DOJ Proposal Would Let FBI Hack Into Computers Overseas With Little Oversight
from the freedom?-what-freedom? dept
Ahmed Ghappour, over at JustSecurity, alerts us to a rather frightening proposal from the Justice Department that would enable law enforcement to hack into the computers of people who are trying to be anonymous online. At issue is that current rules basically would extend the powers granted for terrorism investigations to everyday criminal investigations, concerning specifically the DOJ/FBI’s ability to hack into computers. In the past, judges could issue warrants for such computer hacking if the target was known to be located in the same district. But the proposed change would wipe out that limitation, and basically give the DOJ/FBI the power to get approval for hacking into a much broader range of computers. Without the geographical limitation, there’s concern about just how broadly this new power would be (ab)used:
The DOJ proposal will result in significant departures from the FBI?s customary practice abroad: overseas cyber operations will be unilateral and invasive; they will not be limited to matters of national security; nor will they be executed with the consent of the host country, or any meaningful coordination with the Department of State or other relevant agency.
Under the DOJ?s proposal, unilateral state action will be the rule, not the exception, in the event an anonymous target ?prove[s] to be outside the United States.? The reason is simple: without knowing the target location before the fact, there is no way to provide notice (or obtain consent from) a host country until after its sovereignty has been encroached.
Without advanced knowledge of the host country, law enforcement will not be able to adequately avail itself to protocols currently in place to facilitate foreign relations. For example, the FBI will not be able to coordinate with the Department of State before launching a Network Investigative Technique. This puts the U.S. in a position where a law enforcement entity encroaches on the territorial sovereignty of foreign states without coordination with the agency in charge of its foreign relations.
In short, every new criminal investigation by the FBI will open up the possibility of a diplomatic nightmare and embarrassment. But, really, who cares when there are criminals to go after, right?
When a state?s sovereignty is encroached upon, its response depends on the nature and intensity of the encroachment. In the context of cyberspace, states (including the United States) have asserted sovereignty over their cyber infrastructure, despite the fact that cyberspace as a whole, much like the high seas or outer space, is considered a ?global common? under international law.
[….] Given the public nature of the U.S. criminal justice system, it is hard to see how the FBI will avoid risk of prosecution (similar to that in the Chelyabinsk incident) if the DOJ proposal is approved.
The Chelyabinsk incident refers to involved Russia filing criminal hacking charges against the FBI for the FBI logging into a Russian server, seeking evidence against some Russian hackers.
And, of course, there are other issues with the proposal as well — as you’d expect any time you see law enforcement seek to move anti-terrorism tools over to standard crime-fighting. For example, the current proposal could authorize questionable hacking techniques by the FBI. Ghappour suggests that if the DOJ really wishes to push forward with such a proposal, it needs to clearly limit the techniques that are allowed:
The Rule should not authorize drive-by-downloads that infect every computer that associates with a particular webpage, the use of weaponized software exploits in order to establish ?remote access? of a target computer, or deployment methods that risk indiscriminately infecting computer systems along the way to the target. Nor should the Rule authorize a ?search? method that requires taking control of peripheral devices (such as a camera or microphone).
There are other suggestions, of course. As it stands, the proposed amendment allows the FBI to use a wide array of invasive (and potentially destructive) hacking techniques where it may not be necessary to do so, against a broad pool of potential targets that could be located virtually anywhere.
Of course, why would the DOJ ever limit itself when it has the chance to get access to an even more powerful tool for hacking into anyone’s computers?
Filed Under: anonymity, cooperation, diplomacy, doj, fbi, hacking, overseas, tor
Comments on “DOJ Proposal Would Let FBI Hack Into Computers Overseas With Little Oversight”
Yet another government agency making America less safe
I wonder if anyone at the DOJ or FBI has paused long enough(5 seconds should be plenty) to realize that if this goes through, and they act upon it, they’ll have basically declared world-wide open season on any US computers or systems that any other country wants to ‘investigate’. I mean, if the FBI and DOJ are going to operate on a ‘shoot first, look into getting permission only if you get caught’ method, then they’ll have pretty effectively eliminated the government’s ability to be taken seriously if some other country does the same to the US.
Unfortunately, I’m guessing that even if they have realized this, they just don’t care, because the hacked/infected/compromised computers aren’t likely to be their computers, so why should they worry, they’ll just use US computers getting hacked as ‘evidence’ that they need more power to ‘fight the increasing threat of cyber attacks!’
