FBI, CIPAV, and the Windows Back Doors Revisited

Dr. Roy Schestowitz

2009-04-21 11:30:40 UTC
Modified: 2009-04-21 11:30:40 UTC

Summary: How (and why) the American secret services rely on Windows

THE back doors in Microsoft Windows are a serious issue that we've already covered, so there is no point doing it again. Adding to what we already know, there is now this report from Wired Magazine and another from IDG:

CIPAV spyware helped nab unemployed engineer angry over outsourcing

There is also a discussion at Slashdot and one reader of ours wrote: "A good question to ask is, what is it about Windows that allows CIPAV to be so easily activated? Does it even require visiting a contaminated Web site (see the Slashdot article)? What is it in Windows that allows such features?" Here is some relevant information which this reader sent to us:

CIPAV, which stands for "Computer and Internet Protocol Address Verifier," is secret surveillance software that the FBI used last month to help identify whoever was e-mailing bomb threats almost daily to a Washington high school.

[...]

The only clue in the affidavit is that the CIPAV would operate as a pen register for up to 60 days after the software had been "activated" by the recipient. In other words, the FBI swore that the monitor would "time out" after 60 days. But not that it would delete itself or not be able to spread in some worm or bot fashion.

This post neither defense nor criticism of malicious and dangerous behaviour that the FBI is rightly intercepting. It is merely recognition of the operation of Microsoft Windows.

It is not news that the FBI uses Windows viruses (there were several articles about it last year) and the DHS, which recently recruited Microsoft after pressure from the BSA, is now recruiting hackers. ⬆ ________ [1] FBI remotely installs spyware to trace bomb threat

While there's been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn't said much about it since. € €

[2] FBI ducks questions about its remotely installed spyware

There are plenty of unanswered questions about the FBI spyware that, as we reported earlier this week, can be delivered over the Internet and implanted in a suspect's computer remotely.

[3] FBI to Notify Microsoft Windows Users Who Were Victims of Botnets

The Department of Justice and FBI have announced the results of an ongoing cyber crime initiative to disrupt and dismantle “botherders” and elevate the public’s cyber security awareness of botnets.

[4] FBI: Operation Bot Roast finds over 1 million botnet victims

The Department of Justice and FBI Wednesday said ongoing investigations have identified more than 1 million botnet crime victims.

Comments

Yggdrasil

2009-04-22 00:30:09

You are misleading people, again. You should have cited this from the Computer World article:

"Some user action was CLEARLY REQUIRED to infect the PC with the CIPAV. In the warrant application, the FBI used the term activate several times and alluded to a spyware plant failure if the target did not trigger the CIPAV through the targeted MySpace account. MySpace accounts can't receive traditional e-mail, so one hacker standard -- attach the CIPAV to a message and hope the recipient is stupid enough to launch it -- wasn't available"

Exactly. If you want to infect a Linux users, it's as simple as sending them some program and getting them to run it. You also mention Slashdot, but of course, you only mention comments that would be critical of Microsoft. How about these comments instead? Both of which received high rankings.

"What makes you think they don't have a variant for Linux? User stupidity (i.e: bad/no security) isn't unique to Windows. Off the top of my head, if they are relying on the web as an infection vector combined with user stupidity, why not write it into a Firefox extension?

Yeah, it wouldn't get your typical /. geek, but most criminals aren't known for their foresight or intelligence. "Oh, the private website with the bank account information needs me to install this software! Ok, what could possibly go wrong?"

In response to that:

"This is an excellent statement. Stupidity knows no bounds. Its also dangerous to assume that the FBI doesn't know what it is doing. When I worked in law enforcement, the FBI computer crimes agents I knew were well versed in operating systems other than Windows. The two I worked with most often had a solid knowledge of Linux and Cisco IOS."
Roy Schestowitz

2009-04-21 16:14:32

There's this recent incident.
The Mad Hatter

2009-04-21 16:03:18

Based on what I've read, you are regarded as a probable threat if you run an OS or Web Browser that CIPAV cannot infect. The reasoning seems to be that if you have made the choice to run Linux/OSX or use Firefox/Opera on Windows instead of Internet Exploder, you must have something to hide.

No, I don't have details or a link, I remember reading this a while back somewhere, and now can't remember where.
Brian Assaf

2009-04-24 00:53:06

"If you want to infect a Linux users, it’s as simple as sending them some program and getting them to run it."

Um. That easy huh? By default files aren't executable, so it would require changing the permission. It would also need to be run as root to infect the whole system. How about dependencies? How about architecture differences. Just x86 or 64-bits? MIPS? Arm? So on and so forth. Linux isn't a monoculture (no pun intended here guys/gals!) like the Windows ecosystem is.

