Utterly Outrageous

Now, this is whistleblowing:

Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.

The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal “drive-by” hack attack, but nobody’s calling in the FBI this time. The FBI is the prime suspect.

“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsyrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”

If Tsrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” or CIPAV, the law enforcement spyware first reported by WIRED in 2007.

Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predators, extortionists, and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.

The code has been used sparingly in the past, which kept it from leaking out and being analyzed or added to anti-virus databases.

If the FBI is actually sending us malware, then someone has some 'splainin' to do, to say the least. Congressional hearings are in order, and the hearings ought to be public.

In Praise of James Comey

Benjamin Wittes discusses the reasons why we should be glad that James Comey was nominated to be the next FBI director--reasons I am fully in agreement with:

Here’s the easy part: A qualified director of the FBI needs to have significant managerial experience in law enforcement. These days, you particularly want someone with a real intimacy with national security investigations and counterterrorism cases. You want someone who knows the bureau and can command the respect of its famously insular culture. You want someone with that ineffable quality of great leadership. And you want someone who somehow projects an anti-Hoover-like incorruptibility. Put this all together, and the easy part is not at all easy. There are very few people who truly have all of these qualities—and Comey is one of them.

But Comey also has an additional quality that makes him a unique candidate for the position—unique not just now but over a very long time. To be a successful FBI director, you have to be someone the public believes is truly independent, someone who will follow the facts wherever they go, who will investigate other members of the administration in which you (sort of) serve. The public should even believe that if it came to that, you would stare down the President himself over compliance with the law. It requires highly specialized circumstances to establish this particular quality beyond a shade of public doubt—and most people, fortunately for them and for the public—never have the opportunity to do so. But Comey 
did have this quality of his leadership tested—and in an episode initially secret, and now famous, he showed himself capable of looking a president of his own party in the eye and telling him that he would resign unless legal problems in a high-stakes classified program were fixed.  Nobody, including Barack Obama, can now doubt for a minute that he is capable of doing what needs to be done and telling the president the painful truths he may need to hear.

Wittes calls for Comey to be confirmed as soon as possible. I join that call, and congratulate President Obama on a very good selection.