Documents Show FBI Impersonated Newspaper's Website To Deliver Spyware To Suspect's Computer

from the a-free-(and-exploitable)-press dept

Spend enough time staring at redacted documents liberated from secretive government agencies and you’re bound to miss a thing or two on the first pass. Chris Soghoian, technologist for the ACLU, was browsing through some FBI documents [pdf link] obtained by the EFF and came across this:

In 2007, FBI sent malware via a link intended to look like a Seattle Times/AP story. https://www.eff.org/document/fbicipav-08pdf … at pages 61-62.

The documents date back to 2008 and were obtained by the EFF in 2011. What Soghoian caught fills in the blanks in this story from 2007.

FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News…

The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.

The court documents didn’t detail how the FBI managed to install the weaponized payload on Glazebrook’s computer. The emails obtained by the EFF, however, expose the electronic paper trail.

The CIPAV (Computer and Internet Protocol Address Verifier) made its way to Glazebrook’s system via a Myspace message sent by the FBI… which was impersonating the Seattle Times.

Is this really what we want our investigative agencies to be doing in the name of public safety? Soghoian says no.

“The ends don’t justify the means. I’m not saying that the FBI shouldn’t be investigating people who threaten to bomb schools. But impersonating the media is a really dangerous line to cross.”

The Seattle Times isn’t too happy, either. Editor Kathy Best says the paper is now “seeking answers” from the FBI. Best’s full statement on behalf of the Times is short, but deeply critical of the agency’s actions.

We, like you, just learned of this and are seeking answers ourselves from the FBI and the U.S. Attorney’s office.

But we are outraged that the FBI misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect. Not only does that cross the line, it erases it.

Our reputation—and our ability to do our job as a government watchdog—is based on trust. And nothing is more fundamental to that trust than our independence from law enforcement, from government, from corporations and from all other special interests. The FBI’s actions, taken without our knowledge, traded on our reputation and put it at peril.

The FBI has already responded (somewhat) to Best’s statement, deploying the usual deferrals to public safety and agency investigatory procedures.

“Every effort we made in this investigation had the goal of preventing a tragic event like what happened at Marysville and Seattle Pacific University. We identified a specific subject of an investigation and used a technique that we deemed would be effective in preventing a possible act of violence in a school setting. Use of that type of technique happens in very rare circumstances and only when there is sufficient reason to believe it could be successful in resolving a threat. We were fortunate that information provided by the public gave us the opportunity to step in to a potentially dangerous situation before it was too late.”

TL;DR: The public should be counting its blessings rather than examining our questionable methods.

Taken at face value, Special Agent Frank Montoya Jr. is basically saying that the FBI will abuse its power (and the reputations of others) whenever it determines such methods to be necessary to achieve its goals. Not really a comforting idea at all, and one that basically confirms Soghoian’s suspicions: the ends will be used to justify the means, no matter how potentially damaging the means are.


Comments on “Documents Show FBI Impersonated Newspaper's Website To Deliver Spyware To Suspect's Computer”

44 Comments
Mason Wheeler (profile) says:

This hits close to home for me. I used to live in Marysville. I didn’t go to the high school that got shot up last week, but I’ve got more than one sibling who did. And if the FBI managed to stop that from happening at another high school, yes we should be counting our blessings! That’s exactly what they’re supposed to be doing.

I really don’t see what Kathy Best is complaining about, to be honest.

The FBI’s actions, taken without our knowledge, traded on our reputation and put it at peril.

How so? If someone did something bad while impersonating me, and no one knew about it, it has not harmed my reputation in any way.

If someone did something bad while impersonating me, and no one knew about it, and the first that anyone found out about it (including me!) was when it came out that I had been impersonated… this still has not harmed my reputation in any way, because everyone knows that it wasn’t really me who did it.

Seems to me the only possible way that such a scenario could harm my reputation is if it came out that I wasn’t being impersonated after all, but that I had been complicit in doing the bad thing in question. But no one is even suggesting that that is the case, so I really don’t see Ms. Best’s point.

Congratulations and bravo to the FBI. Finally a bit of good news, after all the stupid crap they’ve been caught at lately!

Anonymous Coward says:

Re: Re:

How so? If someone did something bad while impersonating me, and no one knew about it, it has not harmed my reputation in any way.

Because now every time someone visits a page saying it’s from the Seattle Times site, they’ll wonder if they’re looking at a legitimate page, or some government plant. Should the government really get into the business of what is essentially phishing?

A government entity co-opting the identity of the press compromises the freedom of the press, regardless of reputation or outcome.

I think that should be seen as an unconstitutional act.

John Fenderson (profile) says:

Re: Re:

While I agree that the “reputation” argument is perhaps overstated, I completely understand what they mean by that. From the point of view of the Seattle Times, they are probably thinking that links to ST stories will now be viewed with suspicion by default and are therefore less likely to be followed.

