
Lawyer representing whistle blowers finds malware on drive supplied by cops - aestetix
http://arstechnica.com/security/2015/04/lawyer-representing-whistle-blowers-finds-malware-on-drive-supplied-by-cops/
======
hurin
_"The allegations submitted for review appear to be limited to misdemeanor
violations which do not rise to a threshold for assigning a case to the CID
Special Investigations Unit," the commander of the CID wrote in a September 29
letter declining the request._

I guess felony hacking charges are only for teenagers changing desktop
backgrounds.

~~~
rsync
When crimes are committed by law enforcement, the penalties should be higher
than for non-LEO.

~~~
winter_blue
That would be ideal and would hold LEOs to higher standard, but in reality,
the exact opposite happens.

~~~
spiritplumber
I wonder if codifying this in law specifically would counteract what happens
in reality (DA's operating by creationist logic when the perp is of Blue
ethnicity).

------
joshuak
It seems from what I've read that this event goes to `chain of custody`, and
by necessity invalidates ALL digital evidence for EVERY case handled by this
police office unless provenance can be reliably established beyond _all_
doubt, and that provenance can be proven not to affect 'original' copies in
this or other cases.

It is a catastrophic failure of procedure, that invalidates this, and possibly
all copies of this evidence causing it to be judged inadmissible.

From wikipedia[1]: When evidence can be used in court to convict persons of
crimes, it must be handled in a scrupulously careful manner to prevent
tampering or contamination. The idea behind recording the chain of custody is
to establish that the alleged evidence is in fact related to the alleged
crime, rather than having, for example, been “planted” fraudulently to make
someone appear guilty.

Regarding other comments in this thread about law enforcement being held to a
higher standard, they would be. The higher standard is that when they fail to
follow proper procedure like this, the effect is the evidence (and often the
entire case) is summarily dismissed, and the defendant cannot be tried again
for the same crime. The entire US legal system has this built-in bias. Whereas
a defendant in a similar position of supplying discovery documents would not
be held to the same standard risking summary judgment, and might be able to
provide replacement copies for discovery, and continue with the defense more
or less normally.

1:
[http://en.wikipedia.org/wiki/Chain_of_custody](http://en.wikipedia.org/wiki/Chain_of_custody)
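
One concrete way to establish the provenance the comment above talks about is a hash manifest recorded when the discovery copy is handed over and re-checked by whoever receives it. This is an added example, not code from the thread or from any party in the article; the file names in `demo()` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large evidence images never sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_copy(root, manifest):
    """Compare a received copy against the manifest recorded at hand-off.
    Anything listed as added, missing or modified breaks provenance."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in set(current) & set(manifest)
                           if current[p] != manifest[p]),
    }


def copy_is_clean(report):
    return not any(report.values())


def demo():
    """Constructed sample: record a manifest, then simulate a copy that picked
    up an extra file and an altered file between hand-off and receipt."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.pdf").write_bytes(b"discovery report body")
    (root / "bodycam.avi").write_bytes(b"\x00" * 4096)
    manifest = build_manifest(root)  # what both sides would sign at hand-off
    (root / "docs" / "report.pdf").write_bytes(b"discovery report body, altered")
    (root / "extra.exe").write_bytes(b"MZ placeholder, not a real program")
    return verify_copy(root, manifest)
```

Calling `demo()` returns the report for the constructed sample; in practice the manifest is written out (e.g. as JSON) and kept with the custody log rather than held in memory.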

------
readams
There are quite a few ways that this sort of software could be on the drive
without malicious intent by the police department. This article is pretty
light on details but it doesn't sound like anyone has actually examined these
drives to determine this.

Some possibilities:

* If the police computer was itself infected and the malware was trying to propagate

* The data was copied from a drive or computer that was infected

~~~
Nikker
If the malware came from the Police computers then wouldn't that likely taint
all the data supplied, to, well, everyone? Every defendant for at least the last
year will be taking a shot at this and why not?

~~~
fiatmoney
Ding ding.

There's really only 4 possibilities, and they're all significant.

1) PD is responsible, and intentionally infecting defense attorneys with
malware. Major obstruction of justice.

2) PD is responsible, and has been hacked. At a minimum, all their computer
evidence is tainted; who knows if someone has been using their access for ill
as well. Access to police DBs is useful for all sorts of nefarious purposes.

3) Defense attorney has faked the whole thing. Noteworthy in its own right;
defense attorneys are pretty used to losing as a matter of necessity so for
one to go on some kind of intentional crusade against the local PD, especially
in such a public and falsifiable way... No judge will sign off on criminal
sanctions here without a thorough investigation, so this is extremely unlikely
barring a psychotic break (which does happen now and again, it's a high-stress
job).

4) Defense attorney has been hacked. Who hacked him? Have any of his clients
been affected? Is someone, perhaps a technically sophisticated someone,
targeting defense attorneys?

~~~
stavrianos
That fourth one is the killer. Regardless of its truth or falsehood, it gives
everyone an out because none of the interesting consequences of the first
three have to happen.

Perhaps the proper move would have been to surveil the malware without
revealing that you know of it. Could prove/falsify #4, or implicate PD
conclusively if #1.

------
username223
"Never attribute to malice that which is adequately explained by stupidity."
My guess is that one of the police computers is infected, but it shouldn't be
too hard to install this malware on a VM and see where it phones home.

~~~
adventured
It's a worthless phrase unless you have some understanding of the likelihood
of malice based on whom you're dealing with.

If you're dealing with malicious people, then that phrase completely loses its
already low value.

------
joshuapants
Good thing they weren't complacent and they had the drive checked. It's
appalling that this came from a police department, but it could happen with
any drive someone gives you, accidentally or maliciously.

What's the best way to counteract this? Only plug foreign drives into a
dedicated computer, probably running Linux, so you can scan it and copy the
files you need before letting them touch other machines?

~~~
analog31
Nowadays I check any drive that's been out of my house, after my spouse
brought a virus home from her workplace. A dedicated Linux box, a quick
booting distro on a trusted flash drive, or even a Raspberry Pi can be used
for this purpose.

~~~
morganvachon
I would second the Raspberry Pi, it would be more or less immune to malware
that targets x86 land, even Linux based malware. Still, I'd not have it
connected to the network and I would wipe the Pi's SD card afterward, just to
be sure. Scripts can run on any architecture.

The Pi doesn't have a BIOS or EFI on board, it uses a special partition on the
SD card to POST from, so there's no worry of the device itself being infected.

~~~
nitrogen
_The Pi doesn't have a BIOS or EFI on board, it uses a special partition on
the SD card to POST from, so there's no worry of the device itself being
infected._

It _might_ be possible for a malicious script that gains root access to
replace the SD card firmware with something that looks clean on the Pi, but
delivers malware when some conditions are met.

~~~
morganvachon
Yep, which is why I said "I would wipe the Pi's SD card afterward, just to be
sure. Scripts can run on any architecture."

The SD card is not part of the RPi; there's nothing on the board itself that
is writable.

~~~
nitrogen
Wiping the SD card using standard disk tools would not affect the SD card's
firmware. SD cards are not dumb storage devices; they have built-in CPUs that
handle DRM, protocol interfacing, and wear leveling, possibly among other
things. That CPU has its own firmware, which might be reprogrammable by an
attacker that knows the right commands to send.

~~~
morganvachon
Fair enough, I didn't think about that. I guess if you were using a RPi for a
quarantine job like this, you would consider the SD cards as one time use
devices and destroy them after use. The RPi itself shouldn't be affected
though.

------
jqm
I'm having a hard time picturing a local police department in Arkansas having
the technical skills needed to make use of this malware. But maybe they paid
someone. Or it's a false flag. Who knows.

~~~
bob-2
That's assuming they're working alone for their own intent. Given how federal
government agencies are responding to FOIA requests to local police
departments regarding stingray operations, it wouldn't be completely
ridiculous to consider they had help/orders from federal agents. That's just
speculation, but it's possible.

------
calgoo
"the district doesn't have the technical resources to conduct such a probe"

I love how they don't have resources for this, but if the plaintiff happens to
speak some international language for which they don't have a translator, they
fly one in from wherever they are available and pay them huge amounts of money
for maybe 2 hours of work (I know it's a bit more complicated than that, but
it's still resources), but you can't dedicate a few thousand to verify how
the stuff got onto the hard drive.

[1] Corrected spelling etc: Need more coffee

~~~
mapt
So... The FBI might have such resources? A whole department of dirty cops
attempting to obstruct justice using cybercrime (their remit) being... a big
target.

Police officers take oaths to protect the public on behalf of the US federal &
state governments, and to uphold the Constitution. Breaking these oaths and
abusing the power they are granted for personal gain or to cover up things
that occurred on duty is, to be blunt, _treason_. It's easy to be a _bad_
police officer who deserves to be fired for egregious negligence or excessive
force or poor performance, but premeditated attempts to protect their own from
the justice system represent the worst sort of insurrection this country can
realistically face. I don't see why a terrorist or a Soviet spy should receive
one sentence, and an officer running a corrupt police department should
receive another: They are all trying to overthrow our functioning government.

Did that happen here? I don't have any idea. But when internal affairs ceases
to act aggressively to investigate this sort of thing, it casts the entire
department's fidelity into doubt.

------
anupshinde
"Says police department brass tried to infect him, seeks criminal sanctions."

First, the lawyer most likely found the malware via an anti-virus software and
did not detect a new malware specifically targeted to him. Second, the police
probably used the drive at an unsafe machine.

Is it only me who finds this illogical nonsense? It sounds like if I get a
"real world" infection like xyz flu - I have the right to seek criminal action
against the person who got me that infection.

~~~
Terr_
One big difference is that an innocent policeman infected with the flu is not
put under the secret mental domination of a criminal puppetmaster.

Even if you give the police the benefit of the doubt and assume zero malicious
intent, the fact that malware appeared on the drive suggests either:

(A) Mishandling of evidence by cycling it through an insecure/unofficial
system.

(B) Official systems have been pwned, and they are no longer trustworthy!

------
PebblesHD
hear fucking hear

EDIT: Ahh yes, downvoted for agreeing. Fantastic guys!

~~~
bhayden
To clarify, you probably got downvoted because it doesn't contribute anything.
We have upvotes for agreement.

~~~
Puts
I think it's a childish and nonacademic worldview if you think the only value
in another post is if you agree or not.

~~~
click170
Are they asking thought provoking questions or contributing new information or
insights, or is it a me-too comment? The latter does not really contribute to
the conversation.

------
rpo3po
At this point, there is absolutely no evidence, beyond the defense attorney's
claim, that the malicious software neither existed prior to him handing it
over to the police department, nor that it was installed after the fact, by
the defense attorney. It is just as likely that, in either of those
possibilities, this is a self-inflicted attempt by the defense attorney to
discredit the police. Arstechnica, and every comment that I've read, both
there and here on YC, reach conclusions based on a potentially, and
_just-as-likely-false_, premise: that the act of the software installation
occurred as a result of some action or inaction of the police. False premise =
potentially false conclusion. Brains, people, brains. Use them, please.

~~~
hurin
Maybe the Arstechnica article is biased towards the defense attorney's side of
the story - but I definitely don't see the primary issue here as being _law
enforcement officers installed said software_ (as you pointed out, this is yet
an unproven hypothesis - though quite a likely one perhaps). At least for me
the substantiated and proven issue is that the CID Special Investigations Unit
_refused to investigate whether such a thing occurred_.

> Brains, people, brains. Use them, please.

Adding insults to your comment does not make for a better discussion.

~~~
rpo3po
Is it an insult or a plea for reasoning? No, I have a Bachelor's degree in CJ,
but outside of that, if the primary issue is the determination to pursue
charges, then what happens if there are no actions which precipitate charges?

~~~
Crito
> _"Is it an insult or a plea for reasoning?"_

The former. Possibly also the latter, but definitely the former.