Re: Yet another government agency making America less safe
they’ll have basically declared world-wide open season on any US computers or systems that any other country wants to ‘investigate’.
Just so. Foreign investigators would have little trouble justifying investigations into American public officials related to more than 100 “extraordinary renditions” from EU soil alone, plus many more around the world. They would have little trouble justifying investigations into the many US companies now linked to NSA spying and hacking. Or banks and investment firms tied to the 2008 collapse. And there are the usual mundane anti-trust, environmental violations, kick-backs and other crimes.
As always, turn-about is fair play.
Re: this is the jungle
they’ll have basically declared world-wide open season on any US computers
Yep, and along the NSA mischiefs the chinese and russian hackers can’t be blamed anymore. Try to cover all your holes, this is the jungle.
Re: Yet another government agency making America less safe
You’re right on all points; let me add a few of my own.
1. “Where is a computer located?” is a non-trivial question with decidedly non-trivial answers. If I am in country A and I establish a VPN connection to a termination point in country B, then I am, for all functional purposes, on a network in country B and my traffic is indistinguishable from that of hosts which physically connected to that network. (That’s kind of the point of VPNs, after all.) So is my computer in country A or country B? And how would a third party know which?
2. Of course even if definitive knowledge to the question posed in (1) is available, that doesn’t mean that the answer will remain the same indefinitely: there are these things called “laptops” and “tablets” and “mobile phones” and “portable devices” that may move across multiple national borders in a single day. So while country C might not really care that a citizen of country D had her laptop hacked while on their soil, when she goes home to country D, they might.
3. Distributed operations are reaching the point where it’s not really possible to say where a particular (virtual) host actually is or where a particular (virtual) data store is, or for those answers to have persistent meaning. It’s entirely possible for a targeted system in country E to actually be in country F by the time the hack is done.
4. There’s no such thing as a backdoor that only works for the first person to open it. This actively weakens the security of any targeted system in country G, which by the way includes the enemies of country G, who are occasionally also the enemies of the US. I’m sure those adversaries will be delighted to find that the FBI is making their lives easier.
5. One of my favorite sayings is from Isaac Asimov’s character Salvor Hardin, who appears in “Foundation”: “It’s a poor atom blaster that won’t point both ways.” If the FBI pursues this course of action, then they should expect to have the favor returned by any country with the resources to do so. At least one of those countries has already shown enormous sophistication in its attacks and also enjoys an arbitrarily large manpower advantage.
6. This clearly eliminates the FBI as an investigative agency for domestic incidents, since it can no longer be established that they weren’t the ones responsible. How can anyone trust them to investigate honestly when — if evidence emerges that the FBI itself is culpable — they will surely suppress that evidence?
Re: Re: Yet another government agency making America less safe
These are good points however on the first one is a little bit incorrect and everyone should be aware of it. Even if you use a VPN they can still tag your traffic. When it comes out the endpoint on its way to the internet and back it will be captured unencrypted, At this point they fingerprint the browser data sent with the GET request and measure the size and timing of the packets on either end of the tunnel to see who is who.
Its not only possible its easy at this point. The only way this is defeated is by using tor, or something like scramblesuit with OpenVPN which is a TOR pluggable transport, it randomizes the traffic fingerprint and inter arrival times of packets. The other way to make yourself safer is to ensure you are using end to end encryption so that when your traffic comes out of the VPN endpoint it is still encrypted, however packets length and arrival times can still be measured.
Re: Re: Re: Yet another government agency making America less safe
You’re partially right about this, but you make two assumptions which aren’t necessarily true: (a) that traffic emerging from the far side of the VPN tunnel will traverse the Internet and (b) that a web browser is in use.
I use VPNs all the time in situations where neither of those is true: in fact I’m using one right now which terminates on a host which can’t reach the Internet.
As to the packet length/timing distinguishing making traffic distinguishable: yep. I tend to think future improvements in VPN technology will make that more difficult, but that might be just wishful thinking on my part.
Re: Re: Re:2 Yet another government agency making America less safe
It’s easy to avoid size and timing fingerprinting, if you aren’t concerned about wasting bandwidth (the tor project is concerned about wasting bandwidth, which is why they don’t do it).
To avoid size fingerprinting, always pad your data packets to a fixed maximum size.
To avoid timing fingerprinting, use a leaky bucket to pace your packets (so the inter-packet timing is always the same), and send an empty packet (still padded to full size) when you don’t have any real data packet to send.