I think the real issue, though, is a bit larger. It used to be that people would feel the need to be cautious just when following links to “sketchy” or non-mainstream websites. This incident alerts people that they need to be cautious about links to any website at all.

From my security point of view, this isn’t a bad thing because people should be cautious about it in general (mainstream websites are occasionally a source of malware too, after all). But I understand why people running those websites would prefer their readers to not feel nervous about going to their site.

Mason Wheeler (profile) says:

Re: Re: Re:

From the point of view of the Seattle Times, they are probably thinking that links to ST stories will now be viewed with suspicion by default and are therefore less likely to be followed.

And anyone who thinks that is an idiot. Do they really believe that the FBI would try the exact same thing again, now that everyone’s watching for it? The Seattle Times is probably one of the safest sites to visit right now, because that same trick can’t be used again.

Besides, have a close look at the document. The kid fell for one of the oldest phishing tricks in the book: he didn’t check the URL carefully. The site he got pointed to was not seattletimes.com, but nwsource.com, essentially a smaller, more local version of Craigslist. Someone at the FBI set up a page on there that would look like a newspaper site, but this does (or should do) nothing to make anyone leery of going to the Seattle Times site. From all appearances, at no time was seattletimes.com or the organization The Seattle Times hacked or compromised in any way.

From my security point of view, this isn’t a bad thing because people should be cautious about it in general (mainstream websites are occasionally a source of malware too, after all).

Exactly. I first saw this about 10 years ago (don’t remember if it was 2003 or 2004) when my virus scanner’s web security started alerting me to malware on a fairly large, very legitimate site. A bit of research on my part showed it was coming in through banner ads. I alerted them to the problem, and at first they angrily denied serving malware. I responded, reiterating that this didn’t appear to be their fault at all, but the fault of their banner ad provider, and they actually looked into it and switched ad networks very quickly.

But I understand why people running those websites would prefer their readers to not feel nervous about going to their site.

Again, no one has any reason to feel nervous going to their site. The whole point here is that this guy didn’t go to the Seattle Times site; he got phished into going to a site that was set up to look like it, but was hosted on a different server and under the control of the FBI.

Anonymous Coward says:

Re: Re:

Nobody is saying that the FBI shouldn’t try to stop things like school shootings.

However, impersonating the Seattle Times is cheap, sleazy, lazy, unethical, and stupid. If that’s the best that the FBI, allegedly the nation’s top law enforcement agency, can come up with, then a whole bunch of people should be fired and blacklisted from police work for life.

Police work is hard because it’s supposed to be hard. We could make it easy for them by giving them unlimited power (something they keep grabbing for anyway) but we don’t, because we recognize that while it might result in temporary safety, the long-term result is disastrous for society. So we make it hard on purpose by imposing numerous restraints (e.g. “get a warrant”) and we accept that once in a while, one of those restraints will get in the way. So be it.

The people who choose to work in law enforcement should be keenly aware of that, and accept it. They should be doing police work — grinding, boring, relentlessly detail-oriented, careful, exacting police work — because that’s what they signed up for. Doing an end-around because it’s expedient is not only completely unprofessional, it endangers civil society far more than even the most deranged school shooter.

Anonymous Coward says:

Re: Re:

“this still has not harmed my reputation in any way, because everyone knows that it wasn’t really me who did it.”

Except that now they know that things ‘from’ you could also be ‘from’ the FBI trying to trap them. They now trust communications ‘from’ you less. If your entire business is based on people trusting you via your website, yes, you’ve been harmed. They aren’t going to visit your website because they know that links to your website could also be an FBI sting operation.

Mason Wheeler (profile) says:

Re: Re: Re:

Yes, except that this was obviously not from the Seattle Times. Look at the URL. Anyone who knows anything about how the Web works can recognize that instantly as a phishing attempt. (And anyone who doesn’t, in this day and age, is too dumb to be using the Web… just like this kid, who walked straight into a transparent phishing attempt and got busted by the FBI. QED.)

If anything, the Seattle Times should seize on this and turn it into an opportunity to teach people how to recognize and avoid phishing attempts.

Anonymous Coward says:

Re: Re:

I can see an argument, not that I necessarily agree with it, if they have done their due diligence and can convince a judge that a criminal act is being performed and they can’t catch the perpetrator without this act. However, it does seem likely that in this case they could (and should) also have first obtained a warrant for the myspace account, which would probably have obviated the need for this action.

This story reads like the investigators got to the first hurdle then said “the hell with it” and took an illegal and unnecessary shortcut. It’s only a short step from that to outright, if small, illegal behavior motivated purely by the investigators’ self interest and the fear is always there that this will simply get worse without any real check.

yourmom (profile) says:

Re: Re:

First I just wanna say, I completely sympathize with your personal situation and do not fault you at all for your opinion.

