Latest FBI Terrorist Bust Shows A Future So 'Dark' Some Eye Protection Might Be Warranted

from the I-study-bitcoin-and-violence,-I-love-my-hashes... dept

So much for "going dark." The FBI's narrative of a terrorist-filled world enshrouded in encryption continues to be disproven. For one, it appears the NSA has made tremendous strides towards cracking commonly-used encryption, thanks to its computing power and a multitude of shared Diffie-Hellman primes. For another, the super secret world of terrorism doesn't seem to be all that secret. FBI director James Comey has repeatedly pointed out that terrorism suspects are vanishing behind encrypted communication platforms, but when pointedly asked about how often this is actually happening, he could only claim "dozens of times."

Operational security may be improving over time, but as of this point, suspected terrorists are still leaving themselves exposed through easily-accessed channels. Marcy Wheeler of emptywheel took a look at the latest terrorism suspect busted by the FBI and sees nothing in the criminal complaint that suggests the agency had much trouble hunting him down.

Given Jim Comey’s repeated warnings of how the FBI is going dark on ISIS organizing, I thought I’d look at how FBI found this guy.

Ardit Ferizi, the suspect’s real name, was connected to the @Th3Dir3ctorY account on Twitter. On that account Ferizi linked to an article about the Kosova Hacker’s Security group (KHS) for which he had been interviewed. He also identified himself as the owner of KHS.

Ferizi registered the Twitter identity to a hotmail account tied to an IP address in Kosovo.

@Th3Dir3ctorY subsequently logged into Twitter from various ISPs in Malaysia, including 210.186.111.14.

The hacker who first broke into “Victim Company” on June 13, 2015 and ultimately stole the data of 100,000 people created an account with the identity KHS. On August 19, 2015 — after the company had removed the malware used to exfiltrate the data — someone identifying himself as “Albanian Hacker” and using the email “khs-crew@live.com” contacted the company and asked them to stop taking down their files (which the FBI interpreted to mean the malware left on the server). The IP address tied to the SQL injection used by the hacker was 210.186.111.14.

A Facebook account tied to the name “ardit.ferizi01” also used that IP address. Ferizi sent himself a spreadsheet via that facebook account with the stolen PII.
Facebook, Hotmail, Twitter… these aren't exactly the tools of the "going dark" trade. It could be that Ferizi is an anomaly -- a terrorist who thinks OPSEC is for losers who want to stay out of prison. But it also suggests commonly-used communications continue to be commonly used, even by people performing unlawful actions.

As Wheeler points out, the FBI calls Ferizi a hacker… and yet, for all of his alleged skills, he deployed less secretive measures than many people who have no connection to illicit deeds or today's Public Enemy No. 1: ISIS/ISIL.

Even if Ferizi had been more careful, it's likely the FBI would not have run into an encrypted dead end. While apps like WhatsApp may offer encrypted communications, their creators are often willing to hand over whatever identifying information they do have on suspected criminals. This can then be tied to more open communications platforms. It's highly unlikely that every single bit of communication between terrorism suspects happens on secured channels. And once a suspect is in custody, work can begin on forcing the person to cough up login info.

Nothing about this suggests backdoored encryption is the only way to successfully fight terrorism (and the drug war, etc.). What Comey's complaints suggest is that the FBI would definitely prefer an easier way to do this, one that doesn't involve approaching the NSA for anything it has collected or seeking court orders/ warrants to collect information from third parties. What it would like is as many communication platforms as possible to be open books, where all investigators have to do is a small amount of Googling -- or simply have full access to any account where it suspects discussions of illegal acts might be taking place.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: ardit ferizi, doj, encryption, fbi, going dark, investigation, terror


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    David, 19 Oct 2015 @ 3:21am

    Not much of a surprise

    There is not all that much overlap between terrorists and security specialists/crackers and the respective (anti-)ethics don't have that much overlap either so there is no common basis of trust for mutual dependencies and reliance.

