> By deleting the web shells, FBI personnel will prevent malicious cyber actors from using the web shells to access the servers and install additional malware on them
If the FBi is in your computer you have already lost. Your box is as good as dead and you might aswell do a full factory reset or it that's too bothersome, buy a new box. Sometimes buying a whole new box is cheaper than cleaning up malware using specialist tools.
This is very poor advice.
“If the FBI is in your box you’re already dead.”
No, in this case, they are fixing a hack. I don’t want them touching my stuff, but that’s hardly “dead”.
“Cheaper to buy a new box”
Reinstalling and reconfiguring is always cheaper than buying new and reconfiguring.
This reasoning is very poor, why did you feel the need to make this comment?
I don't think he means that because it's the FBI. I think he means that since the FBI is using the vulnerability itself to patch affected systems that you've already been compromised if the FBI is able to do this to your system.
It's a sticky wicket. A compromised machine is just that, compromised.
Someone recently posted a story about an exploit wherein the compiler itself was compromised to compromise a particular set of programs when compiling those programs. Including the compiler itself.
So closing this particular door does not mean that they didn't use their access to establish other doors. Or self-opening doors. Or any number of things. And you have no clue as to how far down it goes. This exploit could have compromised the boot loader or something. The only way to be completely sure is to essentially strip the machine to bare metal and audit every piece of software on it.
The safest thing to do, if you want to be completely sure, is to buy a new machine. And even then, you're trusting that the machine you bought hasn't been compromised by the manufacturer or something like that. But it's a known-ish quantity.
But that's a "nuke it from orbit" kind of option. Often, being completely sure isn't necessary. We can live with reasonably sure.
They're using the vulnerability in question to go in and eliminate that vulnerability, locking themselves out. It's like a cop seeing a wide open front door, and going into the threshold in order to reach the door handle so he can pull it closed. Did he go into the house? Yes. Because it was open, and only in order to close it.
Except you have no idea what else they're doing in there before they so nicely "close the door".
Besides, your metaphor doesn't work since cops aren't allowed to just enter a premise due to it being unlocked or open. That doesn't fall under any of the reasons to enter a premise without warrant. Leaving a door unlocked or open is not a crime that gives them free pass.
I really have a hard time understanding people's logic on here sometimes. Apparently the entire US government is systemically racist and evil but these same people want to give more power to this government? Which is it?
Really? They can't set one foot inside in order to reach the doorhandle if the door is 90 degrees open?
And what America are we talking about, "your rights according to the ACLU" America, media portrayals of America, or in-real-life common sense America where you can have a ten minute conversation with a policeman about everyday things with no worries because it's actually no big deal?
I guess. Reminds me of the time in Santiago de Chile we were fixing up a place and the door was ajar. A group of Jehova's Witnesses came in without knocking, holding their pamphlet in front of them in a noticeably odd way, in case they found anybody inside they'd be all about the pamphlet. I guess they thought it was their warrant.
That's pretty commonplace to clean up worms and the like. Once security professionals decompile the code enough to figure out where the control mechanism is and how it works, they will take control of it and use its own methods to get rid of it.
It's sort of the same logic given why we shouldn't require backdoors in general in devices: if the good guy can use it, so can the bad guy. Just, in this case it's being done in reverse.
This is probably a net positive for national security... but I still don't like it. I don't want the FBI doing anything to my computer without my permission.
What are you suggesting that by setting this precedent the US Government would use it to illegally and unconstitutionally harm people who are politically unpopular.
I do not think this would happen the US government is good the US government is right they protect you and keep you safe from evil terrorists who would try to hurt you. Please do not think about this too much, please go consume your next television show and remember to support any unpatriotic activity to your local authorities.
Let me tell you about the patriot act.... these things are always done under the guise of safety when in reality it just ends up giving them more power that eventually gets used in malicious ways and restricts our freedom more and more.
Sweet, since we now have the precedence that the FBI can invade your machine without permission whenever they want for national security reasons I can't wait the glorious future we have before us.
Now the FBI can access your machine and start modifying things because you are expressing displeasure at your public officials which is a sign of "terrorist behavior", oops you're using your blog to say things the government doesn't like they'll go ahead and delete that for you for national security. Oh you installed or even googled Tor well that is only used by drug dealers and terrorists so clearly you are a threat to national security they'll be cutting you off from internet access now.