BUUUUT the problem is that if nobody says anything, then it sets a precedent and basically lets the feds think they can do more shady shit in the name of terrorism and no one will have a problem with it.

The DEA was recently just caught using past defendants identities to make fake Facebook profiles so they could chat up their drug dealers in order to get them to incriminate themselves.
Where is the line?!

Mason Wheeler (profile) says:

Re: Re: Re:

That’s simple. What the DEA did was identity theft, in actual fact if not necessarily in the legal sense (because there’s probably some law somewhere protecting them from it.)

What the FBI did does not involve taking over or compromising any resources owned by any third party. The Seattle Times was not harmed in any way. It was a straight-up, plain-vanilla phishing attempt like the ones you probably get a dozen of every day in your spam folder, and the kid fell for it.

PaulT (profile) says:

Re: Re:

“How so? If someone did something bad while impersonating me, and no one knew about it, it has not harmed my reputation in any way.”

He said “put it at peril”, not “damaged it”.

This time, everything went extremely well and only the intended target was affected. That doesn’t happen every time as we well know. This was as targeted as it could have been, but the paper would have been left with the fallout if anything had gone awry. That’s what he’s talking about.

hoare (profile) says:

who?

“I’m not saying that the FBI shouldn’t be investigating people who threaten to bomb schools. But impersonating the media is a really dangerous line to cross.”

drug dealers
drug buyers
doctors
lawyers
terrorists
politicians

who doesn’t law enforcement impersonate?
The trick is to get them to START impersonating peace officers.

cosmicwonderful (profile) says:

“Taken at face value, Special Agent Frank Montoya Jr. is basically saying that the FBI will abuse its power (and the reputations of others) whenever it determines such methods to be necessary to achieve its goals.”

It’s worse than that. The FBI is saying it will do anything it wants if it thinks it could be effective.

Re-read the FBI’s justification:

We identified a specific subject of an investigation and used a technique that we deemed would be effective in preventing a possible act of violence in a school setting. Use of that type of technique happens in very rare circumstances and only when there is sufficient reason to believe it could be successful in resolving a threat.

That’s not specific to phishing or malware; it’s not specific to anything. It’s not limited by circumstances or employed with regard to constitutional or statutory guidelines. All it says is techniques will be used when the FBI thinks there is sufficient reason to believe the techniques could be successful.

Feel free to fill in any “techniques” you want in that paragraph. I’m not always worried about slippery slopes, but I am when the FBI’s response to a legitimate concern is “we will position ourselves wherever we choose on the slope.”

Lord_Unseen (profile) says:

Re: Re:

Huh. Rereading that, you know what words I don’t see? I don’t see “acceptable” or “justified” or anything even remotely related to that. You know what word I do see though? Effective. Apparently, that’s the only measurement for a law enforcement technique that is worth anything. So, I guess these days you don’t even have to try to justify your methods. All they need to do is “work”, in whatever loose definition you want to apply to that word.

Anonymous Coward says:

Re: Missing the point

At least this was targeted on a real suspect and not some mass “collect it all” mentality. Don’t make bomb threats and the FBI won’t try to infect your computer. Tricking one possibly dangerous individual into clicking on a link is not going to destroy the Seattle Times.

Don’t have a name too similar to a wanted criminal and you won’t be subject to an unnecessary and dangerous “felony stop” (cops approach the car pointing guns at the driver, ready to shoot at the slightest provocation, in the name of officer safety, of course). Don’t look “suspicious” (law enforcement definition) and you won’t be subject to an unconstitutional search. Don’t look like you’re trying to avoid looking suspicious. Don’t share an Internet (or e-mail or MySpace or …) account with someone who might be one of these things and you won’t get caught in the middle. Do I need to go on?

OldGeezer (profile) says:

Re: Re: Missing the point

I’m not even beginning to defend all the mistakes and abuses that do happen. It does appear that in this one situation this guy was an already strong suspect. They did arrest the right person. They had no reason to not believe that the threats may be credible and kids could die. Couldn’t that fall under the category of “exigent circumstances”? If the police arrive at a scene and they hear gunfire or someone screaming for help they don’t need a warrant to kick in the door.

Uriel-238 (profile) says:

Re: Re: Last I checked "suspect" means a POTENTIAL criminal.

Essentially you, I and everyone on this site are suspects for every crime ever until we are ruled out.

They’re attacking the computer systems not of someone who committed a crime, but someone the FBI thinks might have committed a crime. They don’t know.

And suspicion is cheap these days.

OldGeezer (profile) says:

Re: Re: Re: Last I checked "suspect" means a POTENTIAL criminal.