    As a result, 99% of the NSA and FBI Internet snooping budget and operation is not related to counterterrorism while 99% of its narrative is.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 19 Oct 2015 @ 4:56am

    Misread that headline as 'a future so dank' for a second there. Lol

    link to this | view in thread ]

  3. identicon
    Michael, 19 Oct 2015 @ 4:58am

    once a suspect is in custody, work can begin on forcing the person to cough up login info

    But then they wouldn't be able to drop bombs on them with a drone!

    link to this | view in thread ]

  4. identicon
    Glenn, 19 Oct 2015 @ 5:04am

    You can tell from the twitter name that he doesn't know much about how to secure anything.

    link to this | view in thread ]

  5. icon
    Richard (profile), 19 Oct 2015 @ 5:16am

    The elephant

    The elephant in the room is this.

    The possibility of secure encryption exists within mathematical logic and ways to achieve it are in the public domain.

    Any terrorist organisation capable of being a serious threat has to be presumed to be capable of making use of secure encryption - regardless of whether it is in fact built in to commonly used systems.

    Any terrorist or organisation that is not capable of creating its own version of well know secure encryption algorithms and hence only uses the most common public platforms will certainly make enough mistakes to be caught anyway - even if those platforms are secure - (or not be capable of any real threat),

    It follows that these protestations from the FBI etc are not really about anything other than budget and feelings of importance/control. With the added bonus of being able to spy on your enemies (in the political sense of the word)

    link to this | view in thread ]

  6. icon
    Richard (profile), 19 Oct 2015 @ 5:18am

    Torture?

    once a suspect is in custody, work can begin on forcing the person to cough up login info.

    Sounds awfully like you are advocating torture there - I hope your didn't mean it.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 19 Oct 2015 @ 5:58am

    Thank god the terrorists are too dumb to bomb a moving train or a power station...
    Strange how they are such a huge threat that everyone has to be spied upon but they never do more damage or kill more people than the cops.

    link to this | view in thread ]

  8. icon
    Not an Electronic Rodent (profile), 19 Oct 2015 @ 6:07am

    The other side of the coin

    So.... Twitter account name linked to IP address to email account name to facebook account name to exactly the person they want.
    Setting aside the encryption thing for a moment, 2 things seem obvious:

    1) Metadata is more than enough to identify and track both a person and their behaviour so claiming there's no problem hoovering up every bit of metadata is self-evident bull.

    2) The trail appears to have started at a Twitter account name linked to a specific act and not within the huge haystack of hoovered up data so said haystack would appear to have little use.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 19 Oct 2015 @ 6:11am

    His skills seem to be lacking , and not just a little bit.

    link to this | view in thread ]

  10. identicon
    children coding, 19 Oct 2015 @ 6:20am

    cannot Isis Alqaeda FBI CIA NSA code their own home cooked encryption algos? or a unique recipe combining the existing ones?
    what about wideband- software defined radio for short range communications?
    and cannot any kid set up their own raspberry/linux encrypted chat/email platform? and run common available secure chat apps on it from a gazillion of linux enabled cheap/china/untraceable devices?
    without long term memory? self erasing? untraceable?

    nowadays all this is doable by any electronics/it student/kid. gang, etc
    but the masses seem to insist in ignoring this technological reality,
    and politicians are to stupid to follow (or act likewise

    cannot everybody 3dprint/mill untraceable disruptive new undetectable weapons in his basement? hu?

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 19 Oct 2015 @ 6:24am

    I think the real story here is a successful terror bust by the FBI that wasn't cooked up by the FBI.

    link to this | view in thread ]

  12. identicon
    David, 19 Oct 2015 @ 6:25am

    Re:

    Ah, but the cops kill and ransack you for your own good.

    link to this | view in thread ]

  13. identicon
    Guardian, 19 Oct 2015 @ 6:51am

    @13

    wrong i retired after 33 years without getting caught
    and the pcs involved are long destroyed and gone...

    ENJOY

    link to this | view in thread ]

  14. icon
    That One Guy (profile), 19 Oct 2015 @ 7:13am

    Re:

    Minus the terror part anyway. 'Inept idiot of a hacker' I can see, but 'terror attack' or 'terrorist'? Not even close.

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 19 Oct 2015 @ 7:19am

    I've been thinking of a new self-assembly product, let me know if anyone's already seen this but..