Look, in The Netherlands, the largest grocery chain ( AH, Albert Heijn, Ahold ) has empty cheese shelves because their cheese-logistics-company got hacked through this vulnerability.
The Dutch, without cheese. Do you see the severity of the problem now?
Oh every time I fly to/from/through the Netherlands I always shop this 'net' with 4-5-6 different cheese(s). Pretty pricey at the airport, but definitely worth enjoying for the following weeks!
It is a Microsoft product, it would have been better if Microsoft was forced to push a patch for the vulnerability and code to remove the exploit in their AV definitions or their malicious software removal tool through Windows update.
Is it really that bad and different than what they do in the physical world? If someone breaks into your home and they are still inside when the police show up, they won't just give you a call and tell you someone is inside your home. They will go in there and get the criminal out of your home. The threat actors are actively stealing information and are inside the networks of many companies, some with the expertise to get rid of the bad guys but some without that expertise. Yes, invading networks without warrants to investigate and prosecute people would be extremely bad. But this seems like it falls on the exigent circumstances side of the law and doesn't sound so bad.
It's a tragic precedent that is the result of decades of technical debt. Of course I'm not at all surprised to learn that the feds would rather take more unchecked power for themselves than use their mouthpieces to pressure Congress into forcing an industry wide focus on security that has teeth. From top to bottom the internet of things needs to be redesigned to treat every port and every communicated bit as potentially hostile. In the current state of affairs it is not outside the realm of possibilities for a lone actor to use a few RCEs in Windows, *nix, android and iPhones to brick billions of devices overnight. We should be glad that terrorists and nation states are using 0 days with relative discretion for profit and reputation protection instead of destroying critical infrastructure that would take in the range of years to decades to rebuild. I fear that our generation is going to have to learn this lesson the same way the Japanese learned about the horrors of nuclear bombs. Shit. Imagine if stuxnet had been given the capabilities to smoke CPUs, RAM, HDDs or anything else it could get write access to, like water pumps, or pressure regulators.
> Of course I'm not at all surprised to learn that the feds would rather take more unchecked power for themselves than use their mouthpieces to pressure Congress into forcing an industry wide focus on security that has teeth.
I'm not sure this was an exercise of unchecked power, they got a warrant. I'm also not sure that the FBI has the ability to tell congress what legislation should or should not be enacted. To me, congress seems to be more beholden to their constituents around election time, then lobbyists and the rest of their party the rest of the time.
Yes, internet security sucks, but that is the world that we and the FBI find ourselves in. Legislation to fix that fact is somewhat plausible but I don't see it being that simple to enact. Security has always been about making a decision that balances risk with the amount of resources it takes to mitigate security risks. Sure, we could push towards perfect security with legislation, but productivity of companies and the economy will take a large hit and I don't see that as something that legislators can push for and expect to be elected again in the future.
Again, yes, our internet security sucks and that is the world we live in. A nation state actor infiltrated the networks of thousands of companies in the united states. The FBI is charged with protecting the citizens of the united states. I'm sure there are a few not so great members of the FBI, but the majority truly believe in fighting to protect our citizens. They followed the law and got a warrant for this action, and assuming they kept their word about what they would and would not touch, they took actions to kick those bad actors off systems of companies in the united states. If a nation state invaded a few thousand residences of our citizens, I would expect nothing less than FBI swat teams going in and solving the issue.
Given the stained, with the blood of innocents, history of law enforcement in the USA I'm infinitely skeptical of every action they take that sets new precedent for expansions of their powers. I recognize the need for law enforcement and largely support those involved, however they have earned their reputation with decades of bad decisions and will continue to be the subject of criticism, condemnation, and distrust until they can find it within themselves to relinquish unnecessary powers, right their wrongs, modernize their culture, and prosecute the numerous bad actors in their ranks.
As far as warrants go, I don't expect anything with "national security implications" to be denied, ever. Have you heard of the fisa court?