There can be degrees of certainty about the guilt of a suspect. Sure, even you or I could technically be a potential suspect but with zero evidence it is extremely unlikely we would be investigated. It sounds like they were already certain they were on exactly the right track and they just needed one last piece to identify him. They could have potentially been looking at another Oklahoma City here. If you had a kid attending that school would you be so quick to condemn what they did? Columbine could have been many times worse had the propane bombs not failed to detonate. If 100 kids died in a school bombing would you have been so glad if the FBI did not potentially violate anyone’s rights? I think the government is wrong in many of their tactics so much of the time but in this one case they did what needed to be done when they were facing a real possibility of a major terrorist attack. Can you suggest another way they could have quickly identified the suspect without pushing any possible legal boundaries? Police are allowed to use deception to identify or incriminate a suspect. At trial it is up to the defense to determine if rights were violated.

John Fenderson (profile) says:

Re: Re: Re:2 Last I checked "suspect" means a POTENTIAL criminal.

Disclaimer: I have no opinion on whether or not what the police did here was justifiable, and am not making an assertion either way. But, this jumped out at me:

“Sure, even you or I could technically be a potential suspect but with zero evidence it is extremely unlikely we would be investigated.”

…unless we’ve said or done something that has made someone with power angry, or are a member of a socioeconomic class, nationality, race, creed, etc., that they don’t like.

Uriel-238 (profile) says:

Re: Re: Re:2 We don't have degrees of suspicion.

In our justice system, we have degrees of proof, but there is no delineated meter of suspicion nor a definition of what exactly reasonable suspicion means, and our law enforcement has already demonstrated that they cannot be trusted with leaving such definitions to the intuition of individual officers. The clear preference of non-whites when selecting targets of the NYC stop-and-frisk program illustrates this problem.

Sure, we could have more killing rampages, or those that have occurred could have been worse, but even if the incident statistics of these increased, they are, by magnitudes, far removed from the greatest dangers to human health and welfare, and we put much less recourse into fixing those problems that are (such as reforming health care, eliminating poverty and hunger, etc.), so arguing that letting Law Enforcement destroy our lives, property and trust for our own good is intellectually dishonest.

Yes, police are allowed to use deception to identify or incriminate a suspect, to the point that we get far more false positives than true ones. When we falsely incriminate (which our DoJ is ravenous to do in today’s political clime), everyone in prison becomes a political prisoner, even those we know who committed political crimes. The only fair grounds by which a justice system can legitimately mete out rulings and penalty in violation of human rights is due to its thoroughness in determining the truth.

And they don’t. Repeatedly.

In the 70s the US averaged about 500 SWAT raids a year for hostage-barricade situations. In 2013 we had about 50,000, most on houses innocent of any crime that might warrant a SWAT raid. In those, many people, including children are getting murdered by the police. We have evidence that the police cannot be trusted with powers they have, and that they have no regard whatsoever for the innocent civilians whose lives they affect.

Uriel-238 (profile) says:

Re: Re: Re:3 This is what I get for posting before coffee...

… When we falsely incriminate (which our DoJ is ravenous to do in today’s political clime), everyone in prison becomes a political prisoner, even those we know who committed heinous crimes

On Bastille day, the pot smokers, rapists, serial murderers and hacktivists all walk, alike. If half of them are innocent, the problem with a corrupt justice system is we don’t know which half.

GEMont (profile) says:

Re: Re: Re:3 We don't have degrees of suspicion.

“We have evidence that the police cannot be trusted with powers they have, and that they have no regard whatsoever for the innocent civilians whose lives they affect.”

That is, pretty much, a working definition of a Police State.

Under such circumstances, regardless of the nation in which it occurs, the public is the enemy and the Police are the Soldiers, so in truth, no quarter and no mercy being shown to the enemy by such soldiers in such an undeclared war, is to be expected.

In other words, under the current Regime, the American Police Forces are doing an exemplary job.

Anonymous Coward says:

Parallel construction?

It’s not easy to infect a computer with malware.

First, the user has to click on a link or do something stupid like visiting a website with Javascript or Flash enabled.

If the user runs Linux and his browser inside a hardened vm, I can’t see how the FBI has gotten software on his computer.

Did the user run Linux or did he do something stupid?

If not, maybe parallel construction is a possibility.

David says:

Here's the gist:

Every effort we made in this investigation had the goal of preventing a tragic event like what happened at Marysville and Seattle Pacific University.

So the argument is not “this was legal” or “we bothered getting a warrant” or “there was any attempt of judicial oversight or heeding the law” but rather “well, it worked”.

The problem with that is the only reason we got to hear of it is because it worked. Since the FBI doesn’t bother following the warrant requirements, this could be a lucky shot among millions that did not work. Maybe they are shooting everybody preemptively anyway and dig out the dirt whenever they need it.

That would explain why they would not bother getting a warrant even in such cases. Would be after the fact anyway.

Actually, there is precious little information about who else got bugged in the process of this investigation alone. Perhaps the number of compromised computers is such that no judge would have signed off on a warrant anyway.
