some combination of boredom and malice, he thought it would be entertaining to threaten to blow up his high school. But although Glazebrook was apparently bright enough to engineer unidentifiable computerized bomb threats, he was not bright enough to understand that not everyone would be amused. Eager to share the digitized menace on his MySpace account--the not so subtly named timberlinebombinfo--he asked over 30 of his fellow students to link to it. That's when one of the children's parents notified the county sheriff.

The sheriff found that Glazebrook's threats weren't simply generic. As posted by political and technology writer Declan McCullagh at CNET News.com, Glazebrook was also "sending a series of taunting messages from Google Gmail accounts." Curiously, although the threats were very specific, they showed a poor grasp of elemental math: "There are 4 bombs planted throughout Timberline High School," Glazebrook warned. "One in the math hall, library hall, and one portable. The bombs will go off in 5 minute intervals at 9:15 am." Well, perhaps there were only 3 bombs.

Regardless, not having a great deal of experience with computer-based terror threats, the sheriff called in the FBI. The first thing the FBI did was to procure account logs from Google and MySpace. What it found gave credence to Glazebrook's cleverness and systems savvy. "Both pointed to the Internet Protocol address of 80.76.80.103," McCullagh reports, "which turned out to be a compromised computer in Italy."

That's when the FBI did something almost unthinkable in today's scofflaw environment: It requested a court order allowing it to unleash CIPAV--in this administration, a rare demonstrable act of respect for the rule of law, for which the agency should be applauded. That's how we came to know a little bit about the program--from the supporting affidavit the FBI provided the court. In it, according to McCullagh, the agency concludes "that using a CIPAV on the target MySpace 'Timberlinebombinfo' account may assist the FBI to determine the identities of the individual(s) using the activating computer."

The program, according to the agency, would be installed "through an electronic messaging program from an account controlled by the FBI." Then it would report back the computer's Internet Protocol address, its Ethernet MAC address, "other variables, and certain registry-type information." Those other variables included, but were probably not limited to, the operating system type and serial number, the logged-in user name, and the URL of the Web page to which the computer was previously connected.

But exactly how the program works and its full capabilities were kept confidential, for obvious reasons. Thus, questions remained: how does CIPAV actually get onto a target computer? How does it bypass security measures? Does it target flaws in specific operating systems? Can it also capture keystrokes? Are security software providers granting the FBI back-door entry? As the story broke, these and other unknowns appeared to be the chief concerns of the greater IT community.

The analysis by Kevin Poulsen, former blackhat hacker and currently senior editor at Wired, is typical of the concern. Poulsen hypothesizes: "It's possible that the FBI used social engineering to trick Glazebrook into downloading and executing the malicious code by hand--but given the teen's hacker proclivities, it seems unlikely he'd fall for a ruse like that. More likely the FBI used a software vulnerability, either a published one that Glazebrook hadn't patched against, or one that only the FBI knows. MySpace has an internal instant messaging system, and a Web-based stored messaging system. (Contrary to one report, MySpace doesn't offer e-mail, so we can rule out an executable attachment.) Since there's no evidence the CIPAV was crafted specifically to target MySpace, my money is on a browser or plug-in hole, activated through the Web-based stored messaging system, which allows one MySpace user to send a message to another's inbox. The message can include HTML and embedded image tags."

Discovering how such a program works is both useful and a fascinating challenge for the technically minded, yet the technical aspects of CIPAV are only a fragment of the greater story. And it is, perhaps, the signature story of our time: In an era of maleficent governance, unbridled technology, and ever-present threat, how do we find the balance between preserving personal freedom and ensuring security?

Given the penchant of all governments toward secrecy, how can we even begin to guess what spying technology is available to be deployed against us? There are dozens of organizations, both military and civilian, whose missions are to gather intelligence of one sort or another. They are sustained by billions of dollars budgeted expressly for that purpose, plus an unknown number of black-budget dollars that support classified programs with little or no outside oversight. Even if such a program were disclosed and challenged in court, and even if the court ordered it disbanded, what proof would there possibly be of compliance? Who would be allowed entry to the proverbial secret, undisclosed locations and be given access to classified computer technology in order to verify that a ruling had been enforced?

No one.

If the FBI was willing to follow legal procedures in order to install CIPAV on Glazebrook's computer (and thereby tip its hand), there's a good chance that CIPAV is not that important a piece of the agency's snooping puzzle.

With something as vast and unregulated as the Internet, very few of us have guaranteed control of what may be transmitted to our computers once we connect to the digital universe. Defending against hackers is far from foolproof; successfully defending against government intrusion is unlikely even for sophisticated computer users. The issue comes down to trust, because verification is all but impossible. Can any government, swollen with power and self-importance, be trusted to champion the Bill of Rights and act in the best interests of the nation? Without a greater degree of transparency, the question may be unanswerable. We are rarely privy to the methods or the times when covert surveillance works to our advantage--the times when serious threats are foiled and criminals are apprehended. Nor are we aware of the full range of abuses.

Few, if any, institutions that amass enormous power will voluntarily choose not to exercise it. And those who traffic in secrets tend to believe everyone else has them too. Imagine what the vengeful, suspicious, and reportedly deviant J. Edgar Hoover would have done if he had today's technology at his disposal.

Checks and balances are the genius of the American system but, ultimately, for the system to work it requires its members to have greater allegiance to the Constitution and the rule of law than to the accumulation and exercise of power.

Mercifully, the Timberline bomb threat turned out to be a hoax. For his creative exertions, Josh Glazebrook was sentenced to 90 days in juvenile detention. As for the FBI, we now know a little more about its surveillance capabilities.

But for those of us who have respect and regard for a society based on checks and balances, and who passionately believe in the sanctity of individual rights, perhaps the most important and overlooked part of this story is not that the FBI has a new generation of spyware, or that a potentially deadly threat was thwarted, but that a powerful and secretive agency weighed in on the side of the Constitution and sought the sanction of the courts before taking action.

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034