    I'm thinking I can tell people how to make a stick of charcoal at home and some white flat thin stuff, also made at home. The idea is that a person can use the charcoal stick to make markings on the white flat thin stuff, then hand it to someone else who knows how to decipher the markings. This way no-one has to talk using their cellphones or within distance of the ubiquitous microphones that we all have implanted in our houses these days. Do you think this will sell? Or will the gov ban it?

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 19 Oct 2015 @ 8:16am

    perhaps i'm wrong but i would have thought that someone who was 'up to no good' would go to extraordinary lengths to keep their identity secret. that doesn't really seem to be the case here. also, what was in the emails sent and received? was there anything that was subversive, threatening or harmful? maybe the best thing to do here is for the FBI to actually release emails that have been verified and contain something bad in them. if not, what is to say that this isn't another example of the FBI being full of shit and setting someone up? i seem to remember them doing this a time or two before!!

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 19 Oct 2015 @ 10:05am

    What gets these people in trouble is that they're glory hounds. Opening a Twitter account and claiming to be the owner of the Kosova Hacker’s Security group...

    Anonymous and LuLz Sec aren't much smarter. They have social media accounts too. Members of these groups have also been busted...

    Yeah lets open a social media account so the FBI can target that accounts with javascript and iFrame exploits when they log in using that specific user name.

    Glory hounds get fed to the sharks.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 19 Oct 2015 @ 10:24am

    Say what you will about a certain TD troll, but at least he knows how to use Tor to change his IP address until his nonsense gets posted in the comments. Blue: the FBI's greatest fear.

    link to this | view in thread ]

  19. icon
    Uriel-238 (profile), 19 Oct 2015 @ 11:36am

    Re: Torture?

    That does sound like the $5 wrench treatment. I suspect we're more resigned to the fact that Law Enforcement's been beating people up to squeal for centuries now, and they don't show any sign of slowing down.

    link to this | view in thread ]

  20. icon
    Richard (profile), 19 Oct 2015 @ 12:15pm

    Re: Re: Torture?

    fact that Law Enforcement's been beating people up to squeal for centuries now,
    Well actually, in general, in the real world as opposed to tv/film, they don't do that because it doesn't work - and even if it does it is unlikely that the evidence would be usable in court.

    This has been well known in British Intelligence since at least WW2 (http://www.rense.com/general95/clever.html) - and in Britain this is now reinforced by the recording of all interviews for around 40 years. As regards the US - I offer the second half of this well known youtube video: "Don't talk to the Police" https://www.youtube.com/watch?v=6wXkI4t7nuc
    and this link http://www.cbsnews.com/news/secret-wwii-camp-interrogators-say-torture-wasnt-needed/

    Even the Nazis knew better than to use torture:
    https://en.wikipedia.org/wiki/Hanns_Scharff

    link to this | view in thread ]

  21. icon
    Richard (profile), 19 Oct 2015 @ 12:17pm

    Re: Re: Re: Torture?

    Sorry - first link didn't come out right:

    http://www.rense.com/general95/clever.html

    link to this | view in thread ]

  22. icon
    Uriel-238 (profile), 19 Oct 2015 @ 1:04pm

    Unlawful Enemy Combatants

    I know they're supposed to know better, but recent revelations including the Cook County black site used by the Chicago PD seems to indicate that it's done otherwise, regardless of whether or not it works.

    As to whether it's admissible, common practice has already been demonstrated for police officers to simply lie about their methods in court, usually backed up by three or four of their colleagues as witnesses.

    That this is common practice and is not just the methods of a few bad players has been the subject of a number of reports already. So yeah, if you're given the $5 wrench treatment, you can be sure that several officers will be ready to contest that you volunteered your password information so that your electronics could be unlocked.

    It may not work. It may be a violation of rights. It may even be regarded as heinous by the public, but that doesn't mean it's not done. Routinely.

    Ahmed Muhammed (the clock kid) was isolated from parents and legal council for hours while his principal and local officers tried to wring from him a confession. The incident is exemplary of how we regard people who look like terrorists (as we imagine them to be) as less than people (even assigning them the label Unlawful Enemy Combatants so that we can deny them life, liberty and property as if they weren't human beings.

