Russian Agency Charges FBI Agent With Hacking
eNonymous Coward writes "An FBI agent who helped lure two Russian 'hackers' to the USA in 2000 so that they could be arrested is now being charged with hacking himself by the Russian FSB. You might remember that Gorshkov and Ivanov exploited an NT vulnerability to steal information from corporate networks, which was then used to extort money from the companies; they're also accused of being behind the CDUniverse and Western Union credit card database thefts. Last year a federal judge ruled that the FBI's action was legal, but the FSB disagrees."
Turnabout's fair play, eh?
"Einstein argued that [...] God is not capricious or arbitrary. No such faith comforts the software engineer." ~ Brooks
I say extradite this fed to Russia, and hand him over to Dmitry Sklyarov. I'll leave the rest for you to imagine.
A crime is a crime is a crime, and should be solved officially. Stealing data is just a normal crime, even if it is done by the FBI.
I believe the Russians have a very strong case here - the FBI invited them over to the USA and then asked them to hack a system, then bang them up for hacking. This is hardly fair - and the Russians are absolutely right: if the FBI were using keystroke-tracking software, they're the ones who were committing the offence.
It surprises me, though, that you have two very good hackers, and neither of them thought to err on the side of caution and check the computers they were working on for such things...
Like car accidents, most hardware problems are due to driver error.
What I notice is the US Govt's case is based on: 1> the fourth amendment doesn't apply cuz it didn't happen here, and 2> Russian law doesn't apply cuz it didn't happen there.
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
This was an interesting case. The description of how the agents lured the Russian "hackers" to the US was beyond belief.
Michael was back at the office downloading data from their computers like mad while they took them to lunch.
The Russians were very chatty, too chatty for their own good. IIRC they had something like 350 pages (an entire binder) of transcribed conversations with them. As is usual, the "hackers" were tooting their own horns.
I was called as a witness in the case to testify to data they had recovered and statements the Russians had made. The Russians had lied about the level of access they had. However, these people were very persistent, they spent a month or so just learning and tinkering trying to get a relatively small amount of data.
It's clear what their motives were though. They were stealing credit cards, setting up eBay auctions and using proxy PayPal accounts to pay themselves for eBay auctions they had set up themselves.
I got to learn how seriously PayPal takes "hackers" and abuse. Both PayPal and eBay (now the same) have dedicated professionals to tracking down "hackers" and fraud.
You know what might be interesting? Both the Russian and American laws may be right.
Think about it: the "sting" was under US jurisdiction as far as the physical location of the agents and the operation, so peeking at the records might be allowed. However, the hoovered computer was in Russia, so Russian laws apply to those efforts as well.
What might help is to visualise what the non-computer version would be. Say the data in the US is a perfect fax of the Russian originals: did the agents "break and enter" into a data warehouse with forged keys, or did they trick the warehouse into voluntarily sending the copies? If the method in which these copies were obtained is illegal in Russia, are they still admissible in the US as evidence?
It's way too complicated, and I have no idea how I should feel about it.
"I can't understand how a federal judge can have the sort of authority to declare the action legal when it doesn't appear to be a federal matter."
The case appears to be before Judge Coughenour, a federal judge sitting in Seattle. During the course of a typical case, judges routinely have to rule on federal and state legal issues that come up. On federal law questions, the judge looks primarily to the past decisions by the US Supreme Court and the 9th Circuit Court of Appeals.
For state law issues, Judge Coughenour has to apply and abide by past rulings of the Washington State courts, and especially its Supreme Court.
For a specific example, the Russian defendants can claim rights under both the 4th Amendment to the US Constitution and similar provisions of the Washington Constitution against unreasonable search and seizures. You may have more (or fewer) rights under your state constitution than you do under the Federal. Coughenour would look to federal precedents to decide the federal issue and look to state precedents to decide the Washington state issue.
If the Russians think that Coughenour gets either the state or federal issues wrong, they can appeal to a higher Federal Court of Appeals and on the state law issue, there is a process for the Court of Appeals to ask the Washington Supreme Court for their opinion.
On the issue of who wins the dispute over whether the FBI agent broke Russian law, there is no single answer. If the Russian courts ultimately decide the FBI agent broke their laws, they can convict him and sentence him to prison. Their problem is getting hold of the FBI agent to put him on trial in the first place. Don't look for a U.S. Court to order that a Russian extradition request for the FBI agent be honored. This case should make a nice final exam question for "Conflicts of Law" courses in lots of US law schools next May.
Did you notice that the US courts accept the fact that data is just as much property as your car is (for the MPAA's sake), and the fact that it is clearly not (if it has been gathered as evidence)?
