Ask HN: Are there recorded instances of people being framed through hacking?
I don't believe I'm a person of interest to anyone, however I imagine some people are. With the hacking capabilities of government and organisations, would planting incriminating material on somebody's computer be trivial?
131 comments
[ 2.7 ms ] story [ 191 ms ] threadI do believe so. Twenty years ago as an curious teen it was easy for me to penetrate various systems and to dox people. Now the security is better but also the attack vectors and tools evolved.
If we aren't talking about oranizations with good security practices or paranoid individuals, it won't take a large organization to break in a target. A good prepared hacker could do it. Maybe not in a few hours or days, but in some time it is doable if that person is sufficiently knowledgeable and determined.
But we have to ask what for? Nobody is going to hack your personal system without having nothing to gain. And even if he has something to gain, the prior condition is for him to know this.
I do have people I dislike, and yet I don't hack in their systems to plant false evidences.
My point is this: There is no defense against 0-day/X-day exploits in the wild. But the second best thing against being patched is logging and properly tuned alerting. In my 20-ish years of working in this field I've caught half a dozen attackers/intruders via logs and anomaly alerts. Without those 2nd best things in place the entire network(s) would probably have been compromised.
Cheers.
Journalists and political activists were always targets of violence
Simply seize some devices and place the incriminating evidence on them. Or just place a device with incriminating evidence among other seized evidence. Crime shows make you think every item is individually serialized and bagged or whatever but in reality they're just going to make a bag labelled "15 SD cards and 6 USB sticks". Stuff like hard drives is just going to be "hard drive #6" in the log. Just swap the stickers, easy as pie. You think evidence is stored securely? Secure is expensive, and it's all stuff of guilty people anyway (otherwise it wouldn't be seized).
For weeks, headlines across the country talked about how she was "trapped" in her car "for hours". She was "terrified"! Protesters were brought up on serious criminal charges over this incident of "kidnapping" and "forceful detention".
High ranking police-people testified on the stand that her car was unable to leave the area due to the protesters, for hours.
Then, it came out - leaked on social media - that video footage from multiple angles proved beyond doubt that the incident had been completely overblown.
In fact, she could have left at any time, with plenty of space behind her car. All those police sergeants and the Tánaiste herself were lying out of their teeth.
The response from Irish media was to try and put restrictions on social media. They ignored the story for a while, then a few years later printed stories about her "recalling her trauma" at the protest.
So yeah. This was a high profile incident with an entire country watching - imagine what they do when the accused is 'just some professor or journalist or whatever'.
It's indeed stupid how the Irish media are obeying the government's spin though.
You've reminded me about what happened to Maurice McCabe though.
Summing up from memory: he gave detailed evidence about widespread systematic corruption at the highest levels and below in the Irish police.
Shortly after, he was accused of stealing a pedo priest's hard drive from evidence. Accusations, later found completely untrue, were made by a garda of him doing bad things to young people.
Shortly after, a "copy and paste error" in a Tusla (Irish child services) database accused him of molesting a Garda's underage daughter at a birthday party.
After a huge fight involving many years of horrific struggle, multiple Garda Commissioners and a Minister for Justice resigned over the series of incidents. McCabe received a 5 million euro settlement. But for many years, the vast majority of the Irish media refused to touch his story; and even after it all came out they continued to report on it in the most twisted way possible. For example, they never mention, when discussing the "copy paste error", that this was in fact the third attempt to smear McCabe in this way.
(A brief timeline of the saga: https://www.irishexaminer.com/news/arid-20442857.html)
Stupid isn't the word you're looking for - it's 'complicit'.
And trying to make a show highlighting the dark side of policing would be close to impossible these days. Movie shooting relies a lot on the police for things like crowd and traffic control, and even for using real cops and equipment in some scenes. The police can make it very hard to continue effectively. It's the same story as with the Pentagon and military themed movies [0][1].
[0] https://news.ycombinator.com/item?id=29835933
[1] https://news.ycombinator.com/item?id=22590378
In principle, yes, xkcd brings up a valid point. And it's not entirely sound. The entire point of hacking is to not have to get your hands dirty, figuratively speaking, and to obtain far more opportunities for exploitation than what might be had by drugging and torturing someone. After all, one could physically beat a single password out of someone to and find that said password has no value, all while putting one's self at risk of being targeted for committing crimes against humanity. If a password obtained through hacking leads to nothing, it's entirely possible no one will ever know you had it or bother coming after you.
