As I See It: Policeware
August 6, 2007 Victor Rozek
Is it just me or is the Federal Bureau of Investigation running out of clever names for its clever software? I mean, first we had Carnivore, which conjures up something toothy and predatory; then we had Magic Lantern, which evokes mystical, Harry Potteresque powers; and now we have CIPAV, which sounds like, well, like it was written by IBM.
CIPAV is short for Computer and Internet Protocol Address Verifier, and we might never have heard of it if it wasn’t for the foolish antics of Josh Glazebrook. Glazebrook was a troubled student at Timberline High School near Olympia, Washington. Through some combination of boredom and malice, he thought it would be entertaining to threaten to blow up his high school. But although Glazebrook was apparently bright enough to engineer unidentifiable computerized bomb threats, he was not bright enough to understand that not everyone would be amused. Eager to share the digitized menace on his MySpace account–the not so subtly named timberlinebombinfo–he asked over 30 of his fellow students to link to it. That’s when one of the children’s parents notified the county sheriff.
The sheriff found that Glazebrook’s threats weren’t simply generic. As posted by political and technology writer Declan McCullagh at CNET News.com , Glazebrook was also “sending a series of taunting messages from Google Gmail accounts.” Curiously, although the threats were very specific, they showed a poor grasp of elemental math: “There are 4 bombs planted throughout Timberline High School,” Glazebrook warned. “One in the math hall, library hall, and one portable. The bombs will go off in 5 minute intervals at 9:15 am.” Well, perhaps there were only 3 bombs.
Regardless, not having a great deal of experience with computer-based terror threats, the sheriff called in the FBI. The first thing the FBI did was to procure account logs from Google and MySpace. What it found gave credence to Glazebrook’s cleverness and systems savvy. “Both pointed to the Internet Protocol address of 126.96.36.199,” McCullagh reports, “which turned out to be a compromised computer in Italy.”
That’s when the FBI did something almost unthinkable in today’s scofflaw environment: It requested a court order allowing them to unleash CIPAV–in this administration, a rare demonstrable act of respect for the rule of law, for which the agency should be applauded. That’s how we came to know a little bit about the program–from the supporting affidavit the FBI provided the court. In it, according to McCullagh, the agency concludes “that using a CIPAV on the target MySpace ‘Timberlinebombinfo’ account may assist the FBI to determine the identities of the individual(s) using the activating computer.”
The program, according to the agency, would be installed “through an electronic messaging program from an account controlled by the FBI.” Then it would report back Internet Protocol address, Ethernet MAC address, “other variables, and certain registry-type information.” Those other variables included, but were probably not limited to, the operating system type and serial number, the logged-in user name, and the Web URL to which the computer was previously connected.
But exactly how the program works and its full capabilities were kept confidential, for obvious reasons. Thus, questions remained: how does CIPAV actually get onto a target computer? How does it bypass security measures? Does it target flaws in specific operating systems? Can it also capture keystrokes? Are security software providers granting the FBI back-door entry? As the story broke, these and other unknowns appeared to be the chief concerns of the greater IT community.
The analysis by Kevin Poulsen, former blackhat hacker and currently senior editor at Wired, is typical of the concern. Poulsen hypothesizes: “It’s possible that the FBI used social engineering to trick Glazebrook into downloading and executing the malicious code by hand–but given the teen’s hacker proclivities, it seems unlikely he’d fall for a ruse like that. More likely the FBI used a software vulnerability, either a published one that Glazebrook hadn’t patched against, or one that only the FBI knows. MySpace has an internal instant messaging system, and a Web-based stored messaging system. (Contrary to one report, MySpace doesn’t offer e-mail, so we can rule out an executable attachment.) Since there’s no evidence the CIPAV was crafted specifically to target MySpace, my money is on a browser or plug-in hole, activated through the Web-based stored messaging system, which allows one MySpace user to send a message to another’s inbox. The message can include HTML and embedded image tags.”
Discovering how such a program works is both useful and a fascinating challenge for the technically minded, yet the technical aspects of CIPAV are only a fragment of the greater story. And it is, perhaps, the signature story of our time: In an era of maleficent governance, unbridled technology, and ever-present threat, how do we find the balance between preserving personal freedom and ensuring security?
Given the penchant of all governments toward secrecy, how can we even begin to guess what spying technology is available to be deployed against us. There are dozens of organizations, both military and civilian, whose missions are to gather intelligence of one sort or another. They are sustained by billions of dollars budgeted expressly for that purpose, plus an unknown number of black-budget dollars that support classified programs with little or no outside oversight. Even if such a program were disclosed and challenged in court, and even if the court ordered it disbanded, what proof would there possibly be of compliance? Who would be allowed entry to the proverbial secret, undisclosed locations and be given access to classified computer technology in order to verify that a ruling had been enforced.
If the FBI was willing to follow legal procedures in order to install CIPAV on Glazebrook’s computer (and thereby tip its hand), there’s a good chance that CIPAV is not that important a piece of the agency’s snooping puzzle.
With something as vast and unregulated as the Internet, very few of us have guaranteed control of what may be transmitted to our computers once we connect to the digital universe. Defending against hackers is far from foolproof; successfully defending against government intrusion is unlikely even for sophisticated computer users. The issue comes down to trust because verification is all but impossible. Can any government, swollen with power and self importance, be trusted to champion the Bill of Rights and act in the best interests of the nation? Without a greater degree of transparency, the question may be unanswerable. We are rarely privy to the methods or the times when covert surveillance works to our advantage–the times when serious threats are foiled and criminals are apprehended. But nor are we aware of the full range of abuses.
Few, if any, institutions that amass enormous power will voluntarily choose not to exercise it. And those who traffic in secrets tend to believe everyone else has them too. Imagine what the vengeful, suspicious, and reportedly deviant J. Edgar Hoover would have done if he had today’s technology at his disposal.
Checks and balances are the genius of the American system but, ultimately, for the system to work it requires its members to have greater allegiance to the Constitution and the rule of law than to the accumulation and exercise of power.
Mercifully, the Timberline bomb threat turned out to be a hoax. For his creative exertions, Josh Glazebrook was sentenced to 90 days in juvenile detention. As for the FBI, we now know a little more about its surveillance capabilities.
But for those of us who have respect and regard for a society based on checks and balances, and who passionately believe in the sanctity of individual rights, perhaps the most important and overlooked part of this story is not that the FBI has a new generation of spyware, or that a potentially deadly threat was thwarted, but that a powerful and secretive agency weighed in on the side of the Constitution and sought the sanction of the courts before taking action.