from the a-free-(and-exploitable)-press dept
In 2007, FBI sent malware via a link intended to look like a Seattle Times/AP story. https://t.co/Se9f0NXGd1 at pages 61-62. — Christopher Soghoian (@csoghoian) October 27, 2014
In 2007, FBI sent malware via a link intended to look like a Seattle Times/AP story. https://www.eff.org/document/fbicipav-08pdf … at pages 61-62.The documents date back to 2008 and were obtained by the EFF in 2011. What Soghoian caught fills in the blanks in this story from 2007.
FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News...The court documents didn't detail how the FBI managed to install the weaponized payload on Glazebook's computer. The emails obtained by the EFF, however, expose the electronic paper trail.
The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.
The CIPAV (Computer and Internet Protocol Address Verifier) made its way to Glazebrook's system via a Myspace message sent by the FBI… which was impersonating the Seattle Times.
Is this really what we want our investigative agencies to be doing in the name of public safety? Soghoian says no.
"The ends don't justify the means. I'm not saying that the FBI shouldn't be investigating people who threaten to bomb schools. But impersonating the media is a really dangerous line to cross."The Seattle Times isn't too happy, either. Editor Kathy Best says the paper is now "seeking answers" from the FBI. Best's full statement on behalf of the Times is short, but deeply critical of the agency's actions.
We, like you, just learned of this and are seeking answers ourselves from the FBI and the U.S. Attorney’s office.The FBI has already responded (somewhat) to Best's statement, deploying the usual deferrals to public safety and agency investigatory procedures.
But we are outraged that the FBI misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect. Not only does that cross the line, it erases it.
Our reputation—and our ability to do our job as a government watchdog—is based on trust. And nothing is more fundamental to that trust than our independence from law enforcement, from government, from corporations and from all other special interests. The FBI’s actions, taken without our knowledge, traded on our reputation and put it at peril.
“Every effort we made in this investigation had the goal of preventing a tragic event like what happened at Marysville and Seattle Pacific University. We identified a specific subject of an investigation and used a technique that we deemed would be effective in preventing a possible act of violence in a school setting. Use of that type of technique happens in very rare circumstances and only when there is sufficient reason to believe it could be successful in resolving a threat. We were fortunate that information provided by the public gave us the opportunity to step in to a potentially dangerous situation before it was too late.”TL; DR: The public should be counting its blessings rather than examining our questionable methods.
Taken at face value, Special Agent Frank Montoya Jr. is basically saying that the FBI will abuse its power (and the reputations of others) whenever it determines such methods to be necessary to achieve its goals. Not really a comforting idea at all, and one that basically confirms Soghoian's suspicions: the ends will be used to justify the means, no matter how potentially damaging the means are.