I am always amazed at the authorities' reaction to this. In the entire history of modern communications, has a terrorist ever announced publicly and in advance that he/she/they are now going to go out to place "xyz" at time "nn:nn" and do "some despicable act", so please come arrest me?
There are examples of course of warnings about planted explosives etc. (the IRA did this all the time), but these never included an invitation to apprehend the actual culprit; rather, they were terror tactics in their own right.
It doesn't matter. Authorities (at least their managers/directors) think in terms of PR/damage control and risk. The fallout if they did nothing and something happened (maybe even just a reporter reporting that a tweet was ignored by the FBI) would be enormous. Much, much worse than the fallout that occurs for "overreacting".
And once they've reacted it's very hard to admit they are wrong or ever let go (as in they are unwilling to accept PR/blame). Just to avoid the .001% chance of headline "FBI had perpetrator in custody but let him go!"
Sadly, the public is an ignorant, fickle, short-sighted lynch mob. Public-facing organizations are (have to be) driven by risk mitigation rather than by being effective.
My hometown is mentioned; there was a successful bombing, so when a secondary school student made a bomb threat from a public telephone it was taken seriously. I was only 10 years old at the time, so beyond the evacuation of the school and surrounding buildings I don't recall any more details.
He would not sell these devices. He would be someone who feeds false information into them to screw with the people that are on the other end, and laugh maniacally while doing so.
Maybe I have an overactive conscience, but I'd feel kind of wrong about selling without disclosing that I had good reason to believe it was compromised (a serious, unfixable, almost-invisible defect), and probably nobody would buy if I told them that.
Agreed. This would be similar to knowingly selling a defective device, only much worse.
But another thought that crosses my mind is that future disclosures and research may give him new insight to inspect the equipment and try to understand the extent of potential compromise. I would replace it but then hold onto it forever. Twenty years from now, the parts could be a goldmine for documenting what will surely be a historically significant time in the world of surveillance and privacy.
If they did have that capability they might seize the equipment to maintain the illusion that they did not.
The Allied forces did this during the Second World War. They could not admit that German encryption had been cracked, so if their only source of knowledge about an event was through the breaking of encryption, they would not act on it - even if by doing so large numbers of civilians would die, because in the long run far more would be saved by bringing the war to a quicker end.
That's an interesting analogy, but I think that it's not the right one here. Surely the proper analogue would be if the FBI had derived information from their remote infiltration but didn't act on it, rather than if they seized the computer to pretend that they didn't have remote access to it?
Part 1) This is according merely to an FBI affidavit [1] applying for a search warrant, much less a charge or conviction. Roberts has claimed he was misrepresented, albeit understandably coyly [2]. "Yes" is an uncritical answer.
Given the non-trivial value of his equipment (the MacBook Pro alone was probably >$1500), a slightly more constructive use might be to donate it to an organization that can use it in a non-sensitive environment (e.g., a school that could give it to a student).
Sure, the equipment might not be trustworthy in a secure environment, but I highly doubt that anyone would really be interested in a high schooler doing his/her CS homework on it.
I'm sure someone like Kaspersky Labs would be more than welcome to buy his stuff at market value.
At the same time I wonder if crazy US agencies wouldn't call for treason charges after Kaspersky's discovery of an implant, or even before, or even claim his equipment is federal property now, like in the case of GPS trackers.
He will probably be happy to receive this gear back to begin messing with people potentially on the other end. I wish I could find the video, it was a recorded talk.
The FBI are a government agency, with some funds, and they had physical access to the devices, for some time.
The devices absolutely cannot be trusted.
Whether a person cares about trusting the FBI or not (or thinks they're happy with just flashing the firmware and replacing the harddrives) is another thing.
I think you overestimate how hard it is to add spyware to a system. Esp. if said system is not a unique design. And things like SMM make it really easy to hide this stuff.
E.g. I would trash the computer because you really cannot be sure what was done to it.
The FBI's abilities do not end with them. There is a host of three-letter government agencies they can get (and have gotten) assistance from.
But in this case, I seriously doubt this guy is worth the trouble... Unless the government knows more about him than we do (e.g. he sells stolen intel to the highest bidder).
It'd be interesting to closely examine that equipment now (look for intrusions, take firmware dumps, etc.). Especially any outlier chips, like the radio. Maybe he can get Apple to help :-)
If they've already done the engineering it's not a big cost.
For all we know, this kind of thing is nearly COTS in the FBI/NSA/CIA/TLA world. The question becomes: do they let one of their toys fall directly into the hands of a security researcher?
