Sophos cybersecurity expert Chester Wisniewski provides excellent, topical and timely commentary on the FBI’s recent use of a malware-like method to forcibly clean up hundreds of servers still infected in the Hafnium aftermath.
With Paul Ducklin and Chester Wisniewski
Intro and outro music by Edith Mudge.
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
WHERE TO FIND THE PODCAST ONLINE
You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.
Or just drop the URL of our RSS feed into your favourite podcatcher software.
If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.
Jack Wilborn
Fact is that you are justifying a criminal act (hacking another computer) against someone that has not committed a crime. So much for a right to privacy. The FBI is a functioning piece of malware.
— frustrating, but fun to listen to you all — take care (8′)
Paul Ducklin
I’m not sure how this case subverts anyone’s “right to privacy”. This isn’t a question of a warrant to log the data of people who aren’t suspects in the hope of capturing some of a suspect’s data in the midst of a giant data fishing expedition.
If there was a threat to privacy here, it was the wide-open, insecure, already-hacked Exchange servers where crooks without warrants could wander in at will and snoop as they liked. You can argue that users with email accounts on those servers were much better off privacy-wise after the FBI came and went.
Anyway, my understanding is that warrants aren’t issued just for “investigating suspected criminals”, but for many different purposes including gathering evidence that might be relevant to criminality (the cops can get a warrant to search my shed if they have good cause to expect to find evidence in there, even if they think I have no knowledge of who put it there and when), disrupting criminal activity, and protecting others from becoming victims of crime. For example, when the cops present a warrant to a telephone company or to a bank to request data that might relate to crimes, there’s no suggestion that the phone company or the bank is being investigated for allegedly committing a crime.
For all that you might decide to object to this malware takedown exercise on principle, I don’t that you can cry “privcy invasion” in this case…
Sonia
Attacks are increasing and few understand the technical background, so perhaps many were glad they were helped. However, when giving a government institution the tools and legal framework to intervene in that way, it should be remembered that government interests can change. You can see it in a great many countries: state industrial espionage, despotism, homophobia, etc. etc
From a German perspective, I always ask myself the simple question: How many persecuted would have survived if the Nazis had had the powers and surveillance capabilities of today’s government?
You are probably right in this case, Paul, that this time more privacy was protected than violated, but it’s healthy to stay sceptical. I don’t know if the FBI needs some kind of independent judicial permission or if they can just go ahead and do some server hacking?
Paul Ducklin
Court authorisation was required (and received) in this case.
Trisha
If the exercise was conducted using publicly available and known exploits; and was executed with court authorisation; then I applaud the action. Basically, it could have been anyone – and on this occasion it was a government agency. Perhaps it will encourage some to take warnings and general security more seriously. Basically it’s showing proof of concept and execution of the published vulnerabilities. If it shook a few people up, then it did the job. If they patched or plugged the holes; then even better.
Paul Ducklin
As explained in the podcast, the cops didn’t break in using an exploit – they used the remote access tool (known as a webshell) that crooks who did use an exploit had already broken in an left behind.
This was not merely a “proof of concept” to show that an attack was feasible. They used an existing security hole installed by crooks who had already broken into the network to uninstall that self-same security hole.