Slashdot Mirror


FBI Accidentally Received Unauthorized E-Mail Access

AmishElvis writes "The New York Times reports that a 'glitch' gave the F.B.I. access to the e-mail messages from an entire computer network. A hundred or more accounts may have been accessed, rather than 'the lone e-mail address' that was approved by a secret intelligence court as part of a national security investigation. The episode was disclosed as part of a new batch of internal documents that the F.B.I. turned over to the Electronic Frontier Foundation, as part of a Freedom of Information Act lawsuit the group has brought."

34 of 122 comments

  1. FISA court: whatcouldpossiblygowrong by davidwr · · Score: 5, Funny

    Oh wait too late.

    Better cover it up.

    Oops, we botched that too.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  2. Unauthorized in today's world? by russlar · · Score: 5, Interesting

    Can any kind of government access be considered unauthorized anymore? There have been so many executive orders, bending of laws, etc. that just about every form of government access to information is authorized by something.

    --
    Anybody want my mod points?
    1. Re:Unauthorized in today's world? by fishbowl · · Score: 4, Insightful

      "There have been so many executive orders, bending of laws, etc. that just about every form of government access to information is authorized by something."

      Sounds fine on Slashdot, alt.politics groups, or black helicopter chat, but in reality you can't even try to go in with that position as a prosecutor. Even a conservative judge will hand you your ass.

      --
      -fb Everything not expressly forbidden is now mandatory.
    2. Re:Unauthorized in today's world? by Original+Replica · · Score: 4, Insightful

      just about every form of government access to information is authorized by something.

      I think what the GP meant was that there would be some sort of quasi-official authorization. Along the lines of making all of the evidence classified beyond the judge's level to ever see it, or some kind of DHS gag order + infinite postponement of the trial. Simply a classified letter from an FBI big telling the prosecutor or judge not to pursue the matter any further might work just fine. There is a fair amount of risk in challenging it, a risk many people would not like to take. I'm sure there are ways for the security portions of the government to be technically "cooperating" but never actually have to really answer to a judge. There are parallels to this kind of behavior where the politically powerful simply refuse to comply with the law and seem to be getting away with it.

      --
      We are all just people.
  3. Trust the FBI? by Frosty+Piss · · Score: 5, Funny

    So they "accidentally" gained access to more than what they were supposed to? Aren't we supposed to be able to TRUST them to stick to what they were authorized to access even if they "accidentally" gained greater access? If we can't trust the FBI, who can we trust?

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Trust the FBI? by imipak · · Score: 2, Interesting
      Glitch? Now where have I heard that word before...

      Still, it's reassuring to know that cockup still beats conspiracy, given enough time and sufficient monkeys.

    2. Re:Trust the FBI? by LilGuy · · Score: 3, Insightful

      In my previous job I accidentally granted myself access as a domain administrator, not believing it would be so incredibly easy to do. That was grounds for firing, though they hung on to me, after I showed them I could also reset the passwords for anyone in the company using their in-house password utility.

      The FBI will have no fear of any such consequence. Illegally overstepping their bounds and then saying "oops" is about all you'll hear about this ordeal. I'm sure some calls for investigation will be made and someone might have a dispassionate speech on C-SPAN and then it will all be swept under the rug. It might even pave the way for the FBI to request this type of access for the future if they can "prove" that it's in the interest of "national security".

      --

      You're nothing; like me.
    3. Re:Trust the FBI? by techno-vampire · · Score: 5, Informative
      The FBI will have no fear of any such consequence. Illegally overstepping their bounds


      This being Slashdot, I can probably assume that you didn't bother to RTFA before posting, but if you had, you'd have kept your foot out of your mouth. The FBI requested that an ISP send them copies of all email sent to one address at a small domain. The ISP screwed the pooch and sent them all email sent to that domain. The FBI noticed that they were getting way too much email, found out what had happened and corrected it. At no time did they overstep their bounds, because they only asked for what a judge said they were entitled to. I hope this makes enough sense to you that you can remove your tinfoil hat, but frankly, I doubt it.

      --
      Good, inexpensive web hosting
    4. Re:Trust the FBI? by Artifakt · · Score: 2, Interesting

      It's not blind acceptance if you have evidence. To believe the FBI is lying about this, you have to also believe that they have voluntarily come clean about a situation where they could have just hidden all the facts by merely never bringing them up. They would have to be both honest and exceptionally punctilious, doing their full duty in accordance with the law, when it comes to some points we actually know, and dishonest only on one of the points we can't directly verify.

      Yes, that's still possible, but since it leads to very complex plots that seem likely to unravel at the slightest glitch, or otherwise don't usually make a lot of sense, most of us figure the facts we observe support the FBI having played fair with the law, at least in this case. We extend them a certain amount of trust, because simply shutting up about the whole thing is a strategy a criminal organization would so likely use in a case such as this. That's not necessarily unlimited trust, but the action itself is definitely reasoned, not blind.

      If I see somebody wearing an orange shirt and carrying a lit flashlight, and he claims he wasn't out to sneak around in the dark, I'm not blindly accepting anything to believe him.

      --
      Who is John Cabal?
    5. Re:Trust the FBI? by techno-vampire · · Score: 2, Insightful

      I RTFA, and found their claim reasonable under the circumstances. There didn't seem to be any reason for them to be interested in anybody's email other than that one person's, so why go to the extra effort of reading it?

      --
      Good, inexpensive web hosting
    6. Re:Trust the FBI? by number11 · · Score: 2, Insightful

      The ISP screwed the pooch and sent them all email sent to that domain. The FBI noticed that they were getting way too much email, found out what had happened and corrected it.

      So, the users whose mail was wrongfully given to the FBI could sue the ISP, then. Oh wait, the FBI isn't going to tell them about it. It's not going to tell anyone what the domain is, or who the ISP is, either. State secret.

    7. Re:Trust the FBI? by justinlee37 · · Score: 2, Insightful

      So, the users whose mail was wrongfully given to the FBI could sue the ISP, then. Oh wait, the FBI isn't going to tell them about it. It's not going to tell anyone what the domain is, or who the ISP is, either. State secret.

      That might tip off the person whose e-mail they were reading.

    8. Re:Trust the FBI? by FrkyD · · Score: 2, Insightful

      Is it so hard to believe that there might be liberals who don't like what Bill Clinton did, don't trust what his wife would do and still manage to find most everything the Bush administration has done to be seriously screwed?

      I know of at least one...

  4. Headline: Sysadmin fouls up filter by Jimithing+DMB · · Score: 5, Insightful

    Seriously. What's the story here? Some sysadmin who apparently didn't know what he was doing put the wrong thing in his e-mail server configuration and inadvertently sent all e-mail for the entire domain instead of e-mail for one address.

    Mistakes happen all the time. The appropriate thing to look for is whether the mistake was caught and corrected in a timely fashion. It seems that the mistake was caught and corrected in a timely fashion which basically makes this a story about an everyday occurrence.

    This story might make a good one for some sysadmin journal reminding sysadmins to document policies that help ensure mistakes do not happen and if they do are caught by the company itself instead of by the FBI. For example, a simple procedure would be to check the appropriate logs after changing the configuration to make sure the configuration is doing what it was intended to do.
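
The log check suggested in the comment above, as an added example that is not part of the original thread: it tests a copy rule against probe addresses before deployment, then audits the copy log for recipients outside the authorized scope. The addresses, the regex rule syntax and the key=value log format are all constructed for illustration and do not correspond to any real mail server.

```python
import re

# Constructed values: the one address the order covers and the copy destination.
AUTHORIZED = {"target@smallco.example"}
COLLECTOR = "collector@agency.example"

# Constructed probe recipients used to exercise a rule before it goes live.
PROBES = [
    "target@smallco.example",
    "Target@SmallCo.example",
    "nottarget@smallco.example",
    "alice@smallco.example",
    "target@other.example",
]

# Constructed log lines in a made-up key=value format (not a real MTA's format).
SAMPLE_LOG = """\
2008-02-17T10:00:01Z copy id=A1 rcpt=target@smallco.example dest=collector@agency.example
2008-02-17T10:00:04Z copy id=A2 rcpt=Target@SmallCo.example dest=collector@agency.example
2008-02-17T10:00:09Z copy id=A3 rcpt=alice@smallco.example dest=collector@agency.example
2008-02-17T10:00:12Z deliver id=A4 rcpt=bob@smallco.example dest=local
2008-02-17T10:00:15Z copy id=A5 rcpt=bob@smallco.example dest=collector@agency.example
2008-02-17T10:00:20Z copy id=A6 rcpt= dest=collector@agency.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) id=(?P<id>\S+) "
    r"rcpt=(?P<rcpt>\S+) dest=(?P<dest>\S+)$"
)


def normalize(addr):
    """Assumption: this mail system compares addresses case-insensitively."""
    return addr.strip().lower()


def overmatched(rule_regex, authorized, probes):
    """Probe addresses the rule would copy although they are out of scope."""
    rule = re.compile(rule_regex, re.IGNORECASE)
    allowed = {normalize(a) for a in authorized}
    hits = {normalize(p) for p in probes if rule.search(normalize(p))}
    return sorted(hits - allowed)


def audit_copies(log_text, authorized, collector):
    """Split copies sent to the collector into in-scope and out-of-scope."""
    allowed = {normalize(a) for a in authorized}
    in_scope, out_of_scope, unparsed = [], [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # never silently skip a line we cannot read
            continue
        if m["action"] != "copy" or normalize(m["dest"]) != normalize(collector):
            continue
        rcpt = normalize(m["rcpt"])
        (in_scope if rcpt in allowed else out_of_scope).append((m["id"], rcpt))
    return in_scope, out_of_scope, unparsed


if __name__ == "__main__":
    for rule in (r"@smallco\.example$", r"target@smallco\.example$",
                 r"^target@smallco\.example$"):
        print(rule, "->", overmatched(rule, AUTHORIZED, PROBES))
    ok, bad, junk = audit_copies(SAMPLE_LOG, AUTHORIZED, COLLECTOR)
    print("in scope:", ok)
    print("OUT OF SCOPE:", bad)
    print("unparsed:", junk)
```

Any non-empty out-of-scope or unparsed result after a rule change is the signal to pull the rule before more mail is copied.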

    1. Re:Headline: Sysadmin fouls up filter by vertinox · · Score: 3, Insightful

      Mistakes happen all the time. The appropriate thing to look for is whether the mistake was caught and corrected in a timely fashion. It seems that the mistake was caught and corrected in a timely fashion which basically makes this a story about an everyday occurrence.

      I think the idea is if this happens once it could happen again without too much effort. There is no real oversight on how the FBI, NSA, DHS, or any other organization acquires information nor a transparent way to gather such data.

      Now, I really don't see any malicious intent on the FBI with this because of the old adage "Never attribute to malice that which can be adequately explained by stupidity." but I get the sinking feeling that they would often find themselves in situations in which they are too lazy to follow procedure and due process like maybe a warrant.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    2. Re:Headline: Sysadmin fouls up filter by Jimithing+DMB · · Score: 2, Insightful

      Funny. Obviously it's not routine at all so the chances of making a mistake are even greater. You don't need to file it in some secret folder though. It's no secret at all that when the government produces a valid warrant you need to comply with it or be held in contempt of court. And if I were the sysadmin, I'd be looking through the e-mail myself, not just sending it to the government. If the government is that interested in it then something very wrong is most likely to be going on and I'd like to know about it if it's happening on my network.

      Where I used to work we occasionally set up our own eavesdropping of mails. For example, when a top-level employee who no one trusted was about to be fired we archived all of his mail and put in some hooks so the big boss's could read all of it. Upon reading the guy's comments like "Man, I soaked these suckers for so much cash making them think I could sell their services" it only reaffirmed the big boss's decision to fire the guy for nonperformance.

      Also very good just in case he tried to come back with some bogus suit about being unjustly fired. E-mail is not a private means of communication, particularly corporate e-mail.

    3. Re:Headline: Sysadmin fouls up filter by Jimithing+DMB · · Score: 4, Informative

      You did read the article right? It wasn't the FBI that screwed up. The FBI caught the mistake that the company's sysadmin made when setting up the eavesdropping.

      Yes, it can happen again without too much effort. What are you going to do to fix it? Send the FBI in to set up the eavesdropping themselves so the sysadmin doesn't screw it up? Keep in mind we're talking about a run of the mill court-ordered warrant here. It's a very standard and very legal way to gather evidence. This story has very little if anything at all to do with post-9/11 surveillance or FISA or anything else that might be questionable or debatable. Nowhere in the article does it say that the surveillance was set up as part of a FISA warrant which leads me to believe that the Times reporter is trying to feign a connection for scare value.

      I hate to say it but I think the debate is pretty much closed on court-ordered warrants. If the court orders them and you don't have any legal argument to squash the order then you have to comply with it or be found in contempt of court. There's nothing really secretive about the process either, except ideally to the person who's being surveilled.

    4. Re:Headline: Sysadmin fouls up filter by Jimithing+DMB · · Score: 2, Informative

      Oh noes, some idiot sysadmin accidentally sent my e-mail to the FBI. Someone call a congressional hearing.

      If it's that confidential that someone else seeing it would be a serious problem, use encryption. There's no way they accidentally get copies of your crypto keys. Better yet, don't send it in an e-mail, don't write it in a letter, and don't say it over the phone. If it really needs to be kept a secret, have a face to face meeting. If it doesn't need to be kept that much of a secret (and 99% of things don't) then some lackey at the FBI knowing about it is not going to be a problem.

  5. Whose Glitch? by Doc+Ruby · · Score: 2, Insightful

    F.B.I. officials blamed an "apparent miscommunication" with the unnamed Internet provider, which mistakenly turned over all the e-mail from a small e-mail domain for which it served as host. The records were ultimately destroyed, officials said.


    Whose "glitch"? What was the "apparent miscommunication", exactly? Did the FBI tell the ISP to give them the total access that the court hadn't authorized, or did the ISP make the mistake and give them total access when asked for only limited access? Maybe the FBI is citing that totally ambiguous blame, but what is the real story?

    If the ISP screwed up, then it should get sued by the extra people whose mailboxes it turned over without authorization. If the FBI "screwed up", then it's just another example of why these courts cannot be secret if the government is to do its job protecting our rights - including protecting us from the government.
    --
    make install -not war

    1. Re:Whose Glitch? by fizzywhistle · · Score: 2, Interesting

      Interesting definitions. To me chatting up a 13 year old who turns out to be an FBI agent is an "apparent miscommunication". Spying on the wrong people in violation of a subpoena (I assume a judge ordered this) is not "miscommunication" if it is also a "technical glitch". It can be one or the other, but not likely both. Somebody dropped the ball. Yes, it is a big deal.
      Imagine if a sysadmin "accidentally" rerouted the company's email to their competitors (which might even be legal, if stupid)... Would the FBI accept an "oops" excuse from our aforementioned "child predator"? I think not.

    2. Re:Whose Glitch? by techno-vampire · · Score: 2, Insightful

      Telling the ISP is also what they'd do if they were telling the truth. And, "managing the story," as you call it, is just good public relations. You seem to have decided that no matter what happens, or what is uncovered, the FBI is at fault, and interpret everything from that POV. I, OTOH, see no reason, yet, to disbelieve them, but I'll look at any new evidence with more of an open mind than you appear to have on this subject.

      --
      Good, inexpensive web hosting
    3. Re:Whose Glitch? by Trick414 · · Score: 2, Interesting

      This doesn't appear to be a FISA letter, so the FBI didn't "tell" the ISP to do anything the court hadn't authorized. Ok, sue the ISP. For all the harm it did you. The FBI got some records it didn't request in a lawful court order and it told the organization it requested the records from. The FBI may or may not have read every single one of the emails that it got unlawfully, but until they try to prosecute someone on those records it is a non-event. There is no story here. I have been reading /. for the last several years and finally decided to register. I really like the tech articles, but the whole tin-foil thing just has to go away.

  6. What I want to know by causality · · Score: 3, Interesting

    A hundred or more accounts may have been accessed, rather than 'the lone e-mail address' that was approved by a secret intelligence court as part of a national security investigation.

    When I read this, I wasn't wondering how that happened, or what the nature of the "glitch" was, or how many accounts were accessed. What I was wondering is WHY THE FUCK DOES THE UNITED STATES HAVE A SECRET COURT OF ANY KIND?!?!. Yeah yeah, to protect the children, save the whales, stop the terrorists, keep you safe, "our intentions are pure and we're really a bunch of big-hearted individuals who care about your well-being" etc... I still don't know what is wrong with the assholes who actually believe this shit.

    And hell, I want to believe we have a good, honest government. The fact is, we don't. I don't understand what being in this level of denial is supposed to do to remedy the situation. There is a very good reason why the founding fathers intended for most of our interaction with government to come from the local and state level. The only thing the federal government can do that the state & local governments cannot do is resolve disputes between states, conduct foreign policy, regulate interstate trade, oh and it can slowly become a dictatorship too. Speaking of remedies, I'm betting that nothing will happen either to the FBI as an organization or to the individuals who made this "mistake", that at most they will receive a slap-on-the-wrist.
    --
    It is a miracle that curiosity survives formal education. - Einstein
    1. Re:What I want to know by nguy · · Score: 4, Interesting

      What I was wondering is WHY THE FUCK DOES THE UNITED STATES HAVE A SECRET COURT OF ANY KIND?!?!.

      This is not a "secret court" in the sense of a court that sends people to prison (the US has those, too, but they are still limited to the military and Guantanamo). Rather, it's a court that acts as an additional control for police and secret service actions.

      Such a "secret court" is a good thing, because it provides judicial review for actions that would otherwise not be subject to judicial review at all.

    2. Re:What I want to know by achbed · · Score: 5, Insightful

      Such a "secret court" is a good thing, because it provides the appearance of judicial review for actions that would otherwise not be subject to judicial review at all.

      Fixed that for you.

      Check out the denial records of that court since the 70s. That should tell you just how detailed the FISA rubber stamp looks at those warrant petitions.

  7. Mistakes happen but only continue to happen... by 3seas · · Score: 2, Insightful

    ... when you let it continue to happen.

    "But an intelligence official, who spoke on condition of anonymity because surveillance operations are classified, said: 'It's inevitable that these things will happen. It's not weekly, but it's common.'"

    This falls into the area of cheating in a manner that an excuse can be used to "get away with it". This sort of cheating had been labeled "Neo-cheating" and is a form of dishonesty that is easy to apply and safe from proof. "Oh it was just an honest mistake." Technology should not be a scapegoat for such obvious deceptions.

    To give a simple example of a verification loop, when you sign up for a mailing list, messages boards, etc., in order to prevent spamming email accounts etc, there is a feedback verification loop used. The point is, there are ways to prevent such spying "mistakes" from happening. And there should have already been such methods being applied as standard practice.

    The "it's not weekly but it's common" is nothing but evidence of intent to cheat and to continue it.

    This "allowing deception" is similar to electronic voting security failure vs. ATM financial security practices.

    Computer technology is not an excuse, but a way for dishonest human intent to hide behind technology excuses.

  8. Something doesn't fit... by AnotherUsername · · Score: 5, Funny

    Something is wrong here...I can't quite put my finger on it...

    Wait a minute, that's it!

    You're a spy! No self-respecting Slashdotter would willingly still have a Hotmail address! You're one of them!

    --
    I don't like Linux. This doesn't make me a troll.
    1. Re:Something doesn't fit... by UnderDark · · Score: 2, Funny

      The guy is a spy! Burn him! Burn him!

  9. Whose e-mails? by RealGrouchy · · Score: 2, Insightful

    Whose e-mail network was it that was revealed? Was it the NYT's network, or simply another one that they are reporting on?

    (TFAS is ambiguous, and TFA is behind a login screen.)

    Thanks,

    - RG

    --
    Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
  10. What we DON'T know by Baraka · · Score: 4, Interesting
    • which ISP was involved
    • how many individuals' accounts had their privacy compromised
    • how many messages were captured by the FBI's data vacuum cleaner
    • whether the messages were really destroyed or not (what does unspecified means mean?)
    • whether the FBI is even telling the truth or not
    • how many other times this kind of overproduction has occurred since 9/11

    The writer of this article, Eric Lichtblau, won a shared Pulitzer Prize for his work in exposing the illegal warrantless wiretapping program, authorized by the government and championed by the White House after 9/11. In fact, it was in existence even before 9/11, but that's another story entirely.

    This program supposedly expired just yesterday when Congress let the clock run out on its dependent legislation. The problem here, clearly, is that it doesn't matter if this program is never renewed; overproduction of data under FISA will still happen all the time. That's the entire point of this article. There are no checks and balances. There is no accountability. There is NOTHING. Total secrecy and legal immunity are all but guaranteed for the perpetrators. Period.
    --
    "The illegal we can do right now; the unconstitutional will take a little longer." --Henry Kissinger
  11. Neither question is important by ShinmaWa · · Score: 2, Interesting

    Two important questions here:

    Actually, neither of them are important.

    If the ISP actually misunderstood the surveillance request, why didn't they get confirmation? Asking for one person's email to be sent is one thing, but a request for the entire domain's email to be forwarded sounds too broad to be legitimate.

    It sounded to me, from reading TFA, that it was an accident on the part of the ISP. The FBI didn't ask for it.

    When the FBI found they were getting email from individuals other than those they wanted. Did they promptly delete the email unread and report to the admin? Or did they think, "Hmmmm. Well, since we're already getting it..."

    ...and anything they read in there would be inadmissible in court since it wasn't obtained from a proper warrant. So why bother?

    The truth is that FBI agents are actually very, very busy people. They are often working a bunch of cases at once and they don't have enough time to go on illegal fishing expeditions that wouldn't be admissible in court anyway. It is almost certain that the FBI agents not only didn't read the email they weren't looking for, but actively stopped the problem and got rid of the excess because sifting through a mountain of crap would only hinder their investigation. In either case, the FBI did report the issue to both the court AND their executive oversight (that would be 2 branches of government).

    You can wear your tinfoil hat if you want, but it really seems to me that the FBI didn't ask for it, didn't want it, stopped it when they noticed it, and reported the issue to the proper oversight authorities. I'm just not seeing a scandal here.
    --
    The /. Effect: Thousands of users simultaneously accessing a site to not read its content.
  12. Ok, seriously... by cjb658 · · Score: 2, Interesting

    ...why do people still send sensitive email unencrypted?

  13. I wonder how long before ... by saltydog56 · · Score: 2, Insightful

    I wonder how long before the government will require some sort of security clearance or background check on telecommunications workers and sysadmins on the basis that setting up these taps and email filters makes them privy to at least some of the details of who is being watched and why. What if any steps is the government taking to ensure that the lowly sysadmin does not give the target of the investigation a heads up saying that they are being watched?

  14. Re:FISA court: whatcouldpossiblygowrong by Z00L00K · · Score: 2, Insightful
    Which leads to the conclusion - run your own mailserver.

    A cheap Linux box running Sendmail and an installation of OpenSSL to let Sendmail be able to run SMTPS.

    On top of that use a POP3/IMAP server that can do POP3S/IMAPS and you can access your mail without the risk of an accidental peek.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.