Both measures together turn your VPN channel into a fixed-bandwidth channel, from which no size or timing information can be extracted. The only leak left is an active denial-of-service attack (flood the source endpoint, watch the target endpoint stop sending cleartext traffic), or its accidental version (wait for a fiber cut breaking the VPN channel, see what cleartext traffic stops showing up in the other end).
Damn Communists! Hack ’em all! Communism is going to destroy America!
Nope. The FBI’s remit is supposedly internal. Allowing them to illegally access sensitive invormation is actively worse than letting the actual criminals obtain that info, because these criminals think they’re above the law.
And as for the clown who recommeded this in the DoJ, he should be arrested for treason on the basis of these actions, given that they could easily be considered a casus belli for any country that doesn’t like this. Because at least the Russians and the Chinese have a degree of plausible deniability.
And when you have less morality than the Chinese Government, you know you have severe and dangerous issues.
Not good suggestions
It seems that a lot of Ghappour’s suggestions are just rephrasings that can be interpreted the same way as what the DOJ is actually proposing.
The Rule should not authorize:
drive-by-downloads – Already deployed against Tor users
indiscriminately infecting computer systems along the way to the target – Stuxnet in Iran
taking control of peripheral devices (such as a camera or microphone). – DROPOUTJEEP for iPhone
Looks like the DOJ already has all the boxes checkmarked.
Open invite
This will be an open invitation to cyber terrorists and hackers world wide. I can smell the honey pots cooking already, no more excuses needed have at it.
Question
Based on all of the revelations about the NSA and other agencies and their spying capabilities and tendencies, isn’t it entirely possible that this is already happening?
Most of what the NSA and other agencies do is justified after the fact, through secret legal memos and secret court decisions, that go back and retroactively justify what is going on.
Because we now see the DOJ asking permission, isn’t it likely that this has been going on for some time, and their just now making it “legal?”
Re: Question
“isn’t it entirely possible that this is already happening?”
Not just possible, but very certainly. The NSA does this.
“Because we now see the DOJ asking permission, isn’t it likely that this has been going on for some time, and their just now making it “legal?””
It’s already “legal” for the NSA to do this. I think what’s happening here is that the FBI wants the same power.
Re: Re: Question
Yes, the NSA already has broad spying powers. And the CIA. Now the DoJ and the FIB want some.
Shouldn’t the local Ferguson PD also be allowed to do international hacking in order to determine what other, additional illegal activities a Ferguson MO citizen is engaging in if they are anonymous? The crime of being anonymous online should be more than probable cause.
Re: Re: Re: Question
What was your last name again?
And I can’t seem to see your face in that profile picture, there is a big shadow over it.
Ah, don’t worry about it, “DannyB.” With this fancy new software the DOJ is asking for permission to use (Which we have been using for the last two years anyway), we can just turn on your webcam and get a well lit photo ourselves. Don’t want to inconvenience you at all.
Oh, and just to make sure the laptop isn’t stolen (there’s your investigation!), we’ll just access your internet history and track which router your MAC address accessed the internet from, and cross-reference that with the names of people living on the street. No need to provide your last name – again, we don’t want to inconvenience you.
By the way, what ISP do you use? We’d like to streamline the process – wait, I bet it’s either Comcast, AT&T, or Verizon. No worries, we’ll take it from here.
Any questions, “DannyB?”
Re: Re: Re:2 Question
I should have put a sarc tag.
Re: Re: Re:3 Question
As soon as I hit “Submit” I thought “Wait a second….”
Re: Re: Re:4 Question
You’ll notice I said FIB instead of FBI.
Re: Re: Re: Question
I sense snark in your comment, but just in case…
“Shouldn’t the local Ferguson PD also be allowed to do international hacking in order to determine what other, additional illegal activities a Ferguson MO citizen is engaging in if they are anonymous?”
No.
“The crime of being anonymous online should be more than probable cause.”
Being anonymous online is not a crime and it’s a pretty huge stretch to call it probable cause of anything. Most people I personally know try to maintain online anonymity, and none of them are breaking laws (that I know of — at the very least, their desire for anonymity has nothing to do with any such lawbreaking.)
DOJ Proposal? DOJ?
The DoJ thinks they are now the police force for the world? They think they can create a law here to allow them to do things in other countries? That making it legal here is going to shield them in those other countries? The DoJ believes they have jurisdiction over our military? The NSA is a military organization as they are under the Pentagon which is part of the DoD.
Re: DOJ Proposal? DOJ?