They would be stupid to do that. On the other hand, some agencies are better than others . . .
They would have to do it for all commercially-available devices. Why would they pick the one device you have to compromise and leave out all the others? You'd need a special government department with maybe a hundred employees taking every device coming out commercially and figuring out durable, undetectable compromises, where it's not even a given that it's really possible to do so on them.
If you're insinuating they do this already, then don't you think that would have been the very first bomb dropped by Snowden? Snowden had access to everything. You don't spin up a department like that overnight, it takes years before the department will work well enough to rely on in different situations.
Obviously they investigated it. But there's a big difference between exploring how it could be done and actually producing and distributing real exploits that could be used by Joe Shmoe, federal agent.
Also, just because they have people that can compromise individual devices in the context of a field operation doesn't mean those people are available for regular law enforcement ops, any more than you could get an NFL coach to head up your son's kiddie league team. The scale of engineering is totally different.
Isn't that what we thought before Snowden showed us the NSA reprogramming firmware? I know that I said it was being blown out of proportion when the Snowden leaks started, and boy was I wrong.
Snowden showed us that the 5-eyes countries are actively producing and marketing - in their own secret organizations with secret, anti-democratic agreements - massive-scale spy and intrusion technologies. Anti-democratic, freedom-defeating agreements for the purpose of total information control over human civilization.
Massive-scale, actually: full-spectrum.
There are no aspects of modern technology infrastructure that are off the table in these realms: all systems are targets. Planet-wide.
So, it's not just that the NSA will be reprogramming firmware or putting key sniffers in your MacBook or writing 0-day exploits. It's that they'll listen to everything, anywhere along the wire, as they see fit.
Even the things Snowden revealed required various industries to cooperate with the NSA. They weren't doing it on their own. Most portions of it were even designed and maintained by contractors! The people that work for these agencies are not savants... The people who work for the contractors, however... They're terrifying. The NSA, FBI, etc. are red herrings -- look at MITRE, Booz Allen (consulting), etc.
I would assume it all depends on who in the government touched it. "The government" is a lot of people that don't share much expertise. Some of them have shown a lot of expertise however, and a will to use it maliciously.
"Behind" would assume there's someone else out there that's ahead. The state of the art of device security just isn't there yet for these kinds of compromises to be available to just any cop or agency.
Now, assuredly there are people out there that support field operations who could study the individual device and then exploit it given X number of days. To go from there to assume that the USG can undetectably compromise most, or even a large enough subset, of devices is paranoid. The scale of that problem is much larger.
USG focuses on backdooring crypto for this reason. Much easier to compromise a few algorithms than it is to backdoor every device.
Actually, being ignorant of the reality - which is that the upper echelon of "the US Gov't/MilComplex" has had capabilities far, far in advance of modern civil technology, for long enough now that it is a principal governor of the scene - is also one way that the condition persists.
Fact: the NSA et al. have a complete catalog of devices they can easily implant in any consumer/corporate/civil/military computing device. There is a veritable market within these spook agencies, as customers of each other, such that reaching for a phone-book-sized volume of catalogs is where the implant selection process starts...
There is also much evidence that our CPUs are designed for intrusion in the first place. This is the scarier scenario: it doesn't matter how secret you think you are; if you didn't make your own CPU, there's a back door.
Not only have tweets become news, they've become evidence of crimes. Law enforcement and newsgathering both have been reduced to searching for 140-character wisecracks and following the wisecrackers.
Why would a serious person, especially a security researcher, write a tweet except to manipulate the press or law enforcement?
1. The tweet wasn't news, his arrest was news
2. The tweet wasn't evidence for a crime, it was evidence that a warrant was justified, and other evidence included a supposed admission to the FBI. See http://www.wired.com/wp-content/uploads/2015/05/Chris-Robert...
I wonder if you could play two gov agencies against each other: Dear IRS, I can't fill out the tax form because the FBI seized all my electronic equipment, which contained relevant information. FBI's response to the IRS's inquiry to return the devices: We lost them (alternative: we managed to destroy all data contained on them; pick one depending on how much you believe in Hanlon's razor). The hypothetical me to the IRS: I'm not paying any taxes until you guys figure that shit out lol.
While funny, I think that this falls into the trap of believing that the various bits of the government must operate robotically according to strict, logical principles. There are humans in the system who, for better or worse, can act according to what they perceive as the spirit, rather than the letter, of the law.