Did you also notice the fact Russian law does not apply to the federal agents hacking Russian computers, but clearly US law applies to Russians hacking American computers?
This is disgusting...
-- Please put this in your sig if you think
What I notice is the US Govt's case is based on: 1> the fourth amendment doesn't apply cuz it didn't happen here, and 2> Russian law doesn't apply cuz it didn't happen there.
The FBI is using the courts' confusion over the internet to muddy the waters about where the crime took place and who should have jurisdiction. This twists the situation around so that Dmitriy is a US criminal for doing something in his own country that's entirely legal in his own country, and the FBI can do anything illegal in the US and not have to answer to US law.
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
The alternative (the one the Russian FSB [Federal Security Bureau], formerly known as KGB [Committee for State Security], and certain French censorship judges want) is that you are somehow subject to all laws combined - which is a horrible mess. Is this post subject to UK law? (I'm in the UK ATM) Or US? (US server) Or Canadian (accessible from Canada) - in which case it should probably be translated into French as well?
This seems simple to me: when in country X, you are subject to the laws of country X. Everybody else should STFU: I will not accept French, Russian or for that matter Taleban laws as applicable in any way except on their own soil. Hell, if the former KGB considers the FBI's investigation illegal, imagine how illegal the CIA spying on the USSR is - or those spy satellites Boeing and Lockheed make?
What is interesting is that those hackers had "no expectation of privacy" according to the US judge. Does it imply that in the US you have no expectation of privacy when using a computer at work, a public library or an internet kiosk?
MSDOS: 20+ years without remote hole in the default install
The difference is that normally if the FBI wants to do any operation in another country, it has to cooperate with that country's officials. If they just come to another country and do a search without obtaining a search permit from that country's officials, that would be a crime.
As you rightfully mentioned, just because it involves computers and not drug trafficking/dealing does not make it much different - the FBI performing an illegal search in another country [Russia] and hacking computers in Russia without obtaining a permit from a Russian court was committing a crime. Pretty straightforward, isn't it?
MSDOS: 20+ years without remote hole in the default install
http://www.canoe.ca/CNEWSTechNews0105/10_hackers2-ap.html
High-tech net snags hackers
By ALLISON LINN -- The Associated Press
SEATTLE (AP) -- Invita Security Corp. looked like a typical Internet company: It had offices, computers, employees and a secure computer system. The only thing missing was the customers.
Far from being a failed start-up, the aptly named Invita turned out to be a bogus company set up by the FBI to ensnare two young Russians accused of breaking into U.S. Internet companies' computers, stealing sensitive data and trying to extort money.
Authorities say Alexey Ivanov, 21, and Vasily Gorshkov, 25, both of Chelyabinsk, fell for the bait. They were arrested and jailed on charges including conspiracy and fraud and are set for trial May 29 in federal court in Seattle.
The FBI declined to comment. But in recently unsealed court documents that read like a spy novel, agents tell how they snagged the alleged thieves by creating the shell company and inviting Ivanov and Gorshkov to try to hack into it.
After Ivanov and Gorshkov succeeded from afar, FBI agents posing as Invita employees invited the two to Seattle to discuss a partnership and further display their hacking prowess.
As the Russians demonstrated their skills at the shell company, the FBI used a computer eavesdropping technique to reach across the Internet and break into the suspects' own computer system in Russia.
Internet security experts say the case illustrates well how the FBI's cybercrime-fighting abilities have evolved -- though the defense is questioning the legality of the agency's methods.
"What they did was phenomenal. It was exceptionally effective," says Kevin Mandia, who worked for the Air Force office of special investigations and taught FBI courses in hacker attacks before joining the Irvine, Calif., Internet security company Foundstone. "Five years ago they wouldn't be able to do that kind of thing."
Mandia says that the FBI, after being ridiculed as ill-equipped to fight computer crime, has made remarkable progress, including adding a program that has trained more than 1,000 agents in cybercrime.
The FBI believes the Russian suspects or their associates could have been involved in hundreds of crimes against U.S. companies, including Kirkland-based Lightrealm.com, an Internet access company, and Palo Alto, Calif.-based PayPal, an online payment business.
First, the FBI alleges, the hackers broke into computer systems. Then, authorities say, they sent e-mails to company officials demanding payment in exchange for not distributing or destroying sensitive documents including financial records.
After tracking down the suspects over the Internet, the FBI invited them to Seattle in November for the Invita gambit.
Court records show that while Gorshkov was using an Invita computer, the FBI secretly used a "sniffer" program that logs every keystroke a person types.
Using passwords recorded by the "sniffer," the FBI was then able to enter the computers in Russia where Gorshkov kept his data and download immense amounts of information.
