This story appeared on Network World Fusion at

'Net Insider:

Illuminating security holes

By Scott Bradner
Network World, 12/03/01            

The FBI would have been hard-pressed to create a better example of the problems with Internet wiretapping systems than it did by creating Magic Lantern. This is a case where the cure for a problem in one area causes a far greater problem in a number of others.

Law enforcement officials have been worried for quite a while about the potential impact on their ability to gather evidence of criminals using encryption technologies to protect data files and Internet communications. In the past, as a result of this worry, there have been government proposals to require that copies of all encryption keys be kept in a place that the government could recover them without notifying the user of the key. These proposals have failed in Congress in years past and in the aftermath of Sept. 11. The key escrow idea has a number of major problems, not the least of which is the fact that very good encryption technologies are widely known and implemented, and just about every potential bad guy already has them.

The FBI has been getting around the lack of an effective key escrow system by breaking into suspects' homes and offices and putting "Key Logger" software on their computers. This software captures all keystrokes on the computers and thus can capture the key sequence used to access the encryption keys. But Key Logger has a minor operational problem: It requires that someone break in and get access to the computers. This can be a bit hard in some cases and could easily reveal the fact that someone is being watched, just what the FBI does not want suspects to know.

Magic Lantern is a newly revealed FBI technique to use the same types of system vulnerabilities that hackers and virus writers have used to infect target systems on the Internet. The FBI good-guy-virus installs software that does the key logging without requiring anyone to sneak in the window - law enforcement breaks into Windows instead. This is just what some hacker viruses have done for a while.

A number of constitutional lawyers have issues with Magic Lantern, but I'll leave those issues to them. In my mind, there is an even bigger problem in that the FBI requires that the operating system have security vulnerabilities for Magic Lantern to work. Normally, security experts would like to see security holes filled as soon as someone finds them, but in this case, that would leave the FBI having to sneak in windows again. Will it be against the law to fix bugs?

But where is it written that only the FBI will know about a vulnerability? To enable the FBI, software vendors will have to enable Taliban hackers as well. The FBI's equation seems to be to require that millions of systems be vulnerable in order to observe a few people. Interesting math.

Disclaimer: In case the FBI is interested, Harvard does have a math department - but I did not ask members about this equation.

All contents copyright 1995-2002 Network World, Inc.