>11 denied requests out of around 34,000 granted in 35 years – equivalent to 0.03%
I'm not saying we need to burn down the internet and start over. But couldn't we toss 5-10 billion a year to leaders in the software world to design a secure os and hardware from first principles? Is humanity too vulnerable to individual whims like greed and lust for power ends prestige to accomplish such a feat? This country landed a person on the moon with computers less powerful than my cell phone, or laptop. We made the atomic bomb. Humanity is up to the task, I believe our leaders have lost their way and this article is more evidence of that.
Not quite the same. If someone installs a hidden microphone in my house, or a multi keyed lock (where they have a working copy) I really expect the Police to ask me before they come in my house to remove the offending equipment or change my lock for me.
If they come in the house uninvited then all they achieve is make me lose trust in them. I'll just start wondering how long until they abuse this and do it whenever it suits them, not me, if they're not doing it already.
I'm not sure it was exactly analogous to a microphone or a different lock in the physical world. The bad actors installed reverse shells, the shells could have been sitting idle, but they could have also have been in active use by the bad actors. In the physical world, cops have exigent circumstance rules that would allow them to go inside a residence in cases like that. Their first priority isn't normally making sure that the home owner won't be annoyed. But in this case, the fbi obtained a warrant since this is a gray zone.
Yes, it would have been more courteous of them to have notified people before they took the action, but the notifications could have prompted evasive actions by the bad actors if those notifications went public.
I doubt the fbi had sinister intentions about abusing anyone's rights. These were nation state bad actors, not just some kid in Virginia. If they kept their word about what they would and would not touch in the warrant, then I don't see why it's so bad that they proactively protect their citizens. China has had free reign to hack our businesses and it seems good to me that our government is standing up for those businesses and trying to help them some.
There's no perfect analogy between the real world and the digital one. This being said you're misconstruing the situation to make the "but terrorists" and "think of the children" argument. I've lived long enough to see people parrot the same claims over and over again, changing only the $enemy_of_the_day. What you have in those servers are the criminals' tools. The FBI went there to remove the tools, not the criminals.
So sure, if the Police sees a criminal in my house about to shoot me, walk right in, please. But I don't want them sneaking in without my explicit consent or a warrant to remove a gun left under my couch by a criminal.
I can easily turn the exact arguments you're using into supporting backdooring encryption. Or pretty much any "proactive" move that will "stop the Chinese". No amount of rationalizing will change the fact that you shouldn't force these "favors" on anyone. Pass a law that mandates something to the same effect to be implemented by the owners themselves, or by the vendor, once informed of the risk, under the threat of penalties if they don't.
> What you have in those servers are the criminals' tools. The FBI went there to remove the tools, not the criminals.
It was a reverse shell, they removed shell access that the criminals could use to do whatever they want on the affected servers. Yes, no one is actually inside of the servers that they are working on, but if you have a shell inside of a given server and are connected to it, I would consider you inside that server.
> So sure, if the Police sees a criminal in my house about to shoot me, walk right in, please. But I don't want them sneaking in without my explicit consent or a warrant to remove a gun left under my couch by a criminal.
Right, they did indeed have a signed warrant to perform these actions before they performed them.
> can easily turn the exact arguments you're using into supporting backdooring encryption.
To me, this and similar stuff like backdoor encryption are incredibly hard to solve because both sides of the argument make valid points. The law enforcement community are not all dumb luddites grasping for power for their own sinister means. They fight legitimate monsters and a lot of them only care about fighting those monsters. At the same time, the opposing argument that adding back doors and other similar things are extremely detrimental to security for the population at large. It is a trade off with no compromise that is acceptable to both parties at the same time.
> This being said you're misconstruing the situation to make the "but terrorists" and "think of the children" argument.
We live in a world with bad nation state actors, why exactly is it wrong to make the argument that there are bad actors that do bad things to a small minority of the population and that fighting those things is good? I don't think anyone would say that those bad nation state actors do not exist and are not doing bad things to companies in the United States. The intellectual thievery against companies in the United States is real and it has happened numerous times and is not some conspiracy theory peddled by law enforcement so that they can grab more power.
> Or pretty much any "proactive" move that will "stop the Chinese". No amount of rationalizing will change the fact that you shouldn't force these "favors" on anyone. Pass a law that mandates something to the same effect to be implemented by the owners themselves, or by the vendor, once informed of the risk, under the threat of penalties if they don't.
