[ISN] Magic Lantern reality check

From: InfoSec News (isnat_private)
Date: Tue Dec 04 2001 - 00:30:54 PST


    FBI 'Magic Lantern' reality check
    By Thomas C Greene in Washington
    Posted: 03/12/2001 at 12:41 GMT
    There's been a lot of noise since MSNBC's Bob Sullivan broke the story
    of a new viral snoop tool called 'Magic Lantern' which the FBI is
    purportedly developing to capture crypto passphrases so they can
    decrypt files on suspects' computers.
    Of course this all comes from an anonymous source whose level of
    access isn't even hinted at, so we remain unconvinced. The tool is
    described, Sullivan implies, in the blacked-out sections of a series
    of documents obtained by the Electronic Privacy Information Center
    under an FOIA request
    http://www.epic.org/privacy/carnivore/foia_documents.html. Right.
    Next, ZD-Net's Robert Lemos grabbed it and affected to be skeptical,
    calling it a Trojan. He said it was nothing new, but he didn't seem to
    doubt it exists.
    Then the Associated Press' Ted Bridis grabbed it and added another
    unsubstantiated embellishment, claiming that anti-virus outfit McAfee
    had contacted the FBI offering to engineer its products to fail to
    alert users when Magic Lantern heads their way.
    McAfee has flatly denied Bridis' claim. In reply, Bridis, like
    Sullivan, appealed to an anonymous source.
    So what we have here are three stories, none of which contains a
    single verifiable fact substantiating the existence of an FBI 'virus'
    or 'Trojan' or any conspiracy between the Feds and the AV industry to
    ensure that it remains undetected.
    Some truth 
    Assuming Magic Lantern exists, we can be sure that it's not a virus
    and that it's not a Trojan according to Lemos' examples of BO2K and
    SubSeven. The FBI simply is not going to root someone's box. That
    would give them remote access, which means they would blow the bust
    because they'd be open to reasonable doubt that they planted evidence.
    The only thing it could reasonably be is a simple self-extracting
    keylogger concealed as a friendly progie or upgrade, which is far from
    ground-breaking news. Software keyloggers like Ghost have been
    available for ages, and it's hardly surprising that the FBI might be
    interested in them http://www.keylogger.net.
    Technical challenges
    Getting the malware to the right person's machine will be a bit of a
    trial. For this, perhaps the FBI can leverage the malware propagation
    features cleverly coded into Microsoft Outlook and Outlook Express,
    and e-mail malicious porn files and whack-a-mole games to drug lords
    and international terrorists.
    Once a victim is infected, there are quite a few countermeasures he
    can employ. A proper firewall properly set up should inform a watchful
    user of any attempts by malware to phone home. Preventing e-mail from
    going out in secret is a bit more of a problem, but setting up a bogus
    default account might give one an edge.
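    As an added illustration of the phone-home countermeasure described
    above (example code, not from the article or The Register): a small
    Python egress checker that reads personal-firewall-style outbound
    connection records and flags any process, or any port, that is not on
    an allowlist. The log format, the sample lines, the process names and
    the allowlist are all constructed for this example and do not describe
    any real firewall product.

```python
"""Flag outbound connections that do not match an egress allowlist.

Added example, not from the article: a tiny model of the "firewall
informs a watchful user of attempts to phone home" countermeasure.
The log format, sample lines and allowlist are constructed.
"""
from dataclasses import dataclass

# Constructed sample of a personal-firewall outbound log.
# Assumed format: "<date> <time> <process> <remote_host>:<port>"
SAMPLE_LOG = """\
2001-12-03 12:41:02 outlook.exe mail.example.net:25
2001-12-03 12:41:05 iexplore.exe www.example.org:80
2001-12-03 12:42:17 svchost.exe 203.0.113.7:80
2001-12-03 12:43:00 whackamole.exe 198.51.100.9:25
2001-12-03 12:43:30 iexplore.exe 203.0.113.7:443
2001-12-03 12:44:10 iexplore.exe 203.0.113.7:25
"""

# Egress policy (constructed): which processes may talk outbound and on
# which ports. Anything else is what a watchful user should be told about,
# including mail (port 25) sent by something other than the mail client.
EGRESS_ALLOWLIST = {
    "outlook.exe": {25, 110},
    "iexplore.exe": {80, 443},
}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    process: str
    remote: str
    reason: str


def parse_line(line):
    """Split one log record into (timestamp, process, host, port)."""
    date, time, process, remote = line.split()
    host, port = remote.rsplit(":", 1)
    return f"{date} {time}", process, host, int(port)


def check_egress(log_text, allowlist):
    """Return an Alert for every record that violates the allowlist."""
    alerts = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts, process, host, port = parse_line(line)
        remote = f"{host}:{port}"
        allowed_ports = allowlist.get(process)
        if allowed_ports is None:
            # Unknown process talking outbound: the classic phone-home sign.
            alerts.append(Alert(ts, process, remote,
                                "process not in egress allowlist"))
        elif port not in allowed_ports:
            # Known process on an unexpected port, e.g. the browser
            # suddenly speaking SMTP.
            alerts.append(Alert(ts, process, remote,
                                f"port {port} not allowed for {process}"))
    return alerts


if __name__ == "__main__":
    for alert in check_egress(SAMPLE_LOG, EGRESS_ALLOWLIST):
        print(f"{alert.timestamp} {alert.process} -> {alert.remote}: "
              f"{alert.reason}")
```

    Run against the constructed log, the checker raises three alerts: the
    two unlisted processes (svchost.exe and whackamole.exe) and the
    browser's connection to port 25. The last case is the one the article's
    "e-mail going out in secret" worry is about: a per-process,
    per-port allowlist catches it even when the destination looks
    harmless.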
    Now, Windows has a handy 'system restore' feature which works wonders.
    Simply clean install the OS, load all your apps and progies and
    drivers, and back up your system before you do anything else. Once the
    backup is done, you can revert to the clean version periodically.
    In Win 9x, go to C:\Windows\System\Msconfig.exe and start the program.
    You'll find a button that says 'Create Backup'. That's how you take a
    'snapshot' of your system. Whenever you get the urge, just bring up
    the utility and hit the other button which says 'Restore Backup'.
    Goodbye Magic Lantern (probably).
    In Windows Me, 2K, XP, go to the Start menu, Programs, Accessories,
    System Tools, System Restore.
    You can also do this the hard way by following the twin-HDD routine
    elaborated in this article. This method is more troublesome, but more
    thorough if you prefer not to leave anything to chance.
    Search or wiretap? 
    Of course, even a simple keylogger is ripe for official abuse; and
    ever since the September 11 disaster Mueller's FBI and Ashcroft's DoJ
    have exhibited a most neurotic, Stasi-like compulsion to trample the
    Bill of Rights for the public good. The technology itself may be
    enormously duller than the press has been hoping, but it's perfectly
    suited to dirty deeds.
    The chief question is whether the Feds should be required to get a
    wiretap warrant which demands a higher level of evidence rather than a
    simple search warrant before they can use a keylogger.
    To my mind, logging someone's keystrokes is a lot more like a wiretap
    than it is like a search, and I personally believe that the conditions
    for a wiretap warrant should have to be satisfied before it can be
    The FBI will of course argue that if they have a search warrant to
    examine the files on someone's computer, and logging keystrokes to
    capture crypto passphrases is necessary for them to execute the search
    fully, then the right to do so is implied in the warrant.
    Another abuse that comes to mind is using any sort of data, including
    key logs, which has been gathered improperly to extract a confession
    during interrogations. If a suspect doesn't realize that the evidence
    against him is useless in court, he may be frightened into accepting a
    plea arrangement straight away.
    But this is not a problem specific to Magic Lantern; it's a problem
    specific to a frightened Bush Administration which has elected to take
    as many pages as it can from the Stalinist playbook to keep us safe
    from bad men who sneak about in the shadows and use violence,
    deception and coercion against us.
    I wouldn't worry too much about keyloggers. I'd worry a good deal more
    about the sudden, dramatic erosion of laws protecting us from their
    misuse by zealous, terrified Feds.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 02:06:08 PST