Microsoft Sues Government Over Its ECPA-Enabled Gag Orders

Documents Show FBI Deployed Software Exploits To Break Encryption Back In 2003

from the and-privacy-and-security-for-none... dept

Fri, Apr 15th 2016 3:31am — Tim Cushing

Documents FOIA'ed by Ryan Shapiro and shared with the New York Times shed some new light on previous FBI efforts to break encryption. Back in 2003, the FBI was investigating an animal rights group for possibly sabotaging companies that used animals for testing. The FBI's Department of Cutesy Investigation Names dubbed this "Operation Trail Mix," which I'm sure endeared it to the agents on the case. At the center of the investigation were emails the FBI couldn't read. But it found a way.

They persuaded a judge to let them remotely, and secretly, install software on the group’s computers to help get around the encryption.

That effort, revealed in newly declassified and released records, shows in new detail how F.B.I. hackers worked to defeat encryption more than a decade before the agency’s recent fight with Apple over access to a locked iPhone.

The documents don't detail what the exploit was, but it targeted PGP -- the encryption method used to keep the group's communications private. The FBI was able to obtain a "full access" warrant to grab every communication, but that did nothing to decode the scrambled emails. The documents don't specify what the FBI used, but language suggests it either copied the decryption keys or deployed a keylogger to snag passwords.

Either way, it apparently was the first time the FBI had deployed its own malware.

“This was the first time that the Department of Justice had ever approved such an intercept of this type,” an F.B.I. agent wrote in a 2005 document summing up the case.

The secrecy surrounding the FBI's tactics was nearly absolute. The wiretap order was disclosed to the defense but not the use of an exploit/keylogger. On top of that, the DOJ never mentioned the FBI's efforts in its 2002 and 2003 annual reports, despite being required to report any instance where it runs across encryption during a wiretap investigation.

Not that the DOJ and FBI's lack of transparency harmed their case. It resulted in six convictions, and a higher court basically said the use of encryption was suspicious in and of itself.

An appeals court upheld the convictions in 2009, and said that the use of encryption, among other things, was “circumstantial evidence of their agreement to participate in illegal activity.”

What the documents do show is that the FBI has been in the fight against encryption for a long time and in the business of deploying malware and exploits without judicial oversight for about as long. What has changed is that it's now openly fighting encryption by trying to force compliance throught the use of All Writs Acts. It's also deploying a variety of exploits that can -- with a single warrant -- access info about any computer/device visiting a website.

It may be more open about its intents and tool usage now, but that's not because it's gained new respect for things like due process and accurate warrant applications. It's doing this now because it needs an upper-level court ruling in its favor to basically excuse the things it's been doing in secret for years, as well as give it the permission it needs to continue to undermine encryption in the future.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: animal rights, cracking, encryption, fbi, hacking

17 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 15 Apr 2016 @ 3:49am

... and so what?
[ link to this | view in chronology ]
Anonymous Coward, 15 Apr 2016 @ 3:59am

Slow news day?
[ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

american fuckwits cunts holes, 15 Apr 2016 @ 5:25am

american fuckwits cunts holes
american fuckwits cuntholes
[ link to this | view in chronology ]
AJ, 15 Apr 2016 @ 5:32am

"They persuaded a judge to let them remotely, and secretly, install software on the group’s computers to help get around the encryption."

I'm so sick of our Government. Partisan politics aside, who in their right mind believes that MORE government is better? That more regulation is better? Look at what they do when we give them power... LOOK AT IT! You think checks and balances are working? They Judge shop until they find one that will sign off on their bullshit. It's a complete joke. They are completely out of control.

We need a new party. One that promotes less Government, more over-sight (and over-sight with real teeth). One that even with less Government and regulation, is still able to maintain some type of social responsibility that promotes employment and growth, instead of status quo promoting subsidies and entitlements.
[ link to this | view in chronology ]
- Wendy Cockcroft, 18 Apr 2016 @ 5:45am
  
  Re:
  We need a new party.
  
  There are loads of new parties. Pick one and vote for it instead of wetting your pants over the possibility that either Bad or Worse will get in. Is there a Pirate Party in your state?
  
  One that promotes less Government, more over-sight (and over-sight with real teeth).
  
  Erm, a government is required to do all that; private enterprise won't. Besides, "government" is usually dog whistle for "social programs." Decide on what "government" actually means before declaring that you want less of it.
  
