Monthly Archives: July 2004

Virus Checkers and the FBI

In 2001 the FBI used keystroke logging technology to gather evidence, which was then used to send perpetrators of a crime to jail. The public admission of the use of this software by the FBI led to a number of people digging to find out how the FBI interacts with companies that develop Virus Scanners. The main question was whether Virus Scanners would detect keylogging software developed by the FBI.

It is an interesting idea, which comes to my attention due to current studies in Computer Forensics and Cryptology. I have been doing a bit of thinking about how this might work out, and played with Google for a little bit to see just how unoriginal my ideas are. This blog is the collection of links I found while looking, as well as some various related thoughts. As most people reading this site will know, I am neither a great writer nor a security expert, so please read the rest of this with those preconditions in mind.

Let me share my googling results….

Just after the details of the FBI keylogging came out in 2001, a number of different people talked about the issues and ways that this might have happened. A good summary of the details is available here and here. Declan McCullagh is one of the more well-informed suspicious people.

There was a whole heap of interest in late 2001 and not a whole heap since (aside: Google is great — finding stuff that has changed recently isn’t its strong point, not necessarily Google’s fault I understand, some kind of semantic web is needed to make it possible to really know when things changed, and people will probably want to make things appear newer than they really are).
I was thinking a little about how to allow such a hole in the virus software without letting more malicious code take advantage (or at least not letting code that is not sanctioned by the government). I think that this is a hard problem but not unsolvable. There are a couple of different interesting approaches which come to mind (this is my 20 minutes of thinking on this, so with more time and money available to the FBI, I am sure they could do something better).

Let's start with a little discussion of two keyloggers, one called FBIK and the other called MalK, both of which use the same approach in their keylogging, and have very very similar signatures.

In order to deliberately avoid detection of FBIK, but pick up MalK, a digital signature could be used, i.e. the virus software would only allow keyloggers that were digitally signed by the FBI. The problem with this is that if FBIK is well understood, it could be set up to be completely separate from the malicious software, with the malicious software intercepting the logs and redirecting the information. It would take a bit of hacking, but is logically feasible. What would be needed is for the keystroke logger to encrypt the keystrokes as soon as it records them. This would of course make the data much less useful to anyone without the private key.

The fact that one of the biggest uses for this type of key logger is to get someone’s passphrase for encryption would make the requirements for having to include encryption software lower (not that the footprint is that big in the first place).

Then if that software was digitally signed, and the digitally signed software was allowed to be used by the Virus Scanner, you would end up with a safer system than if the virus scanner let that type of keystroke logger be on a system.

The information about the key logger could even be made relatively public knowledge, the biggest reason not to share about it being the fear of big brother being too bad. Of course being a bit more open about things that people already assume is there wouldn’t be a bad thing.

The other option that is interesting to think about is for the FBI not to give any details of FBIK to the virus scanning companies, instead doing something like this.

Keep a farm of machines that have up-to-date virus definitions, and a copy of FBIK running. Automate the machines and have them doing some activity that would cause FBIK to actively do its stuff. Then if any virus scanner detects FBIK, the FBI will know that they need to remove it from active service, and release FBIK 2.0. The risk here is that the FBI might be left in a position where FBIK is out in the wild and compromised, but they should be able to minimise this risk, and the expected usage patterns would also minimise this risk. If the FBI did have the farm of machines, they could even perhaps collude with the virus scanning companies (or telcos providing the backbone to the Virus Scanning companies) to ensure that they get updates slightly before others, allowing a window of opportunity to vet any virus definition updates that are risky for the FBI.

The thing about the latter option is that if the keylogging software is well written (remember people are getting paid real money to do it, and were probably in a position to devote a lot of time to writing it), it is likely that the virus protection software would never detect FBIK. Most Virus definition updates seem to be reactive rather than proactive, and so assuming that the FBI uses FBIK with some discretion, they will be safe from detection.

Some relatively interesting issues also float around this, and it makes good food for thought.

Garbage collection and hotmail

What algorithms do you use to clean up your web-based e-mail account when out of storage space?

Mine are first a size-based pass, then going through the recent messages and deleting them.

My approach is the one used in OO memory management systems…. My inbox has a spot for young, tenured, and permanent members. Young messages are often deleted quickly, but the tenured ones hang around longer, and permanent ones speak for themselves. When deleting messages I am often going for size, and my first sort is actually done by size, but my eye is looking for new messages to delete.

It seems to me like there is a feature for someone to implement…. a link to e-mails that could be deleted, where the link points to a list of e-mails ordered by size and date. Smarter features would include suggesting e-mails to delete because similar ones had been deleted before without being read, and removing ones from the list that don't get deleted while others do.
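As an added illustration (not code from the original post), here is one way the suggested feature could work: messages are bucketed into the young/tenured/permanent generations, ranked by size and date, and a small feedback record from earlier clean-ups boosts senders whose mail was deleted unread and drops senders whose mail kept being spared. The 30-day "young" threshold, the field names and the sample inbox are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Message:
    sender: str
    subject: str
    size_kb: int
    received: date
    read: bool
    flagged: bool = False  # user-pinned: the "permanent" generation

YOUNG_DAYS = 30  # assumed threshold: younger than this is "young", else "tenured"

def generation(msg: Message, today: date) -> str:
    """Bucket a message by analogy with generational garbage collection."""
    if msg.flagged:
        return "permanent"
    return "young" if (today - msg.received).days < YOUNG_DAYS else "tenured"

@dataclass
class CleanupHistory:
    """Feedback from earlier clean-ups so the suggestions improve over time."""
    deleted_unread_senders: set = field(default_factory=set)
    kept_senders: set = field(default_factory=set)

    def record(self, deleted: list, kept: list) -> None:
        # Mail deleted without being read marks its sender as a good suggestion;
        # mail kept while other mail was deleted marks its sender as "leave alone".
        self.deleted_unread_senders.update(m.sender for m in deleted if not m.read)
        if deleted:
            self.kept_senders.update(m.sender for m in kept)
        self.kept_senders -= self.deleted_unread_senders  # a deletion overrides an earlier keep

def deletion_candidates(messages, today: date, history: CleanupHistory = None) -> list:
    """Return messages in the order the user should consider deleting them."""
    history = history or CleanupHistory()
    ranked = []
    for m in messages:
        gen = generation(m, today)
        if gen == "permanent" or m.sender in history.kept_senders:
            continue  # permanent members and habitually spared senders never appear
        suggested = (not m.read) and m.sender in history.deleted_unread_senders
        ranked.append((m, gen, suggested))
    # Suggested first, then young before tenured, then biggest first, then oldest first.
    ranked.sort(key=lambda c: (not c[2], c[1] != "young", -c[0].size_kb, c[0].received))
    return [m for m, _, _ in ranked]

# Constructed sample inbox for the example.
TODAY = date(2004, 7, 20)
SAMPLE = [
    Message("boss@example.com", "Contract", 40, date(2004, 7, 18), True, flagged=True),
    Message("newsletter@example.com", "Weekly digest", 300, date(2004, 7, 19), False),
    Message("friend@example.com", "Photos", 2500, date(2004, 7, 10), True),
    Message("list@example.com", "Archive", 900, date(2004, 3, 1), False),
]
```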

Moving on from Nerdvana

I have recently started looking for my next contract/perm place of work. After spending my last contract in a place that was really great, it is hard to see where I will move on to next.

I was working with some pretty cool people like Zohar, Ian, and other really great people.

My manager had a clue, and his boss was great as well. The project was using new technologies, and as a team there was an attitude of trying to improve our processes and ways of working to get things done better. Moving to XP was a great experience.

All round it was a great gig, and I am sorry they couldn’t all come to Australia and work from here :).

Waking up to a blue sky every morning for the past month has made up for missing the great place of work. Not having to be in the Tube, and not hearing about people's commutes into work, is also nice.

The hard part is sorting out what I will do next. It’s a bit of a mini career crisis…..

I think that as far as being a senior Developer I have pretty much had the peak experience in an internal project team. It doesn't really get much better than the team I was just on (thanks guys).

I am looking at my options, thinking that I am not really keen to do the same old thing building data capture applications for people. As interesting as that can be, at the end of the day, it's not rocket science, no matter what people might think. The idea of getting together with some really good people in new technology, doing something interesting, is really pretty interesting. The other thought that has some appeal is the idea of doing further study, and picking up a PhD.

Happily I am in a position where money doesn't have to be an immediate concern. I want to find some work that is challenging and interesting. I have a mixture of idealism and pragmatism in my approach to life, and so would ideally like a job where I could make the world a better place, but realise that at the end of the day, it is just software :).

The other constraint that limits me somewhat is that I think Brisbane is one of the best places in the world, and relocation isn't an option at the moment. It is true that this limits my potential earnings, and the pool of available jobs is more limited than it would be elsewhere, but there is much more to life than just work (although being happy at work does help make the rest of life better).

I think I am going to take it easy and see if some of the companies doing interesting stuff in Brisbane, or with other cool stuff end up hiring, or if the weightlifters end up looking. Either that or until someone wants to pay me enough money to contract, or do something interesting.

I have been around for long enough to have people wanting to get things going so if that happens before any of the others I will be able to jump in :).

It will be interesting to see what happens next, and if the good things from my past will work out again.