    That should sound dangerously familiar. It's not like we've seen countless incidents like this before.

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 19 Oct 2015 @ 1:49pm

    Re:

    Please do not summon the beast. It hasn't been seen, by me anyway, in a long time.

    link to this | view in thread ]

  24. identicon
    Anonymous Coward, 19 Oct 2015 @ 2:23pm

    Comey looks for criminals under lamp-posts

    cuz it's not dark there.

    link to this | view in thread ]

  25. icon
    Richard (profile), 19 Oct 2015 @ 4:18pm

    Re: Unlawful Enemy Combatants

    I'm not denying that it 's done, I'm not even denying that it's quite common,I'm not even denying that has become standard practice in some places from time to time. However I am denying that it is the norm.

    The problem with most of the examples that you give is that we know about them because they are newsworthy - and by definition that implies that they are unusual and therefore not the norm.

    (I do however think that the US practice of plea bargaining is a terrible incentive for bad behaviour by interrogators and I'm happy that we don't have it here in the UK to anything like the same extent)

    That this is common practice and is not just the methods of a few bad players has been the subject of a number of reports already.

    Can you provide links for this?

    Ahmed Muhammed (the clock kid) was isolated from parents and legal council for hours while his principal and local officers tried to wring from him a confession.

    Again - a one off case - hence we know about it - and indicative of how things go wrong when people who are not properly trained for this type of work (although perhaps they should have been) go over the top on the basis of what they have seen on TV.

    The incident is exemplary of how we regard people who look like terrorists (as we imagine them to be) as less than people

    That is a spin that has been put on the incident by people who are tryng to reinforce a certain political line. The facts don't actually support that aspect of the incident in this case. Given the stupid, over the top, "zero tolerance" approach adopted by some schools I am pretty sure that exactly the same thing would have happened to any pupil, regardless of race, or religious implications of the sound of his name.

    Having said that, I do agree with you about the "enemy combatants" thing - it was appalling - but this incident is completely unrelated to it.

    link to this | view in thread ]

  26. identicon
    Anonymous Coward, 19 Oct 2015 @ 5:06pm

    Make everyone a criminal then its easy to say you caught a terrorist or insert whatever buzzword they currently use.

    I still prefer the term Undesirable number 1.

    Personally I think our leaders are the terrorists. But what do I know.

    link to this | view in thread ]

  27. identicon
    Anonymous Coward, 19 Oct 2015 @ 7:36pm

    You guys should know that criminals are not necessarily brilliant. The smarter ones become politicians but they also forget to protect their private e-mail server used for official communications. lol

    Using specialized gear? Creating your own crypto? Well, the NSA and the FBI and the CIA have their nerds, but street gangs or middle-easterns are not exactly brilliant peoples.

    I don't know how many of you ever met a middle-eastern in person, but if they will conquer the world one day it will be the only way they know, the way of the cochroach.

    You guys should be pissed off by our governments using the cochroaches as a menace to force us to accept big brother. Simply kick out the cochroaches and 99% of the turrism problem will disappear.

    link to this | view in thread ]

  28. icon
    Richard (profile), 20 Oct 2015 @ 7:31am

    Re:

    they are such a huge threat that everyone has to be spied upon but they never do more damage or kill more people than the cops.

    See , it works!*


    (Just like the elephant repellant I bought a couple of years ago.)

    link to this | view in thread ]

  29. icon
    tqk (profile), 20 Oct 2015 @ 10:34am

    Re: Torture?

    once a suspect is in custody, work can begin on forcing the person to cough up login info.

    Sounds awfully like you are advocating torture there ...

    Or, just typical prosecutorial piling on of ancillary charges suggesting you'll be locked away forever if you resist.

    link to this | view in thread ]

  30. icon
    tqk (profile), 20 Oct 2015 @ 11:10am

    Re: infosec

    in my limited infosec experience, people are stupid and above all lazy

    I'd say they're ignorant (lacking knowledge) and lazy. Stupidity is just what keeps them ignorant. Not understanding that "social media" is talking to the world plus dog? That's pretty ignorant of what their tools are really doing, and their laziness leverages their stupidity to not bother to rectify this. This guy's a classic case of shooting oneself in the foot.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.