In court documents, Gorshkov's lawyer, Kenneth E. Kanev, has challenged the FBI's right to use that material, claiming his client's privacy was invaded because he did not consent to have his computer usage recorded. Kanev contends the FBI should have obtained a search warrant before downloading the information.
The investigators say they were forced to follow this procedure because they needed to secure the incriminating information before the two suspects' Russian counterparts destroyed the data.
The Invita case could define how far U.S. law enforcement can go to catch non-citizens who break into American systems.
"This case is going to resolve a very thorny legal question," says Marc J. Zwillinger, a former Justice Department computer expert now in private practice in Washington.
The case could test the admissibility of evidence obtained through the covert recording of computer keystrokes, a technique the FBI also used in a case against an alleged mobster in New Jersey, Nicodemo S. Scarfo Jr., that is expected to go to trial later this year.
Today's most serious hacker threats come from outside the United States or go through computers abroad. Russian hackers, in particular, have been behind several of the biggest Internet theft cases.
US is now divided as the "Red" and "blue" states. Red States = communist countries. Coincidence? I think not
Excuse me? Is there *any* legal basis for that? You only need apply for a search warrant after you've confiscated all the material you need if you think the bad guys might try to cover their tracks?
Incidentally, if the FBI agents knew all along that they wanted to access this data, why didn't they apply for the search warrant before starting the whole sting operation?
Let's hope that other nations will help rein in the US law enforcement and legal system, for the benefit of everybody in the world.
Oh, it sounds good to set up these little questions, but actually every single one is answered by well-defined law. Of course, in each case, it's only the former ("OK") category when the action complies with the existing law within the jurisdiction of the agent committing the act. Usually, in international affairs, there is no defining jurisdiction -- and therefore, the action is not "OK".
That's why the Bush administration's go-our-own-way, knee-jerk unilateralism is a Bad Thing. The United States has spent 50 years helping craft an international environment that handled many of the cases offered above -- and, overwhelmingly, handled them in a way favorable to both the narrow interests of the United States and, amazingly, to the cause of human dignity and freedom.
Now that we're the world's sole military superpower, and darn near the world's sole economic superpower, Bush & Co. think we can ride roughshod over the international agreements that form that framework. (And we're not talking Kyoto or ICC -- they've played pretty fast-and-loose with the Geneva Convention, too.) With no defining jurisdiction agreed between sovereign nations, each feels justified to do whatever it wants. Ironically, with no defining jurisdiction agreed between sovereign nations, none actually are justified.
When you undermine the idea of international law, you make everyone into vigilantes. As a die-hard American patriot, it pains me to see my country turning into a "rogue state".
The Mongrel Dogs Who Teach
looking at:
He also found that the Fourth Amendment did not apply to the computers, "because they are the property of a non-resident and located outside the United States," or to the data -- at least until it was transmitted to the United States.
and
Finally, Coughenour rejected defense arguments that the FBI's actions "were unreasonable and illegal because they failed to comply with Russian law," saying that Russian law does not apply to the agents' actions.
That sounds scarily close to saying "US Law doesn't apply to our actions" and "Russian Law doesn't apply to our actions" so we'll do whatever we damned like...
a grrl & her server
Go look up the fourth amendment. It doesn't say 'residents'. In fact, neither 'resident' nor 'citizen' occurs in the bill of rights - referred to instead are 'people'. This entire notion that the bill of rights doesn't apply to foreigners is sheer fabrication - but one we've seen a lot of recently and one I sadly predict we'll be seeing a lot more of before things get better...
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Do you really believe in a great conspiracy by the rest of the world that aims bringing the USA down and that other countries are incapable of setting up fair trials?
You don't read this site very much, do you? It is riddled with comments about hoping that Americans 'get what they deserve', whatever that may be. And supposedly this site is supposed to cater to the more enlightened masses.
As a general rule the US does not allow its armed forces to be commanded by non-Americans. The reasoning behind this is that it's been shown that American troops are more effective this way. Part of this is also that its troops are responsible to US military courts as well. Having US soldiers brought before a different court system would be a blow to one of the fundamentals of the US military and hurt combat effectiveness.
Besides this, we in the US believe in a 'jury by your peers'. A world court is hardly that.
The whole point behind the Carnivore system is that the data is captured but not examined until you have a search warrant.
Schroeder's cat: If I have a copy of data I can't access, at what point is the data actually "seized"? When it is a copy of bits, or when it is examined and found to be data?
Never confuse volume with power.
Wrong number of arguments or invalid property assignment: 'instr'
No article.. ;(
<^>_<(ô ô)>_<^>
The same reason why we all don't work for One Big Company. Diversity is good. It may allow for conflicts to exist, but such events are required in nature for us to learn and grow.