FBI Returns Seized Devices to EFF Client (eff.org)
142 points by DiabloD3 on Nov 8, 2015 | 57 comments

I am always amazed at the authorities' reaction to this. In the entire history of modern communications has a terrorist ever announced publicly and in advance that he/she/they are now going to go out to place "xyz" at time "nn:nn" and do "some despicable act", so please come arrest me?

There are examples, of course, of warnings about planted explosives etc. (the IRA did this all the time), but these never included an invitation to apprehend the actual culprit; they were terror tactics in their own right.

It doesn't matter. Authorities (at least their managers/directors) think in terms of PR/damage control and risk. The fallout if they did nothing and something happened (maybe even just a reporter reporting that the tweet was ignored by the FBI) would be enormous. Much, much worse than the fallout that occurs for "overreacting".

And once they've reacted it's very hard to admit they are wrong or ever let go (as in they are unwilling to accept PR/blame). Just to avoid the .001% chance of headline "FBI had perpetrator in custody but let him go!"

Sadly, the public is an ignorant, fickle, short-sighted lynch mob. Public-facing organizations are (have to be) driven by risk mitigation rather than by being effective.

The details remain secret, but Irish terrorists often gave warnings of their bombings in Britain and Ireland.

Examples: https://en.wikipedia.org/wiki/Real_Irish_Republican_Army and https://en.wikipedia.org/wiki/Chronology_of_Provisional_Iris...

My hometown is mentioned, there was a successful bombing; so when a secondary school student made a bomb threat from a public telephone it was taken seriously. I was only 10 years old at the time, so beyond the evacuation of the school and surrounding buildings I don't recall any more details.

The recent Oregon school shooter did that.

Is there any easy way to determine if the equipment can be trusted?

Does anyone offer services in this area and how much would it cost him?

A security researcher obviously can't trust those devices anymore.

If I were him I would sell them and buy new ones.

I saw a talk by him this year.

He would not sell these devices. He would be someone who feeds false information into them to screw with people that are on the other end, and laugh manically while doing so.

What better way to feed false information into a computer than giving it to someone else?

In all honesty, I think a security researcher would be more curious figuring out what they did.

You make a valid point. Trying to find what they did would be valuable to find what kinds of tactics the FBI and such use.

Maybe I have an overactive conscience, but I'd feel kind of wrong about selling without disclosing that I had good reason to believe it was compromised (a serious, unfixable, almost-invisible defect), and probably nobody would buy if I told them that.

Agreed. This would be similar to knowingly selling a defective device, only much worse.

But another thought that crosses my mind is that future disclosures and research may give him new insight to inspect the equipment and try to understand the extent of potential compromise. I would replace it but then hold onto it forever. Twenty years from now, the parts could be a goldmine for documenting what will surely be a historically significant time in the world of surveillance and privacy.

More likely people would pay more for a device with a confirmed FBI/CIA/NSA implant.

Why do you assume the equipment was trustworthy prior to seizure?

If the FBI had (remote) access to the machine prior to seizing it why would they need to seize it?

If they did have that capability they might seize the equipment to maintain the illusion that they did not.

The Allied forces did this during the Second World War. They could not admit that German encryption had been cracked, so if their only source of knowledge about an event was through the breaking of encryption, they would not act on it, even if, by doing so, large numbers of civilians would die, because in the long run far more would be saved by bringing the war to a quicker end.

That's an interesting analogy, but I think that it's not the right one here. Surely the proper analogue would be if the FBI had derived information from their remote infiltration but didn't act on it, rather than if they seized the computer to pretend that they didn't have remote access to it?

keyword: parallel construction

Is this the guy who claimed he hacked into an engine control computer via the in-flight entertainment system network?

So is this evidence that he didn't actually do that, or just that the FBI was unable to decrypt or otherwise get anything useful from his devices?

Part 1) Yes

Part 2) I don't know

Part 1) This is according merely to an FBI affidavit [1] applying for a search warrant, much less a charge or conviction. Roberts has claimed he was misrepresented, albeit understandably coyly [2]. "Yes" is an uncritical answer.

[1] http://www.wired.com/wp-content/uploads/2015/05/Chris-Robert...

[2] http://www.slideshare.net/EC-Council/a-funny-thing-happened-... (slide 10; apropos nothing, this was a very boring and actually mildly annoying talk)

Given the current security climate, if that were my stolen gear, I'd treat it all as suspect and burn the lot in a barrel.

There's no telling who's done what to it or what kind of nasties are now in the firmware.

Given the non-trivial value of his equipment (the MacBook Pro alone was probably >$1500), a slightly more constructive use might be to donate it to an organization that can use it in a non-sensitive environment (e.g., a school that could give it to a student).

Sure, the equipment might not be trustworthy in a secure environment, but I highly doubt that anyone would really be interested in a high schooler doing his/her CS homework on it.

Even if the high schooler is dealing drugs to his classmates?

I'm sure someone like Kaspersky Labs would be more than welcome to buy his stuff at market value.

At the same time I wonder if crazy US agencies wouldn't call for treason charges after Kaspersky's discovery of an implant, or even before, or even claim his equipment is federal property now, like in the case of GPS trackers.

Can there be treason if they sell it to a non-USA security research company?

>Can there be treason if they sell it to a non-USA security research company?

I'm going to say "yes", since it seems that simple accusations of treason are enough to declare, say, a whistle-blower to be a traitor.

In the end, you're effectively a traitor when someone with sufficient power says you are.

But if it is treason, wouldn’t it be an open admission that the device was tampered with?

If he's a security researcher, he might actually appreciate samples of real government spyware to research.

I saw a talk by him this year.

He will probably be happy to receive this gear back to begin messing with people potentially on the other end. I wish I could find the video, it was a recorded talk.

I think you are overestimating both the ability and the budget of the FBI.

The FBI are a government agency, with some funds, and they had physical access to the devices, for some time.

The devices absolutely cannot be trusted.

Whether a person cares about trusting the FBI or not (or thinks they're happy with just flashing the firmware and replacing the harddrives) is another thing.

I think you overestimate how hard it is to add spyware to a system. Especially if said system is not a unique design. And things like SMM make it really easy to hide this stuff.

E.g., I would trash the computer because you really cannot be sure what was done to it.

The FBI's abilities do not end with them. There is a host of three-letter government agencies they can get (and have gotten) assistance from.

But, in this case, I seriously doubt this guy is worth the trouble... Unless the government knows more about him than we do (e.g. he sells stolen intel to the highest bidder).

The question is if any of that equipment can still be trusted.

It'd be interesting to closely examine that equipment now (look for intrusions, take firmware dumps, etc.). Especially any outlier chips, like the radio. Maybe he can get Apple to help :-)

Why trust it when you can sell it to someone else and buy equivalent equipment?

Then the FBI will be knocking down someone else's door.

Inspect it for hardware modifications, and, assuming there are none, perform a factory reset and you're good.

The amount of engineering the Feds would have to do to ensure a hack evades those two safeguards is prohibitive.

If they've already done the engineering it's not a big cost.

For all we know, this kind of thing is nearly COTS in the FBI/NSA/CIA/TLA world. The question becomes: do they let one of their toys fall directly into the hands of a security researcher?

They would be stupid to do that. On the other hand, some agencies better than others . . .

They would have to do it for all commercially-available devices. Why would they pick the one device you have to compromise and leave out all the others? You'd need a special government department with maybe a hundred employees taking every device coming out commercially and figuring out durable, undetectable compromises, where it's not even a given that it's really possible to do so on them.

If you're insinuating they do this already, then don't you think that would have been the very first bomb dropped by Snowden? Snowden had access to everything. You don't spin up a department like that overnight, it takes years before the department will work well enough to rely on in different situations.

Snowden very much did release information about model standardized intrusion techniques based around firmware exploitation with physical access.

Obviously they investigated it. But there's a big difference between exploring how it could be done and actually producing and distributing real exploits that could be used by Joe Shmoe, federal agent.

This is dangerously misleading advice; firmware exploits are known to exist and have been used by the USG on targets of interest.

Reset the firmware too.

Also, just because they have people that can compromise individual devices in the context of a field operation doesn't mean those people are available for regular law enforcement ops, any more than you could get an NFL coach to head up your son's kiddie league team. The scale of engineering is totally different.

How do you propose knowing the firmware is reset? The firmware tells you?
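One way to answer that question without asking the firmware, as an added example that is not from the thread or from any of the commenters: read the SPI flash with an external programmer (so the code under test never runs), then compare the dump byte for byte against a reference image you trusted before the device changed hands, and allow only the regions that are expected to vary (NVRAM, variable store) to differ. The 64 KiB image size, the region offsets and both images below are constructed for the demonstration and are hypothetical; a real layout comes from the vendor's flash descriptor and documentation.

```python
"""Region-aware comparison of a firmware flash dump against a reference image.

Added example (not from the thread). Assumptions, all hypothetical:
  * a 64 KiB SPI flash image;
  * bytes 0x1000-0x1FFF are an NVRAM/variable store that legitimately
    changes from machine to machine;
  * the reference image is a vendor-published (or pre-seizure) image
    whose hash you trusted before the device changed hands;
  * the dump was read with an external programmer, so it reflects the
    chip contents rather than what resident firmware reports.
"""
import hashlib
from typing import Dict, List, Tuple

IMAGE_SIZE = 0x10000  # hypothetical 64 KiB flash part

Run = Tuple[int, int]

# [start, end) ranges allowed to differ.  Anything outside them is code or
# configuration that a factory reset is *not* expected to touch.
VARIABLE_REGIONS: List[Run] = [(0x1000, 0x2000)]


def sha256_hex(data: bytes) -> str:
    """Whole-image digest: fine for a pristine image, too coarse for a live one."""
    return hashlib.sha256(data).hexdigest()


def differing_runs(reference: bytes, dump: bytes) -> List[Run]:
    """Return [start, end) ranges where dump differs from reference.

    Images of unequal size are rejected outright: a resized flash image is
    itself a finding, not something to diff around.
    """
    if len(reference) != len(dump):
        raise ValueError(f"image sizes differ: {len(reference)} vs {len(dump)}")
    runs: List[Run] = []
    start = None
    for offset, (want, got) in enumerate(zip(reference, dump)):
        if want != got:
            if start is None:
                start = offset
        elif start is not None:
            runs.append((start, offset))
            start = None
    if start is not None:
        runs.append((start, len(reference)))
    return runs


def inside_allowed_region(run: Run, regions: List[Run]) -> bool:
    """True only if the whole run lies within a single allowed region."""
    start, end = run
    return any(lo <= start and end <= hi for lo, hi in regions)


def verify_dump(reference: bytes, dump: bytes,
                regions: List[Run] = VARIABLE_REGIONS) -> Dict[str, object]:
    """Compare a dump to a reference and classify every differing run."""
    runs = differing_runs(reference, dump)
    unexplained = [r for r in runs if not inside_allowed_region(r, regions)]
    return {
        "whole_image_hash_matches": sha256_hex(reference) == sha256_hex(dump),
        "differing_runs": runs,
        "unexplained_runs": unexplained,
        # Trust only when every difference is accounted for by a variable region.
        "trusted": not unexplained,
    }


def make_sample_images() -> Tuple[bytes, bytes]:
    """Constructed test data: a synthetic reference and a tampered dump."""
    reference = bytes((i * 7 + 3) & 0xFF for i in range(IMAGE_SIZE))
    dump = bytearray(reference)
    # Expected: the NVRAM store was rewritten (inside VARIABLE_REGIONS).
    for i in range(0x1000, 0x1100):
        dump[i] ^= 0x5A
    # Unexplained: 16 bytes patched in the code region at 0x8000.
    for i in range(0x8000, 0x8010):
        dump[i] ^= 0x5A
    return reference, bytes(dump)


if __name__ == "__main__":
    ref, dmp = make_sample_images()
    report = verify_dump(ref, dmp)
    print("whole-image hash matches:", report["whole_image_hash_matches"])
    for lo, hi in report["differing_runs"]:
        tag = "expected" if inside_allowed_region((lo, hi), VARIABLE_REGIONS) else "UNEXPLAINED"
        print(f"  {lo:#08x}-{hi:#08x}  {tag}")
    print("trusted:", report["trusted"])
```

A whole-image hash fails on almost any machine that has booted, because the variable store differs, so the comparison has to be region-aware; but the allow-list must be narrow, and every run outside it is treated as unexplained rather than benign. The technique says nothing about chips other than the one you dumped (embedded controller, drive controller, radio), each of which needs its own dump and reference.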

Documents have shown the NSA takes active interest in privacy and security advocacy groups, the EFF sounds right in their ballpark.

Agreed; people overestimate the technological expertise of the U.S. Govt. -- in my anecdotal experience they're laughably behind.

Isn't that what we thought before Snowden showed us the NSA reprogramming firmware? I know that I said it was being blown out of proportion when the Snowden leaks started, and boy was I wrong.

Snowden showed us that the Five Eyes countries are actively producing and marketing, in their own secret organizations with secret, anti-democratic agreements, massive-scale spy and intrusion technologies. Anti-democratic, freedom-defeating agreements for the purpose of total information control over human civilization.

Massive-scale, actually: full-spectrum.

There are no aspects of modern technology infrastructure that are off the table in these realms: all systems are targets. Planet-wide.

So, it's not just that the NSA will be reprogramming firmware or putting key sniffers in your MacBook or writing 0-day exploits. It's that they'll listen to everything, anywhere along the wire, as they see fit.

Even the things Snowden revealed required various industries to cooperate with the NSA. They weren't doing it on their own. Most portions of it were even designed and maintained by contractors! The people that work for these agencies are not savants... The people who work for the contractors, however... They're terrifying. The NSA, FBI, etc. are red herrings -- look at MITRE, Booz Allen (consulting), etc.

I would assume it all depends on who in the government touched it. "The government" is a lot of people that don't share much expertise. Some of them have shown a lot of expertise however, and a will to use it maliciously.

"Behind" would assume there's someone else out there that's ahead. The state of the art of device security just isn't there yet for these kinds of compromises to be available to just any cop or agency.

Now, assuredly there's people out there that support field operations that could study the individual device and then exploit it given X number of days. To go from there to assume that USG can undetectably compromise most, or even a large enough subset of devices, is paranoid. The scale of that problem is much larger.

USG focuses on backdooring crypto for this reason. Much easier to compromise a few algorithms than it is to backdoor every device.

Actually being ignorant of the reality - which is that the upper echelon of "the US Gov't/MilComplex" has had capabilities far, far in advance of modern civil technology, for long enough now that it is a principle governor of the scene - is also one way that the condition persists.

Fact: NSA et al. have a complete catalog of devices they can easily implant in any consumer/corporate/civil/military computing device. There is a veritable market within these spook agencies, as customers of each other, such that reaching for a phone-book-sized volume of catalogs is where the implant selection process starts.

There is also much evidence that our CPUs are designed for intrusion in the first place. This is the scarier scenario: it doesn't matter how secret you think you are; if you didn't make your own CPU, there's a back door.

Not only have tweets become news, they've become evidence of crimes. Law enforcement and newsgathering both have been reduced to searching for 140-character wisecracks and following the wisecrackers.

Why would a serious person, especially a security researcher, write a tweet except to manipulate the press or law enforcement?

How about a little white-hat opsec and infosec?

1. The tweet wasn't news, his arrest was news.
2. The tweet wasn't evidence for a crime, it was evidence that a warrant was justified, and other evidence included a supposed admission to the FBI. See http://www.wired.com/wp-content/uploads/2015/05/Chris-Robert...

I wonder if you could play two gov agencies against each other: Dear IRS, I can't fill out the tax form because the FBI seized all my electronic equipment which contained relevant information. FBI's response to IRS's inquiry to return the devices: We lost them (alternative: we managed to destroy all data contained on them; pick one depending on how much you believe in Hanlon's razor). The hypothetical me to IRS: I'm not paying any taxes until you guys figure that shit out lol.

While funny, I think that this falls into the trap of believing that the various bits of the government must operate robotically according to strict, logical principles. There are humans in the system who, for better or worse, can act according to what they perceive as the spirit, rather than the letter, of the law.

Is the EFF Client Chris Roberts, the game developer of Star Citizen?