What exactly was wrong with the actions taken by the FBI that you so vehemently oppose? Do you really think that there was a single one the affected companies that would have rather left the reverse shells in place just because someone in the FBI running a script against their server to remove that shell would make them uncomfortable? The FBI are not legislators, they cannot pass laws to prompt companies to clean up those reverse shells. I highly doubt that their actions had sinister motives and the most likely occam's razer solution is that they were just trying to do a good thing for their country.
Sure, there could be a world where our laws are on the libertarian end of the spectrum where law enforcement officers don't come near the line that makes people uncomfortable. However, that route will have numerous trade offs that a lot of society will not like. Law enforcement has to tread a fine line where they prohibit bad actors from doing bad things so that society can live and prosper while at the same time not doing stasi-like stuff that will suffocate and control society. This issue and others like it are not black and white, both sides have valid points and tipping completely to either end of the spectrum completely doesn't seem like the best route. Their actions in this case don't seem too stasi-like to me.
Technically... they can. It's the same authority which has allowed organizations like Microsoft to take over botnet C&C systems. The CFAA has specific carveouts to allow unauthorized access with a court order.
This is actually the new frontier in the relationship between corporations and the government. The government now allows, within certain parameters, private enforcement of public policy, if one can show damage, and the government lacks the will (or resources) for enforcement.
The theory goes, that guy is breaking the law, and it's hurting my business, but since it's low priority for the government, I'm going to start a private enforcement action. Both very ingenuous and scary at the same time.
"The FBI obtained court approval to access vulnerable computers across the United States."
So, have you got it yet. In the interests of state security, security on your computer has been so diluted that anyone and his dog can get access to your so-called confidential records.
But, did you really believe that sitting behind an ISP, behind a 'basic' firewall (router), running Windows OS, with its firewall, and you would be safe if the FBIs/CIAs/NSAs of this world (USA, UK, China, etc.) want to take you down.. you stand a chance?
I assume that a more extreme step would be to notify the ISPs that serve specific IPs to cut them off. But that would break a lot of other things.
The search order is set-up by a redacted URL, so we can't confirm if the servers are actually in USA. Maybe a few of these are a little bit out of FBI jurisdiction. Nobody will be allowed to check their work.
The court order begins the path of setting a legal precedent for the next time a system is determined to need "FBI patching."
One clever side effect I haven't seen mentioned here -- No matter how little these particular companies care about IT security, or infrastructure in general, a letter to the legal department from the FBI ought to provide a kick in the pants.
Noob here. Does this imply the FBI can just remote control any PC in the US? How does that work (apart from having the client running on your computer of course)
This is a terrible precedent and never should have been rubber-stamped by the court. I hope this attracts enough attention to bubble up to the Supreme Court and the FBI gets slapped. The correct action, if any, would have been to get a court order allowing the offending sites to be disconnected from the Internet.
53 comments
[ 2.3 ms ] story [ 124 ms ] threadIf the FBi is in your computer you have already lost. Your box is as good as dead and you might aswell do a full factory reset or it that's too bothersome, buy a new box. Sometimes buying a whole new box is cheaper than cleaning up malware using specialist tools.
“Cheaper to buy a new box” Reinstalling and reconfiguring is always cheaper than buying new and reconfiguring.
This reasoning is very poor, why did you feel the need to make this comment?
Someone recently posted a story about an exploit wherein the compiler itself was compromised to compromise a particular set of programs when compiling those programs. Including the compiler itself.
So closing this particular door does not mean that they didn't use their access to establish other doors. Or self-opening doors. Or any number of things. And you have no clue as to how far down it goes. This exploit could have compromised the boot loader or something. The only way to be completely sure is to essentially strip the machine to bare metal and audit every piece of software on it.
The safest thing to do, if you want to be completely sure, is to buy a new machine. And even then, you're trusting that the machine you bought hasn't been compromised by the manufacturer or something like that. But it's a known-ish quantity.
But that's a "nuke it from orbit" kind of option. Often, being completely sure isn't necessary. We can live with reasonably sure.
Besides, your metaphor doesn't work since cops aren't allowed to just enter a premise due to it being unlocked or open. That doesn't fall under any of the reasons to enter a premise without warrant. Leaving a door unlocked or open is not a crime that gives them free pass.
