Antivirus software will ignore FBI spyware: solutions

Sunder sunder at sunder.net
Mon Nov 26 11:49:30 PST 2001


Great and wonderful except:

1. If such spyware has already been installed on your system you can't
trust your OS, therefore:

	a. It may use your OS to hide the key capture log, so you
	   won't be able to just watch files.  Think of a kernel patch
	   that removes all references to a specific file, not just
	   sets it to be hidden.

	b. It may use your OS to hide that the OS was altered if you
	   decide to use a debugger, by patching the debugger also, and
	   when, say, "Finder" looks at the System file, it's really
	   looking at the inactive original one rather than the one
	   that was patched. (Or it could be an extension that hides
	   itself and the capture file from the OS, etc.)

2. Any hard drive you can access so can they.  "They" can patch your
disk:

	a. I'm not sure about newer MacOSes, but I remember that older
	   MacOSes, those on 68k boxes, stored driver code for the disk
	   on one of the blocks on the drive, so even if your OS wasn't
	   booted with the spyware, simply mounting that drive would
	   load the driver, and anything that goes with it.

	   I had the experience of having such a driver get corrupted
	   back when I used a Mac. I recall I had to use special software
	   to mount the disk without the old driver - actually to just zap
	   the old driver off the disk and replace it.

	b. If the malware is on your hard drive, it can propagate like
	   a virus to your iPod.  Sanitize your OS, only to have it
	   come back when you hook up said iPod.

3. Newer G3+ Macs use Open Boot PROM or some such, which lives in
EEPROM.  Such things can be patched at that layer and can propagate on
bootup.  Booting off a read-only disk (CDROM, etc.) wouldn't help in this
case.

4. If you live in a crowded area, your iPod can be lifted off you
in a false mugging, or a break-in, or pickpocketing while you're at a
restaurant, movie, etc.

5. Watching for files that change daily is a fool's task for the reasons
mentioned above, and the Sisyphean task it presents.  Better get the
equivalent of COPS or Tripwire to do the work for you, but they too can be
tampered with.

6. If McAfee bent over to the Feds, you can be sure that so will the
makers of Zone Alarm and other firewalls.

7. Remember, they don't need to capture all your keystrokes.  Just the
ones you use as passphrases.  And they don't need to copy your whole hard
drive, though they easily could when you're out of the house.  Just your
secret key file and your passphrase.

8. If you shut off your computer when you leave your house, it makes their
job that much easier.  If you leave it on, they could note what's open and
put it back to the same spot.

9. If you use a login screen, etc., they could simply run something that
would take a snapshot of your desktop, shut down your Mac, install the
malware/copy your files, then boot off of a floppy that displays the
screen you left up, plus a Type 1 Bomb (MacOS equivalent of the blue screen of
death), and eject the floppy, thus making it look like your Mac crashed;
or simply go down to the basement and trip your circuit breakers, making
it look like you've had a power failure (even UPSes run out at some
point.)

10. Ordered any new copies of a bit of software?  Maybe they have a deal
with FedEx, UPS, the Mailman.  Maybe what you're getting is the upgrade
and then some.  How can you tell that copy of SmallTalk doesn't carry an
extra bit of code just for you?  How can you tell that the latest patch to
MacOS you've just downloaded really came from Apple?  Sure DNS said it was
from ftp.apple.com but how do you know that the router upstream from your
internet provider didn't route your packets via ftp.fbi.gov?

Once they have physical access, you're fucked.  Remote access is almost as
dangerous as them having physical access; however, it can work in your
favor as they won't be as familiar with your environment, and thus are far
more likely to expose the malware to you.

Sure, all of these things are more or less preventable, except for
physical access, and a lot of these come down to trust and reputation.  
But reputation and trust are also rubber hose-able (if there is such a
word.)  :)

You can trust your best friend until you find out otherwise.  You can
trust your bank until you find out otherwise.  You can trust your software
provider until you find out otherwise.  But by the time you've found out,
if you've found out at all, you've already been fucked.
----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\
  \|/  :aren't security.  A |share them, you don't hang them on your/\|/\
<--*-->:camera won't stop a |monitor, or under your keyboard, you   \/|\/
  /|\  :masked killer, but  |don't email them, or put them on a web  \|/
 + v + :will violate privacy|site, and you must change them very often.
--------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------

On Mon, 26 Nov 2001, Tim May wrote:

> Some interesting tips (bottom of this message) for detecting FBI/SS
> snoopware that NAI/McAfee is now assisting the FBI in installing.
> 
> I especially like the idea of "type hundreds of random key strokes and
> see which files increase in size." (Or just look for any file size
> changes, as most of us type tens of thousands of keystrokes per day.)
> 
> The mathematical side of most encryption is vastly stronger than the
> "crypto hygiene" side. There's a reason "code rooms" and "crypto
> shacks" on military ships and bases have lots of hoops to jump through,
> with locked boxes, double-keyed switches, controlled access, etc.  
> 
> Most users of PGP take no steps to secure key materials. (I plead
> guilty, too.) Most of us are used to immediate access, and we want
> crypto integrated with our mail. The notion of going to a locked safe,
> taking out the laptop or removable hard drive, ensuring an "air gap"
> between the decoding system and the Net, and checking for keyloggers
> and hostile code, and so on, is foreign to most of us. 
> 
> The "dongle" idea (e.g., Dallas Semiconductor buttons, etc.) has been
> around for a long time. Here's a new twist: the Apple iPod music
> player. I just got one. A 4.6 GB hard disk (Toshiba 1.8"). Hooks up via
> Firewire/IEEE 1394, with the link recharging the battery and
> auto-linking. The disk can also be mounted as a standard Firewire disk.
> Meaning, it could be used to store key material and even be used for
> PGP scratch operations. The increased security comes from its small
> size (easy to lock up) and because I usually have it with me when I am
> away from home. This makes "sneak and peek" searches and plants of
> malicious code less useful. Not a complete solution. Crypto hygiene and
> all.
> 
> Here's the article:
> 
> > Path: sjcpnn01.usenetserver.com!e420r-sjo4.usenetserver.com!sjcppf01!usenetserver.com!hub1.nntpserver.com!headwall.stanford.edu!newsfeed.stanford.edu!sn-xit-01!sn-post-01!supernews.com!news.supernews.com!not-for-mail
> > From: Rastus P. Riley <an11211 at hushmaildot.com>
> > Newsgroups: misc.survivalism
> > Subject: Re: Antivirus software will ignore FBI spyware: solutions
> > Date: Mon, 26 Nov 2001 12:37:27 -0800
> > Organization: Posted via Supernews, http://www.supernews.com
> > Message-ID: <1m950usq1saskrs1g0ajmdi5h3e49fcd8b at 4ax.com>
> 
> > 
> > On 25 Nov 2001 21:48:28 GMT, phatmike at isomorphic.net (phatmike) wrote:
> > 
> > >> According to the Washington Post, "At least one antivirus software company,
> > >> McAfee Corp., contacted the FBI on Wednesday to ensure its software wouldn't
> > >> inadvertently detect the bureau's snooping software and alert a criminal
> > >> suspect."
> > >> 
> > >> http://www.washingtonpost.com/wp-dyn/articles/A1436-2001Nov22.html
> > 
> > 1.  Use a secure type of OS with login screen for every session
> >          a.  Log out after every use
> >          b.  If house invaded, Feds need to have initial login
> >               password to insert trojan.
> > 
> > 2.  Use In/Out firewall
> >          a.  Zone Alarm Pro
> >          b.  Monitors in/out traffic
> >                   1.  If trojan tries to send data, then firewall will
> >                        highlight it.
> > 
> > 3.  Always check for small programs by last accessed date.
> >           a.  Uncheck hidden files
> >           b.  Look for files that increase in size by testing with 300
> >                random keystrokes.
> > 
> > 4.  Use Proxies, don't run attachments, don't use
> >      Outbreak Express.
> > 
> > Hope this helps,
> > 
> > -Rastus
> 
> 
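As an added example (not part of this thread or of any tool it names), a minimal Tripwire-style check in Python that addresses point 5 above: the baseline of file sizes and SHA-256 hashes is sealed with an HMAC under a key kept off the host (on the removable disk Tim describes), so editing the baseline on a compromised box is itself detected. The tree and key in demo() are constructed; the check still cannot see through a kernel that lies about file contents (point 1a).

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    # SHA-256 of a file, read in chunks so large files do not load into memory
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Size and SHA-256 of every regular file under root, keyed by relative path."""
    return {str(p.relative_to(root)): {"size": p.stat().st_size, "sha256": hash_file(p)}
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal(baseline: dict, key: bytes) -> dict:
    """Serialize the baseline and attach an HMAC; the key must live off the host."""
    body = json.dumps(baseline, sort_keys=True)
    return {"baseline": body, "mac": hmac.new(key, body.encode(), "sha256").hexdigest()}

def unseal(sealed: dict, key: bytes) -> dict:
    """Return the baseline only if its HMAC verifies; None means it was edited."""
    expected = hmac.new(key, sealed["baseline"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        return None
    return json.loads(sealed["baseline"])

def compare(old: dict, new: dict) -> dict:
    """Report files that appeared, vanished, or changed size/content since the baseline."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p])}

def demo() -> tuple:
    """Constructed scenario: baseline a small tree, then simulate a growing capture log."""
    key = b"constructed-key-kept-on-removable-disk"   # hypothetical, never stored on the host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.bin").write_bytes(b"\x00" * 1024)
        (root / "prefs.txt").write_text("theme=dark\n")
        sealed = seal(build_baseline(root), key)
        (root / "prefs.txt").write_text("theme=dark\nqwertyuiop\n")   # file grew after typing
        (root / ".cache").write_bytes(b"\x01\x02")                   # new hidden file appeared
        diff = compare(unseal(sealed, key), build_baseline(root))
        # an attacker who edits the stored baseline (e.g. the recorded size) breaks the MAC
        tampered = dict(sealed, baseline=sealed["baseline"].replace("1024", "1025"))
    return diff, unseal(tampered, key) is None
```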