And in this particular subject, placing material on stolen physical media carries a greater risk of being traced back to you than if a purely digital exploit was taken advantage of. It comes with less plausible deniability and a greater risk of getting caught in the act IRL.
In one case the suspect was innocent and no evidence was planted to try to convict. (The daughter of the woman who made the initial report admitted several months later that her mom had made the report up in order to bolster her child custody case- there were no consequences for the woman who made the false report...)
In the other case, the suspect admitted guilt forthrightly.
Now, I can't say what the norm is across the country/world, just my own experience with the system.
The principal activity of higher level spooks and investigators is coercing people. Even when they don't have anything on the coercee, they can have, or claim to have, things on someone one cares about: a spouse, parent, sibling. Spooks are mainly supposed to coerce information delivery. Cops are supposed to coerce confessions and (if necessary, false) testimony.
They may choose to coerce other things, of course, of less interest to their employers. Sociopaths love these jobs.
Not really. IMHO, it's pretty common impulse try to apologize when caught doing something in order to get less punishment. An apology is often effectively a confession.
> The principal activity of higher level spooks and investigators is coercing people...
So? Even if there are people who do stuff like that, it's a tiny fraction of cases like this.
Yes. I'm just saying bringing up spies in this case is a distraction. Unless you have some compelling evidence to say it's spies, it's not spies. Your looking for the exotic when the mundane is far, far more likely.
> In Wilson’s case, a piece of malware known as NetWire had added 32 files to a folder of the computer’s hard drive, including a letter in which Wilson appeared to be conspiring with a banned Maoist group to assassinate Indian prime minister Narendra Modi.
[1] https://www.washingtonpost.com/world/2021/07/20/indian-activ...
[2] https://www.wired.com/story/modified-elephant-planted-eviden...
Supposedly he had foolishly exposed all the passwords of his phone and online accounts so they could freely find anything they liked, or that had been planted. And the unit he worked in was, IIRC, coincidentally exactly involved in cracking security on accounts, and somebody else he had worked with, there, had developed an antipathy toward him, to the point that he had filed an HR case expressing fear for his own safety.
That a top-level security expert would have left all his own passwords exposed was transparently ludicrous, and the author and jury should both have been deeply suspicious of any evidence claimed to come from it, but seemed entirely oblivious.
It is just possible the jury saw evidence not derived from online records. But I doubt it.
Not quite. Some experts apply all their own expertise to themselves, others are more lackluster about their own opsec because they 'know what they are doing' or 'this isn't anything important'. Never underestimate human laziness.
I work in IT security and I see the full range of total disinterest to full tinfoil hat mode in this environment when it comes to people's own resources.
Also, it depends on people's area of expertise. Most of our networking security specialists are running segmented VLANs and IDS at home, and WPA3 with all the trimmings. The Windows AD security guys would just have whatever router the provider provides and sometimes don't even change the provided wifi password (which in many cases is algorithm-generated based on the MAC address or something!), but their windows workstations would be top-notch secured.
It's kind of bizarre.
He spread a lot of FUD in his defence though, so if you don't pay attention and bother to read the court transcripts you'll walk away with the opinion you have.
For the record, he was barely computer literate-- they made their living writing programs that basically just inject DLLs and copy files. I'm probably being a little untruthful calling him border-line computer illiterate, he has a bachelors in CS or similar, but he was just a basic programmer and not some sort of super hacker or exquisite computer all-star.
https://www.newyorker.com/magazine/2022/06/13/the-surreal-ca...
Do I have proof the evidence was all fabricated? No. But there is no denying the case stinks.
https://techland.time.com/2011/07/14/man-hacks-into-neighbor...
https://www.wired.com/2011/07/hacking-neighbor-from-hell/
"Bukovsky, who was expelled from the Soviet Union in 1976, told detectives he had indecent material, the court heard. “He [Bukovsky] responded immediately by saying he did download images and that they would be on the computer in his study,” Carter said.
The police subsequently discovered “a very great deal of material” on two hard drives. It showed some “very young” children up to the ages of 12 and 13. They were “largely but by no means exclusively boys”, the court was told. There were some adults involved.
In an interview, Bukovsky told detectives he had become interested in child abuse images in the 1990s in the context of a debate on the control and censorship of the internet. “He became curious,” Carter said. Bukovsky then looked for and discovered this material online, the prosecutor said.