I really have a hard time understanding people's logic on here sometimes. Apparently the entire US government is systemically racist and evil but these same people want to give more power to this government? Which is it?
And what America are we talking about, "your rights according to the ACLU" America, media portrayals of America, or in-real-life common sense America where you can have a ten minute conversation with a policeman about everyday things with no worries because it's actually no big deal?
https://www.law.cornell.edu/constitution/fourth_amendment
I do not think this would happen the US government is good the US government is right they protect you and keep you safe from evil terrorists who would try to hurt you. Please do not think about this too much, please go consume your next television show and remember to support any unpatriotic activity to your local authorities.
Now the FBI can access your machine and start modifying things because you are expressing displeasure at your public officials which is a sign of "terrorist behavior", oops you're using your blog to say things the government doesn't like they'll go ahead and delete that for you for national security. Oh you installed or even googled Tor well that is only used by drug dealers and terrorists so clearly you are a threat to national security they'll be cutting you off from internet access now.
The Dutch, without cheese. Do you see the severity of the problem now?
Jeez.
Don't you worry about us, there is not and will never be a cheese shortage!
True to Poe's law, I honestly cannot tell if this was in jest or serious.
I'm not sure this was an exercise of unchecked power, they got a warrant. I'm also not sure that the FBI has the ability to tell congress what legislation should or should not be enacted. To me, congress seems to be more beholden to their constituents around election time, then lobbyists and the rest of their party the rest of the time.
Yes, internet security sucks, but that is the world that we and the FBI find ourselves in. Legislation to fix that fact is somewhat plausible but I don't see it being that simple to enact. Security has always been about making a decision that balances risk with the amount of resources it takes to mitigate security risks. Sure, we could push towards perfect security with legislation, but productivity of companies and the economy will take a large hit and I don't see that as something that legislators can push for and expect to be elected again in the future.
Again, yes, our internet security sucks and that is the world we live in. A nation state actor infiltrated the networks of thousands of companies in the united states. The FBI is charged with protecting the citizens of the united states. I'm sure there are a few not so great members of the FBI, but the majority truly believe in fighting to protect our citizens. They followed the law and got a warrant for this action, and assuming they kept their word about what they would and would not touch, they took actions to kick those bad actors off systems of companies in the united states. If a nation state invaded a few thousand residences of our citizens, I would expect nothing less than FBI swat teams going in and solving the issue.
As far as warrants go, I don't expect anything with "national security implications" to be denied, ever. Have you heard of the fisa court?
>11 denied requests out of around 34,000 granted in 35 years – equivalent to 0.03%
https://en.m.wikipedia.org/wiki/United_States_Foreign_Intell...
I'm not saying we need to burn down the internet and start over. But couldn't we toss 5-10 billion a year to leaders in the software world to design a secure os and hardware from first principles? Is humanity too vulnerable to individual whims like greed and lust for power ends prestige to accomplish such a feat? This country landed a person on the moon with computers less powerful than my cell phone, or laptop. We made the atomic bomb. Humanity is up to the task, I believe our leaders have lost their way and this article is more evidence of that.
If they come in the house uninvited then all they achieve is make me lose trust in them. I'll just start wondering how long until they abuse this and do it whenever it suits them, not me, if they're not doing it already.
Yes, it would have been more courteous of them to have notified people before they took the action, but the notifications could have prompted evasive actions by the bad actors if those notifications went public.
I doubt the fbi had sinister intentions about abusing anyone's rights. These were nation state bad actors, not just some kid in Virginia. If they kept their word about what they would and would not touch in the warrant, then I don't see why it's so bad that they proactively protect their citizens. China has had free reign to hack our businesses and it seems good to me that our government is standing up for those businesses and trying to help them some.
So sure, if the Police sees a criminal in my house about to shoot me, walk right in, please. But I don't want them sneaking in without my explicit consent or a warrant to remove a gun left under my couch by a criminal.
I can easily turn the exact arguments you're using into supporting backdooring encryption. Or pretty much any "proactive" move that will "stop the Chinese". No amount of rationalizing will change the fact that you shouldn't force these "favors" on anyone. Pass a law that mandates something to the same effect to be implemented by the owners themselves, or by the vendor, once informed of the risk, under the threat of penalties if they don't.