  One that even with less Government and regulation, is still able to maintain some type of social responsibility that promotes employment and growth
  
  In many of the Red states on your side of the Pond they're leaving it to private enterprise to do all of that. Surprise, surprise! It seems that there are strings attached to receiving assistance, from private enterprise, particularly religious groups.
  
  instead of status quo promoting subsidies and entitlements.
  
  There will always be subsidies and entitlements of one kind or another. Please bear in mind that "entitlement" is dog whistle for "welfare" when it actually means "earned benefits," i.e. it's been paid for by the individual's taxes.
  
  And you can't live without government of some kind or another unless you are willing to live completely off the grid.
  
  http://capx.co/private-cities-a-disruptive-technology-for-the-state-market/
  [ link to this | view in chronology ]
  - John Fenderson (profile), 18 Apr 2016 @ 7:43am
    
    Re: Re:
    I agree 100% that we need viable parties aside from the Rs and Ds. Unfortunately, election laws are set up to make it essentially impossible.
    
    So step 1 has to be to change those laws, but changing those laws is something that both the Rs and Ds would join hands and fight with everything they have.
    [ link to this | view in chronology ]
Rotanev, 15 Apr 2016 @ 5:42am

Welcome, fellow criminals.
An appeals court upheld the convictions in 2009, and said that the use of encryption, among other things, was “circumstantial evidence of their agreement to participate in illegal activity.”

If you're reading this on Techdirt, guess what, you're now a criminal. The page is encrypted.
[ link to this | view in chronology ]
Anonymous Howard, 15 Apr 2016 @ 5:43am

We can't see what you're doing so you must be up to no good
An appeals court... said that the use of encryption, among other things, was “circumstantial evidence of their agreement to participate in illegal activity.”

Holy. Fucking. Shitballs.
[ link to this | view in chronology ]
- Anonymous Coward, 15 Apr 2016 @ 6:32am
  
  Re: We can't see what you're doing so you must be up to no good
  Also considered circumstational evidence: curtains, walls, anything opaque.
  [ link to this | view in chronology ]
klaus (profile), 15 Apr 2016 @ 5:47am

and said that the use of encryption, among other things, was "circumstantial evidence of their agreement to participate in illegal activity.”

Beyond weak. It's also evidence of a thousand other things, none of which is illegal.
[ link to this | view in chronology ]
Richard (profile), 15 Apr 2016 @ 6:33am

I can't wait to see TD's post about this:
http://motherboard.vice.com/read/rcmp-blackberry-project-clemenza-global-encryption-key-canada
[ link to this | view in chronology ]
- John Fenderson (profile), 15 Apr 2016 @ 7:05am
  
  Re:
  Blackberry's security problems were revealed a number of years ago. By coincidence(?), their domination of the smartphone industry ended within a year of that.
  [ link to this | view in chronology ]
- Anonymous Howard, 15 Apr 2016 @ 7:19am
  
  Re:
  Is it any surprise that Blackberry is struggling to keep its head above the water?
  
  I don't like touchscreens - don't know if there's something wrong with my fingers, but they never seem to work very well - and I would prefer a phone with a physical keyboard and trackpad. But the lack of security on BB devices is a big problem.
  [ link to this | view in chronology ]
Anonymous Coward, 15 Apr 2016 @ 7:41am

laws are for the slaves
[ link to this | view in chronology ]
- Uriel-238 (profile), 15 Apr 2016 @ 12:42pm
  
  Laws are for the affluent.
  If you are rich enough to hire a proper defense and prevent your meager assets from being seized entirely then you get to work within the framework of the law.
  
  If you don't have those, or your resources are successfully seized, then there's nothing for you but plea-bargains and bullets.
  [ link to this | view in chronology ]
Anonymous Coward, 15 Apr 2016 @ 9:10am

Zebra Tactics
Phil's been singin' ONE major song since he first developed PGP: If everybody uses encryption, nobody stands out from the herd SIMPLY for using encryption. We ALL need stripes.
[ link to this | view in chronology ]
Matthijs Koot, 15 Apr 2016 @ 12:41pm

Magic Lantern?
> The documents don't detail what the exploit was, but it targeted PGP (...) Either way, it apparently was the first time the FBI had deployed its own malware.

Sounds a bit like Magic Lantern, the FBI-built trojan that reportedly got activated when a suspect uses PGP encryption?

https://en.wikipedia.org/wiki/Magic_Lantern_%28software%29
[ link to this | view in chronology ]