Even a pre-packaged deb (which can be installed ala double click in Ubuntu) would ask for a password, and again, wouldn't be viable for every Linux distribution out there, architecture not withstanding.

Having to run something out of the blue is odd if you use a package management system. Cryptographically signed, easily installed/uninstalled and updated (and source available for those interested.)

Although maybe I'm alone in the 24,000+ packages available in Ubuntu being enough for regular computer use.

My point here is I've unlearned a habit, there is no need to grab software willy nilly off the net. Instead check the repos, and check the source of software. Do you trust it, etc and why should I install this. Plus does it behave like a rootkit, if so then it can be scanned for, if this really does become some sort of popular vector...

So, yes, you could use social engineering to get someone to install something, but the process should set off a red flag in the user. There isn't some autorun or double click deal here. For those users that understand binaries are a blackbox, where no one can inspect, change, etc. anything, install at your own risk.

Gemini Links 19/06/2025: Unix Primitivism, Zine Club, and Gemini Protocol Turns 6 at Midnight: Links for the day
Links 19/06/2025: WhatsApp Identified as Assassination 'Crosshairs', Patreon Now Rips Off People Even More: Links for the day
"Told You So": Another Very Large Wave of Microsoft Layoffs Now Confirmed in Mainstream Media: So we were right to believe the rumours, based on the credibility of prior such rumours
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Wednesday, June 18, 2025: IRC logs for Wednesday, June 18, 2025
Gemini Links 18/06/2025: Magit and Farming: Links for the day
Slopwatch: BetaNews is Now a Slopfarm (Like Linuxsecurity) and Google News is Overwhelmed by Slopfarms: The Web is bad
Links 18/06/2025: SCOTUS Decision on Fentanylware (TikTok) Still Ignored, 4.5-Day Work Weeks: Links for the day
Links 17/06/2025: Windows TCO and G7 Rifts: Links for the day
The Right to Know and the Freedom to Report on Crime (at the Higher Echelons): I'd like to do the same thing for the next 20 years
BetaNews Appears to Have Fired All Of Its Staff: Even serial sloppers
After the Web Becomes Slopped to Death: A lot of people are rightly fed up with the "modern" Web
Gemini Protocol Turns 6 on Friday: Active (online) Gemini capsules are estimated by Lupa at over 3,000
Microsoft's Windows is a Niche Operating System in Africa: African nations aren't a large contributor to Microsoft's income, but if many African nations move away from Windows, then the monopoly is at risk
Like Most Social Control Media, Microsoft LinkedIn is Collapsing: One reason for Microsoft acquisitions is debt-loading, i.e. offloading and burying its debt
Microsoft is Losing Its Richest Clients: Unlike some very poor countries, Germany and the EU are a considerable source of income to Microsoft
Proprietary Means Not Secure: Proprietary software tends to rely on secrecy, not good design
Slop in 'AI' Clothing is a Passing Fad, We'll Get Past It (Like Blockchain Before That): Many people cheat in exams using slop and there are professionals that try using slop as a "shortcut"
GNOME Does Not Campaign Against Microsoft, KDE Does: It's good to see that KDE is still active in promotion of Free software - a term that it uses
Slopwatch: BetaNews, Linuxsecurity, and Other Prolific Slopfarms: name and shame the sites that establish such proliferation of slop
Gemini Links 18/06/2025: Birch Lake and Loon Pond: Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Tuesday, June 17, 2025: IRC logs for Tuesday, June 17, 2025
Links 17/06/2025: "The Grift Economy" and Kubernetes Does Proprietary: Links for the day
Microsoft's "FUD-as-a-Service" (Against Linux) Not Functioning Well: This is the kind of contribution companies like Microsoft and Google have to offer to society
Betanews Becoming a Slopfarm is "Betanews Growing Alongside You", According to Betanews: Their first 'article' in over two weeks is 52% "AI-generated" (slop), 33% mixed (edited slop), 18% human-written, says an advanced scanner.
Coffee Day and LLM Sloppers: The LLM slop "bros" are a lot like fake-money bros; they lie to people, they boast that they lie to people, and they're generally bad people, BS artists in colloquial terms
Double-Dipping the Docket for Microsoft Glory and Censorship of Microsoft Critics: same lawyer, same barrister, all US, all Microsoft
TheLayoff Censorship of IBM Threads Has Gone Truly Ludicrous: we do not argue that TheLayoff should not cull LLM slop
More Stallmanites Added to FSF Board and Summer Fundraiser Commences: There's some good news from the FSF
Gemini Links 17/06/2025: Consistency and Notes About NixOS: Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Monday, June 16, 2025: IRC logs for Monday, June 16, 2025

FBI, CIPAV, and the Windows Back Doors Revisited

Comments

Recent Techrights' Posts