Documents Show FBI Impersonated Newspaper's Website To Deliver Spyware To Suspect's Computer
from the a-free-(and-exploitable)-press dept
Spend enough time staring at redacted documents liberated from secretive government agencies and you're bound to miss a thing or two on the first pass. Chris Soghoian, technologist for the ACLU, was browsing through some FBI documents [pdf link] obtained by the EFF and came across this:
In 2007, FBI sent malware via a link intended to look like a Seattle Times/AP story. https://t.co/Se9f0NXGd1 at pages 61-62.
— Christopher Soghoian (@csoghoian) October 27, 2014
The documents (https://www.eff.org/document/fbicipav-08pdf) date back to 2008 and were obtained by the EFF in 2011. What Soghoian caught fills in the blanks in this story from 2007.
FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News...
The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.
The court documents didn't detail how the FBI managed to install the weaponized payload on Glazebrook's computer. The emails obtained by the EFF, however, expose the electronic paper trail.
The CIPAV (Computer and Internet Protocol Address Verifier) made its way to Glazebrook's system via a MySpace message sent by the FBI... which was impersonating the Seattle Times.
Is this really what we want our investigative agencies to be doing in the name of public safety? Soghoian says no.
"The ends don't justify the means. I'm not saying that the FBI shouldn't be investigating people who threaten to bomb schools. But impersonating the media is a really dangerous line to cross."
The Seattle Times isn't too happy, either. Editor Kathy Best says the paper is now "seeking answers" from the FBI. Best's full statement on behalf of the Times is short, but deeply critical of the agency's actions.
We, like you, just learned of this and are seeking answers ourselves from the FBI and the U.S. Attorney's office.
But we are outraged that the FBI misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect. Not only does that cross the line, it erases it.
Our reputation, and our ability to do our job as a government watchdog, is based on trust. And nothing is more fundamental to that trust than our independence from law enforcement, from government, from corporations and from all other special interests. The FBI's actions, taken without our knowledge, traded on our reputation and put it at peril.
The FBI has already responded (somewhat) to Best's statement, deploying the usual deferrals to public safety and agency investigatory procedures.
"Every effort we made in this investigation had the goal of preventing a tragic event like what happened at Marysville and Seattle Pacific University. We identified a specific subject of an investigation and used a technique that we deemed would be effective in preventing a possible act of violence in a school setting. Use of that type of technique happens in very rare circumstances and only when there is sufficient reason to believe it could be successful in resolving a threat. We were fortunate that information provided by the public gave us the opportunity to step in to a potentially dangerous situation before it was too late."
TL;DR: The public should be counting its blessings rather than examining our questionable methods.
Taken at face value, Special Agent Frank Montoya Jr. is basically saying that the FBI will abuse its power (and the reputations of others) whenever it determines such methods to be necessary to achieve its goals. Not really a comforting idea at all, and one that basically confirms Soghoian's suspicions: the ends will be used to justify the means, no matter how potentially damaging the means are.
Filed Under: bomb threat, fbi, impersonation, investigations, journalism, malware
Reader Comments
Hookay
If they were agents of a foreign power they couldn't do a better job.
I really don't see what Kathy Best is complaining about, to be honest.
How so? If someone did something bad while impersonating me, and no one knew about it, it has not harmed my reputation in any way.
If someone did something bad while impersonating me, and no one knew about it, and the first that anyone found out about it (including me!) was when it came out that I had been impersonated... this still has not harmed my reputation in any way, because everyone knows that it wasn't really me who did it.
Seems to me the only possible way that such a scenario could harm my reputation is if it came out that I wasn't being impersonated after all, but that I had been complicit in doing the bad thing in question. But no one is even suggesting that that is the case, so I really don't see Ms. Best's point.
Congratulations and bravo to the FBI. Finally a bit of good news, after all the stupid crap they've been caught at lately!
Re:
Because now every time someone visits a page saying it's from the Seattle Times site, they'll wonder if they're looking at a legitimate page, or some government plant. Should the government really get into the business of what is essentially phishing?
A government entity co-opting the identity of the press compromises the freedom of the press, regardless of reputation or outcome.
I think that should be seen as an unconstitutional act.
Re:
I think the real issue, though, is a bit larger. It used to be that people would feel the need to be cautious just when following links to "sketchy" or non-mainstream websites. This incident alerts people that they need to be cautious about links to any website at all.
From my security point of view, this isn't a bad thing because people should be cautious about it in general (mainstream websites are occasionally a source of malware too, after all). But I understand why people running those websites would prefer their readers to not feel nervous about going to their site.
Re: Re:
That's the problem, it now calls into question every site you visit...ever, even the ones you *know* are trustworthy.
Re: Re: Re:
And with sites they know. Sites (especially sites that carry ad-network ads) do get hacked to deliver malware. A legitimate site that is perfectly fine one day may not be the next, and the site's operators may not even be aware of it.
Re: Re:
And anyone who thinks that is an idiot. Do they really believe that the FBI would try the exact same thing again, now that everyone's watching for it? The Seattle Times is probably one of the safest sites to visit right now, because that same trick can't be used again.
Besides, have a close look at the document. The kid fell for one of the oldest phishing tricks in the book: he didn't check the URL carefully. The site he got pointed to was not seattletimes.com, but nwsource.com, essentially a smaller, more local version of Craigslist. Someone at the FBI set up a page on there that would look like a newspaper site, but this does (or should do) nothing to make anyone leery of going to the Seattle Times site. From all appearances, at no time was seattletimes.com or the organization The Seattle Times hacked or compromised in any way.
Exactly. I first saw this about 10 years ago (don't remember if it was 2003 or 2004) when my virus scanner's web security started alerting me to malware on a fairly large, very legitimate site. A bit of research on my part showed it was coming in through banner ads. I alerted them to the problem, and at first they angrily denied serving malware. I responded, reiterating that this didn't appear to be their fault at all, but the fault of their banner ad provider, and they actually looked into it and switched ad networks very quickly.
Again, no one has any reason to feel nervous going to their site. The whole point here is that this guy didn't go to the Seattle Times site; he got phished into going to a site that was set up to look like it, but was hosted on a different server and under the control of the FBI.
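The comment above comes down to one check the target never made: which host the link actually points at. As an added illustration (not code from the article, the commenter, or any party in the story), the Python below extracts the host a browser would really connect to and tests whether it is seattletimes.com or a subdomain of it. The only names taken from the page are seattletimes.com and nwsource.com; every sample URL is constructed here and says nothing about what the actual message contained.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# The registrable domain a genuine Seattle Times link should resolve to.
# Taken from the comment above; the sample links below are constructed.
EXPECTED_DOMAIN = "seattletimes.com"


def link_host(url: str) -> Optional[str]:
    """Return the lowercase hostname a browser would connect to, or None if
    the URL has no usable HTTP(S) host (javascript:, mailto:, relative paths).

    urlsplit().hostname already drops userinfo ("seattletimes.com@evil") and
    the port, the two classic ways of making the trusted name appear first in
    the address bar while the real host sits further right.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname  # lowercased, userinfo and port removed
    if not host:
        return None
    # A trailing dot is the same host in DNS terms; normalise it away.
    return host.rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a true subdomain of it.

    A substring test would wrongly accept 'seattletimes.com.nwsource.com'
    (expected name used as a subdomain label) and 'notseattletimes.com'.
    """
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, expected: str = EXPECTED_DOMAIN) -> str:
    """Classify a link as 'expected', 'unusable', 'idn:<host>' or 'other:<host>'.

    'idn:' flags punycode labels (xn--), where a lookalike built from
    non-ASCII characters would otherwise be hard to spot by eye.
    """
    host = link_host(url)
    if host is None:
        return "unusable"
    if belongs_to(host, expected):
        return "expected"
    if any(label.startswith("xn--") for label in host.split(".")):
        return f"idn:{host}"
    return f"other:{host}"


def audit(links: List[str]) -> Dict[str, str]:
    """Map every link to its classification so a batch can be reviewed at once."""
    return {url: classify_link(url) for url in links}


# Constructed examples only: they illustrate the trick, not the real message.
SAMPLE_LINKS = [
    "https://www.seattletimes.com/news/story.html",        # genuine subdomain
    "HTTP://SeattleTimes.COM./local/",                      # case and trailing dot
    "http://nwsource.com/seattletimes/story.html",          # trusted name in the path
    "http://seattletimes.com@nwsource.com/story.html",      # trusted name as userinfo
    "http://seattletimes.com.nwsource.com/story.html",      # trusted name as a label
    "http://notseattletimes.com/",                          # prefix lookalike
    "http://xn--seattletimes-xyz.com/",                     # punycode label
    "javascript:alert(1)",                                  # no host at all
    "/news/story.html",                                     # relative link
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_LINKS).items():
        print(f"{verdict:45s} {url}")
```

The check is deliberately narrow: it answers only "does this link land on the domain I expect", which is exactly the question the commenter says went unasked. It does not, and cannot, tell you anything about a legitimate host that has itself been compromised, the case raised a few comments earlier about hacked ad networks; a link to a hacked seattletimes.com page classifies as "expected".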
Re: Re: Re:
Oh, I agree. I'm not saying that the ST's characterization is correct, only that I understand why they feel that way.
Re:
However, impersonating the Seattle Times is cheap, sleazy, lazy, unethical, and stupid. If that's the best that the FBI, allegedly the nation's top law enforcement agency, can come up with, then a whole bunch of people should be fired and blacklisted from police work for life.
Police work is hard because it's supposed to be hard. We could make it easy for them by giving them unlimited power (something they keep grabbing for anyway) but we don't, because we recognize that while it might result in temporary safety, the long-term result is disastrous for society. So we make it hard on purpose by imposing numerous restraints (e.g. "get a warrant") and we accept that once in a while, one of those restraints will get in the way. So be it.
The people who choose to work in law enforcement should be keenly aware of that, and accept it. They should be doing police work -- grinding, boring, relentlessly detail-oriented, careful, exacting police work -- because that's what they signed up for. Doing an end-around because it's expedient is not only completely unprofessional, it endangers civil society far more than even the most deranged school shooter.
Re:
Except that now they know that things 'from' you could also be 'from' the FBI trying to trap them. They now trust communications 'from' you less. If your entire business is based on people trusting you via your website, yes, you've been harmed. They aren't going to visit your website because they know that links to your website could also be an FBI sting operation.
Re: Re:
If anything, the Seattle Times should seize on this and turn it into an opportunity to teach people how to recognize and avoid phishing attempts.
Re:
This story reads like the investigators got to the first hurdle then said "the hell with it" and took an illegal and unnecessary shortcut. It's only a short step from that to outright, if small, illegal behavior motivated purely by the investigators' self interest and the fear is always there that this will simply get worse without any real check.
Re:
BUUUUT the problem is that if nobody says anything, then it sets a precedent and basically lets the feds think they can do more shady shit in the name of terrorism and no one will have a problem with it.
The DEA was recently caught using past defendants' identities to make fake Facebook profiles so they could chat up their drug dealers in order to get them to incriminate themselves.
Where is the line?!
Re: Re:
What the FBI did does not involve taking over or compromising any resources owned by any third party. The Seattle Times was not harmed in any way. It was a straight-up, plain-vanilla phishing attempt like the ones you probably get a dozen of every day in your spam folder, and the kid fell for it.
Re:
He said "put it at peril", not "damaged it".
This time, everything went extremely well and only the intended target was affected. That doesn't happen every time as we well know. This was as targeted as it could have been, but the paper would have been left with the fallout if anything had gone awry. That's what he's talking about.
One word I haven't seen yet.
...Oh, wait...
What's that link again?
Why does the link include "webteensex"?
who?
drug dealers
drug buyers
doctors
lawyers
terrorists
politicians
who doesn't law enforcement impersonate?
The trick is to get them to START impersonating peace officers.
Re-read the FBI's justification:
That's not specific to phishing or malware; it's not specific to anything. It's not limited by circumstances or employed with regard to constitutional or statutory guidelines. All it says is techniques will be used when the FBI thinks there is sufficient reason to believe the techniques could be successful.
Feel free to fill in any "techniques" you want in that paragraph. I'm not always worried about slippery slopes, but I am when the FBI's response to a legitimate concern is "we will position ourselves wherever we choose on the slope."
Re: Re: Re:
That is, "a hunch we might pull it off."
Last I checked "suspect" means a POTENTIAL criminal.
They're attacking the computer systems not of someone who committed a crime, but someone the FBI thinks might have committed a crime. They don't know.
And suspicion is cheap these days.
Re: Re: Last I checked "suspect" means a POTENTIAL criminal.
"Sure, even you or I could technically be a potential suspect but with zero evidence it is extremely unlikely we would be investigated."
...unless we've said or done something that has made someone with power angry, or are a member of a socioeconomic class, nationality, race, creed, etc., that they don't like.
We don't have degrees of suspicion.
Sure, we could have more killing rampages, or those that have occurred could have been worse, but even if the incident statistics of these increased, they are, by magnitudes, far removed from the greatest dangers to human health and welfare, and we put much fewer resources into fixing those problems that are (such as reforming health care, eliminating poverty and hunger, etc.), so arguing that letting Law Enforcement destroy our lives, property and trust for our own good is intellectually dishonest.
Yes, police are allowed to use deception to identify or incriminate a suspect, to the point that we get far more false positives than true ones. When we falsely incriminate (which our DoJ is ravenous to do in today's political clime), everyone in prison becomes a political prisoner, even those we know who committed political crimes. The only fair grounds by which a justice system can legitimately mete out rulings and penalty in violation of human rights is due to its thoroughness in determining the truth.
And they don't. Repeatedly.
In the 70s the US averaged about 500 SWAT raids a year for hostage-barricade situations. In 2013 we had about 50,000, most on houses innocent of any crime that might warrant a SWAT raid. In those, many people, including children, are getting murdered by the police. We have evidence that the police cannot be trusted with the powers they have, and that they have no regard whatsoever for the innocent civilians whose lives they affect.
This is what I get for posting before coffee...
On Bastille day, the pot smokers, rapists, serial murderers and hacktivists all walk, alike. If half of them are innocent, the problem with a corrupt justice system is we don't know which half.
Re: We don't have degrees of suspicion.
That is, pretty much, a working definition of a Police State.
Under such circumstances, regardless of the nation in which it occurs, the public is the enemy and the Police are the Soldiers, so in truth, no quarter and no mercy being shown to the enemy by such soldiers in such an undeclared war, is to be expected.
In other words, under the current Regime, the American Police Forces are doing an exemplary job.
When is a URL a Trademark?
Parallel construction?
First, the user has to click on a link or do something stupid like visiting a website with Javascript or Flash enabled.
If the user runs Linux and his browser inside a hardened VM, I can't see how the FBI has gotten software on his computer.
Did the user run Linux or did he do something stupid?
If not, maybe parallel construction is a possibility.
Endangerment
Huh, so if the CIA begins to use your name, picture and likeness or that of your children to issue false passports, you wouldn't think it would be harmful?
Here's the gist:
So the argument is not "this was legal" or "we bothered getting a warrant" or "there was any attempt of judicial oversight or heeding the law" but rather "well, it worked".
The problem with that is the only reason we got to hear of it is because it worked. Since the FBI doesn't bother following the warrant requirements, this could be a lucky shot among millions that did not work. Maybe they are shooting everybody preemptively anyway and dig out the dirt whenever they need it.
That would explain why they would not bother getting a warrant even in such cases. Would be after the fact anyway.
Actually, there is precious little information about who else got bugged in the process of this investigation alone. Perhaps the number of compromised computers is such that no judge would have signed off on a warrant anyway.