There are plenty of unanswered questions about the FBI spyware that, as we reported earlier this week, can be delivered over the Internet and implanted in a suspect's computer remotely.
Many of the questions hearken back to the old debate over the FBI's Carnivore wiretapping system, which technical luminaries Steve Bellovin, Matt Blaze, David Farber, Peter Neumann, and Eugene Spafford raised in a December 2000 paper.
Some of the perfectly reasonable points they made: What about security flaws? Is there evidence of a "systematic search for bugs?" How about audit and logging? Why not publish the source code for public review?
And of course there are issues more specific to the FBI's use of the Computer and Internet Protocol Address Verifier, or CIPAV, including whether the bureau believes it can install it on Americans' computers willy-nilly in the wake of a wacky 9th U.S. Circuit Court decision this month.
We were planning to list them for your delectation, only to find that Kevin Poulsen at Wired had already done an excellent job of it. (We should note that, although we were of the CIPAV story this week, Wired was first to publish it.)
Some of the questions Kevin posed to the FBI, with no answers as of Thursday:
What kind of investigations has the CIPAV assisted in?
Does the CIPAV have the capability, if so configured, to record keystrokes? Generally, does the FBI have the ability to electronically and surreptitiously deliver monitoring software to a target's PC that records keystrokes?
Do other law enforcement agencies have access to the CIPAV technology?
We also contacted the FBI with our own questions--with no better luck in terms of actually getting a response from the bureau, which must be busy defending our nation from serious threats or something.