“Bukovsky said his initial curiosity turned into a hobby, rather like stamp collecting,” Carter said. The dissident continued to download images between 1999 and 2014, and estimated that he had accumulated a collection of “1,500 movies”. His interest varied year by year. The last downloads took place days before his arrest.
“His computer was looking for material constantly,” Carter told the jury. “Mr Bukovsky said in essence he didn’t see what harm he was doing. He said the children in most of the material looked as if they were enjoying themselves.”
The prosecution acknowledged that Bukovsky was a notable Kremlin critic seen as a hero by those who supported “the extension of human rights and democratic reform in Russia”.
“There was unfortunately another side to this man, which was far from laudable: an extensive interest in real children being really abused,” Carter said."
https://www.theguardian.com/uk-news/2016/dec/12/soviet-dissi...
This happened because a bunch of people had been defacing Australian government websites with messages from "Aush0k, the leader of lulzsec" in order to mess with him.
Those mean hackers even defaced MIT.edu with his name (https://news.ycombinator.com/item?id=5098218)
Flannery was later found guilty of some computer crimes, but not the ones for which he was initially jailed.
However, nobody would "frame" someone for deception's sake. There's gotta be an underlying motive. If the deception works to achieve that goal (or even 90% of it) I'd say its pretty successful.
I agree it's a weird gray area though and you're correct that a "perfect framing" would never be found out.
That is true, but also anyone (With the usual exception of "untouchable" state agencies) who is found out to be framing someone, can expect to be prosecuted, regardless of if their frame was found before the intended damage was done, or after.
"Perverting the Course of Justice" is a serious crime, and a frame qualifies as such: https://www.stoneking.co.uk/literature/e-bulletins/pervertin...
Even murders have less than a 50% clearance rate.
What you must have meant is that most people would not.
I have known people who certainly would, even without any antipathy toward the person framed, just because they could. Stir in a trace of resentment, and they would go out of their way to do it.
Maybe you have heard of Alex Jones, Roger Stone, or Steve Bannon? They have ardent fans.
I don't see even them going "oh, today I'll try to incriminate a random person" lol.
Their actions bring them notoriety.
("Ratfucking" here is a technical term in politics.)
If someone in a corporate setting gained a position by framing a rival, and it was then found out, there's a "wrongful termination" lawsuit against the company waiting to happen. Why would HR let the culprit continue in that position? Getting fired for malfeasance is IMHO not exactly "success".
This is only a _risk_ not a certainty for the criminal who does it, but being found out does matter.
In these situations, the person that filled the role is not guilty of anything.
In some countries you are strongly obligated to make contact with illegal images know to the authorities. Failing to do so is punishable.
Such an attack is as trivial, as annomously sending illegal material to the target, depending on the country. There are thousand of cases of minors sending nudes and causing legal investigations. You find articles of parents sending pictures to doctors and being banned from online services, which are known.
Other social attacks, such as giving out free USB sticks with incriminating material are thinkable. Allthoug I am not aware of this being proven to have happened, one can find cases where people used this as a defense.
People providing free uncensored internet by running a Tor node are known to have lots of legal troubles because of it, with different severity depending on the country. Even making it to no flight lists.
Illegal pictures might not be viewed by the public. A government could just claim they found them on your device and may have a way to exclude them to be viewn by anyone. So an individual may have to start a defense from the fact that illegal material has been found on a device, without a chance to ever see the image. Again depending on the country and legal system, there might not even be a need for those illegal pictures to actually exist. Here a document from a governmental entity suffices.
A similar variation popular on Reddit is sock-puppeting illegal/forbidden material faster than the moderators can deal with it, and then get the admins to shut it down.
Any examples?
I strongly suspect this is a myth akin to the common reddit copypasta supposed to trigger Chinese filters (and that one is way more likely to work, at least it’s HTTP traffic).
But there's someone on Reddit complaining about the same thing at the same time period.[1] NSFW words (not pictures) in the link
[1] https://www.reddit.com/r/playrust/comments/3jdjdc/can_we_tal...
Here the answer is: yes. People demonstrably SWAT others in online games. Victims have actually died from this. Yet it continues to happen.
So since the more extreme case - do people trigger police visits to other player's houses, knowing they may die? - is true, the milder case of triggering automatic censorship seems very likely to be true also.
