Dept. of mildly disturbing developments

There’s a small story on the net this week about the FBI cracking a bomb-threat hoaxer over the Internet. The kid made false threats about bombs in his high school and got caught, and is now serving 90 days in juvie.

None of that is disturbing. Stupid kid, stupid idea, but mild sentence because, well, he’s a kid. In this climate, he’s lucky he didn’t get sent to Gitmo, given that the Executive has made clear it believes it can do anything it wants to anybody it wants, but that’s not what this post was about.

The kid was caught up in what’s been called the Greater Internet Fuckwad Theory, which basically means online anonymity makes people act like assholes sometimes. He’d managed to get access to a compromised computer in Italy, which is where he was sending his threat mails from. This implies he was using a botnet, or at least had access to one. Again, not surprising. However, here’s where the story gets weird, and raises some legitimate questions.

The FBI sought and got permission to install, via messaging, a virus on the kid’s computer to aid their sleuthing. It was this virus that allowed them to find the kid. The questions this raises are interesting:

  • How’d they get their virus on his computer?
  • Why didn’t the kid’s anti-virus/anti-spyware tools catch the Feds’ virus?

The first answer is more or less apparent in the article; it got there via some messaging protocol, probably email. Everybody knows Windows is a joke security-wise, but most folks — even kids — have the message at this point that clicking weird shit you get in email is a bad idea. So there’s still some mystery here. Perhaps the Feds did just assume he’d be running IE and Outlook; it’s not out of the question.

The second answer is scarier. We can assume the kid had at least some technical knowledge, since he was using a botnet, so why didn’t his AV software catch the Feds? The possibilities are that either the Feds know about a Windows exploit nobody else knows about (either because they found it and are mum, or because someone built them a back door), or they’ve strong-armed AV makers into whitelisting their pet virus.

In the first case, they’re compromising everyone’s security by sitting on an exploit they think is theirs alone. It’s the responsibility of everyone in computing to alert software makers when flaws are found; the stakes on nefarious intrusion get higher every day, and the notion that this exploit will remain the exclusive province of law enforcement is simply laughable.

In the second case, it’s much creepier. If we paid Norton for a package to protect our machine from malware, we don’t want them to be in the business of whitelisting spybots just because the government says they’re ok. Either detect everything we might not want on the PC, or don’t represent yourself as protection. “Trust the government not to misbehave” is a nonstarter, as is the old “nothing to hide” argument.

Anyway, News.com surveyed several AV makers this week, and all said it was their “general policy to detect police spyware. Some, however, indicated they would obey a court order to ignore policeware, and neither McAfee nor Microsoft would say whether they’d received such a court order.”

The implications are clear: You cannot trust commercial malware-detection vendors. We know trusting governments is a bad idea. The only real option is to use a genuinely secure OS — something Unix-based — and seek open-source solutions to security problems. We doubt the Open Source community will be particularly compliant when the cops come calling for backdoors or whitelists.