Disregard the NSA comment.
I should have referred to the FBI.
It is worth noting for many that the NSA is a military organization anyway.
We need to be prepared for all of the prefix-wars that we are firing the first shots in.
Dreifrontenkrieg all over again
The U.S. is declaring global cyberwar on every other nation.
It wasn’t any smarter when Hitler did it, but then if the U.S. had bothered to learn from history, it would not be where it is now.
Re: Dreifrontenkrieg all over again
You’ve forgotten your history. One of Hitler’s biggest supporters (before he turned on them) and heroes was the USA.
and yes I know verboten is used incorrectly.
America = Hypocrite
Hypocrites are usually the most hated types of people, but apparently it was never out of vogue for Nations and the USA has now OPENLY joined on that bandwagon.
Nothing is really new here guys, this is something that the USA and every other country has been doing all along… the difference is now that the self-righteous USA has decided to acknowledge that they have tossed their hat into the same camp as the rest of the bastard governments the world over.
Truly nothing new under the sun!
I think they’ve forgotten their jurisdiction
only covers the US, I’m not sure (and could be wrong) how they could be considered anything but hackers outside of US borders/ territories , If they gain access to a non US Persons computer.
https://en.wikipedia.org/wiki/Federal_government_of_the_United_States
What's the problem?
They’re only talking about hacking people who are committing the crime of being anonymous online.
None of us law abiding citizens would be guilty of that.
If you’ve got nothing to hide, you have no reason to be anonymous.
/s
Re: What's the problem?
Double irony points for being an anon while posting that.
sounds familiar
This sounds like something that Mudge talked about in his defcon talk “Defcon 21 – Unexpected Stories – From a Hacker Who Made It Inside the Government”
here is the link if you are interested:
http://youtu.be/h9wXq6oRBnI
First the Congress had to declare war. Then the President pulled in the ability to create de facto wars. Now the FBI wants that same ability without any accountability.
Does anyone doubt that Stuxnet would have likely started a war if it had been performed against a nation that had a chance of winning a war against the US — China for example?
But Iran is too weak, so they had to eat this offense.
If Cyberspace is like the Oceans then does that make the FBI equivalent to Somali Pirates ?
Re: Re:
Worse, they have the backing of US nuclear weapons if anyone should try to fight back.
This could involve placing malware or keylogging or virus type, software on target pcs, or foreign networks,
so you attack a whole network or isp cos 1 bad person might be using it.
The problem is this leaves back doors in the network which could be used by hackers or other persons to say steal id,s ,credit card info or financial info .
IT seems the usa is ready to go to cyberwar on any country ,or network,
in order to catch 1 suspect.
ITS not as if some us devices and software don,t have backdoors , built in to them already.
This is the software equivalent of bombing a school containing
children to kill 1 enemy .ie total overkill .
Re: Re:
This is the cyber equivalent to a drone strike? So what? The US government already engages in them.
Indirectly they are claiming they want the ability to hack the computers of US citizens while not saying so. All that is needed to make domestic computer users IDed as out of country is to put up a relay that bounces the data line of a US citizen to another country before it comes back to the US and bingo, everyone is foreign they are interested in.
Take one moment to think about how any law is stretched out of bounds to read it is legal and permissible under the present government attitude and you can not help but come to this conclusion.
could someone please tell me what right the DoJ thinks they have to hack into anyones computer whether inside or outside the USA? does it think it already has the go ahead to use USA laws everywhere? i know the USA is trying to do that but wasn’t aware that everywhere had been stupid enough to let it take over!!
smart ideas
they saying is smart crooks become cops
now I guess the smart hackers should join the DOJ or FBI
“we don’t need any stinking warrants or any of those what do you call them LAWS”
they tried this 15 years ago
and they got pwned and then rooted and a mug was made and sold in stores of the hack with the code on it at cafepress
dont be retards, and start us all weaponizing cause you fucktard americans are only 300 million of 7.1 billion
and yes i have the original mug photo thought about posting it form a personal webserver but why have myself get needlessly targeted by more fucktard americans
i swear your nation will be the death of humanity
SMARTEN THE FUCK UP
Re: they tried this 15 years ago
The irony is that this is the most stereotypically “American” sounding comment I’ve read in a long time.
Judge Shopping?
Am I misreading this as authorizing the FBI to go magistrate-judge shopping in any districts with connections to the Internet to get warrants for targets that may have committed a crime and have at some time in the past used anonymization software? In other words, everyone?