The method was explained in detail and concerned the source engine for this exploit. When I search the web for it, I only find articles of the game being banned in China, this feature being removed and then coming back as a monetized feature.
Also searching for this felt extremely sparse.
Maybe you are right and this never happened and it is just some clever internet hoax. The insta ban thing seems far fetched.
But I am certain this was used to troll, protest and circumvent censorship with gusto and must have had some consequences.
Link: https://www.reddit.com/r/copypasta/comments/plso8p/how_to_di...
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H\*
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTPHISH-STANDARD-ANTI-PHISH-TEST-EMAIL*C.34X
Here's a link to what I see: https://i.imgur.com/vaZJq4b.png
Do you have any evidence of this?
[1] https://en.wikipedia.org/wiki/Swatting
Make it look like a game or something but copy incriminating stuff in the background. Then "tip" the authorities a year later, the person would probably forget all about it.
If it's too soon they might still have the USB stick. No idea if that would pose an issue tho.
I dunno tho. Not a cyber security guy or lawyer, but interesting "problem" to think about, haha.
Not really, if you manage to autorun arbitrary code from it (which is more difficult on the latest OSes), you can also make it wipe itself or something. It's hard to completely wipe USB sticks because of write leveling but a few rewrites should do it. Cheap sticks don't have much spare capacity.
In fact if you're really good you can even trick the controller to hide or wipe it somehow. After all you're supplying the hardware so you're in full control of everything.
I mean, say they found corporate secrets on your computer. You say "no idea how they got here but look at this weird USB." Would they be able to see that a small USB sized package was delivered on the day the victim claimed? Would they even look that far, etc, etc.
Thanks for providing some answers on the technical side though. That's def a thought too. I mean, seems you could be screwed if you're dealing with someone smart if you're being careless.
> In 1999, NetBus was used to plant child pornography on the work computer of a law scholar at Lund University. The 3,500 images were discovered by system administrators, and the law scholar was assumed to have downloaded them knowingly. He lost his research position at the faculty, and following the publication of his name fled the country and had to seek professional medical care to cope with the stress. He was acquitted from criminal charges in late 2004, as a court found that NetBus had been used to control his computer.
https://en.wikipedia.org/wiki/NetBus
It's as if bad news and boogie monsters sell better than "we reported incorrectly" I know, but still.
https://www.deccanchronicle.com/technology/in-other-news/120...
To this one that seemed to have been a scam
https://thehill.com/homenews/media/477482-paul-krugman-my-co...
Just to be clear. I don’t mean that Krugman was lying and he was actually downloading child porn and he was trying to cover his tracks. I mean that someone fooled him into thinking that he had been hacked. To make it more clear. There was no indication that Krugman ever had child porn on his computer that either he downloaded or that he was hacked.
[0] https://www.businessinsider.com/details-on-the-wild-allegati...
I had gathered that HSBC, in particular, was (in the past, and maybe still?) the favored financial conduit of CIA projects, making investigating anything there what is called a "career-limiting activity" for any incautious FBI agent.
https://krebsonsecurity.com/2019/09/interview-with-the-guy-w...
[1] https://www.wired.com/2011/07/hacking-neighbor-from-hell/
Anyway, people have been fired because a coworker received a forged harassing email, and IT found the message in the true victim's sent box.
Not really hacking, but, unlike every other mail client, GMail BCC (blind carbon copy) displays the BCC list to every recipient. This has caused significant trouble for people too.
Examples: Send carefully worded response to harassing coworker, and BCC HR. Coworker sees the BCC, gets further bent out of shape. Alternatively, sales person BCCs some corporate VP or legal or other person the customer is not supposed to know about.
As they say, if you are not paying, you are the product.
Uhhhh... no it doesn't.
Do you mean if Smith was in TO field, Tom in CC, John in BCC, all these will be true?
Smith & Tom should be able to see Smith as TO & Tom as CC. Both of them should not see John as BCC.
John should be able to see all,TO, CC & BCC.
This wasn't "recorded" because the victim is a very private person; but I was part of a team that caught the prosecution in a little podunk town attempting to either interfere or plant evidence on a server DURING trial.
We absolutely caught them red-handed. Perhaps it could have been made into a bigger issue, but it's kind of like, it's a small town no one cares about -- the judge is obviously one of "them"," and the victim REALLY doesn't want to be caught up in big news stuff, so we're all opting to be quiet about it.