title: Illuminating security holes


by: Scott Bradner


It would have been hard for the FBI to create a better example of the problems with Internet wiretapping systems than they did by creating Magic Lantern.  This is a case where the cure for a problem in one area creates a far greater problem in a number of other areas.


Law enforcement folk have been worried for quite a while about what criminals' use of encryption technologies to protect data files and Internet communications could do to the ability to gather evidence.  In the past, as a result of this worry, there have been government proposals to require that copies of all encryption keys be escrowed in a place from which the government could recover them without notifying the user of the key.  These key escrow proposals have failed in Congress in years past and, even in the aftermath of September 11th, this year.  There are a number of major problems with the key escrow idea, not the least of which is the fact that very good encryption technologies are widely known and implemented, and just about every potential bad guy already has them.


The FBI has been getting around the lack of an effective key escrow system by breaking into suspects' homes and offices and putting "Key Logger" software on their computers.  This software captures all keystrokes on the computers and thus can capture the key sequence that is used to access the encryption keys.  But Key Logger has a minor operational problem: it requires that someone break in and get access to the computers.  This can be a bit hard in some cases and could easily reveal the fact that someone is being watched, just what the FBI does not want suspects to know.


Magic Lantern is a newly revealed FBI technique to use the same types of system vulnerabilities that hackers and virus writers have been using to infect target systems on the Internet.  The FBI good-guy-virus installs software that does the key logging without having to sneak in the window -- they break into Windows instead. By the way, this is just what some hacker viruses have been doing for a while.


A number of constitutional lawyers have issues with Magic Lantern but I'll leave those issues to them.  In my mind, there is an even bigger problem in that the FBI requires that the operating system have security vulnerabilities for Magic Lantern to work.  Normally security experts would like to see security holes filled as soon as someone finds them but in this case that would leave the FBI having to sneak in windows again.  Will it be against the law to fix bugs? 


But where is it written that only the FBI will know about a vulnerability? To enable the FBI, software vendors will have to enable Taliban hackers as well.  The FBI's equation seems to be to require that millions of systems be vulnerable in order to observe a few people.  Interesting math.


disclaimer:  In case the FBI is interested, Harvard does have a math department -- but I did not ask them about this equation.