It was a reverse shell, they removed shell access that the criminals could use to do whatever they want on the affected servers. Yes, no one is actually inside of the servers that they are working on, but if you have a shell inside of a given server and are connected to it, I would consider you inside that server.
> So sure, if the Police sees a criminal in my house about to shoot me, walk right in, please. But I don't want them sneaking in without my explicit consent or a warrant to remove a gun left under my couch by a criminal.
Right, they did indeed have a signed warrant to perform these actions before they performed them.
> can easily turn the exact arguments you're using into supporting backdooring encryption.
To me, this and similar stuff like backdoor encryption are incredibly hard to solve because both sides of the argument make valid points. The law enforcement community are not all dumb luddites grasping for power for their own sinister means. They fight legitimate monsters and a lot of them only care about fighting those monsters. At the same time, the opposing argument that adding back doors and other similar things are extremely detrimental to security for the population at large. It is a trade off with no compromise that is acceptable to both parties at the same time.
> This being said you're misconstruing the situation to make the "but terrorists" and "think of the children" argument.
We live in a world with bad nation state actors, why exactly is it wrong to make the argument that there are bad actors that do bad things to a small minority of the population and that fighting those things is good? I don't think anyone would say that those bad nation state actors do not exist and are not doing bad things to companies in the United States. The intellectual thievery against companies in the United States is real and it has happened numerous times and is not some conspiracy theory peddled by law enforcement so that they can grab more power.
> Or pretty much any "proactive" move that will "stop the Chinese". No amount of rationalizing will change the fact that you shouldn't force these "favors" on anyone. Pass a law that mandates something to the same effect to be implemented by the owners themselves, or by the vendor, once informed of the risk, under the threat of penalties if they don't.
What exactly was wrong with the actions taken by the FBI that you so vehemently oppose? Do you really think that there was a single one the affected companies that would have rather left the reverse shells in place just because someone in the FBI running a script against their server to remove that shell would make them uncomfortable? The FBI are not legislators, they cannot pass laws to prompt companies to clean up those reverse shells. I highly doubt that their actions had sinister motives and the most likely occam's razer solution is that they were just trying to do a good thing for their country.
Sure, there could be a world where our laws are on the libertarian end of the spectrum where law enforcement officers don't come near the line that makes people uncomfortable. However, that route will have numerous trade offs that a lot of society will not like. Law enforcement has to tread a fine line where they prohibit bad actors from doing bad things so that society can live and prosper while at the same time not doing stasi-like stuff that will suffocate and control society. This issue and others like it are not black and white, both sides have valid points and tipping completely to either end of the spectrum completely doesn't seem like the best route. Their actions in this case don't seem too stasi-like to me.
https://www.zdnet.com/article/a-mysterious-grey-hat-is-patch...
Do you mean Max Butler, who was given jail-time after deciding to not be an undercover FBI informant FBI anymore?
https://www.securityfocus.com/news/203
https://en.wikipedia.org/wiki/Max_Butler
> Butler is currently incarcerated at FCI Victorville Medium 2 in California, he expected to be released April 14, 2021.
Though it sounds like the sort of things he did involved a lot of carding and other kinda severely shitty behaviour.
But, why does the FBI have to do this?
Why does a federal agency have to remove a software virus from private servers? There are private companies that can do this.
The theory goes, that guy is breaking the law, and it's hurting my business, but since it's low priority for the government, I'm going to start a private enforcement action. Both very ingenuous and scary at the same time.
So, have you got it yet. In the interests of state security, security on your computer has been so diluted that anyone and his dog can get access to your so-called confidential records.
I assume that a more extreme step would be to notify the ISPs that serve specific IPs to cut them off. But that would break a lot of other things.
The search order is set-up by a redacted URL, so we can't confirm if the servers are actually in USA. Maybe a few of these are a little bit out of FBI jurisdiction. Nobody will be allowed to check their work.
The court order begins the path of setting a legal precedent for the next time a system is determined to need "FBI patching."
lots of discussion over here: https://news.ycombinator.com/item?id=26800481