Slashdot Mirror


DOJ Requests More Power To Hack Remote Computers

An anonymous reader writes "The U.S. Department of Justice says it needs greater authority to hack remote computers in the course of an investigation. The agency reasons that criminal operations involving computers are becoming more complicated, and argues that its own capabilities need to scale up to match them. An ACLU attorney said, 'By expanding federal law enforcement's power to secretly exploit "zero-day" vulnerabilities in software and Internet platforms, the proposal threatens to weaken Internet security for all of us.' This is particularly relevant in the wake of Heartbleed — it's been unclear whether the U.S. government knew about it before everyone else did. This request suggests that the DOJ, at least, did not abuse it — but it sure looks like they would've wanted to. You can read their request starting on page 499 of this committee meeting schedule."

12 of 76 comments

  1. Do you really want to do that? by Opportunist · Score: 5, Interesting

    You might not want to use something like this, at least you do not want to use it against criminals who themselves have a background in IT and especially IT security. Else you might be in for a nasty surprise, namely that they're employing a tripwire system that waits for someone trying to hack them as an early warning system.

    In other words, your attempt to hack the criminals doubles as a "the feds are coming" flare.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Do you really want to do that? by Anonymous Coward · Score: 3, Interesting

      Even the clueless criminals, once they see the Feds are wanting to hack into their systems, will start getting their friends who know what they are doing and updating things.

      It isn't hard to run the second set of books on an offline computer with a F/OSS operating system, an office suite that doesn't need activation, and USB flash drives for moving data. With a VM server like KVM, VirtualBox, or VMware Workstation, any programs that need Windows can run on a hacked copy.

      Network-wise, there are plenty of VPN services in countries not friendly to the US, but will be happy to take money from people in the country.

      So, long term, asking for hacking rights might be good for low-hanging fruit (the guy in the parent's basement with the pot plant or two), but after a few seizures, the difficulty will increase since the bad guys will just use time-tested methods of couriers and dead drops. A 128 GB MicroSD card can hold a lot of data. Using a diskless Linux distribution like Knoppix or Tails isn't that tough, so a computer used by a smart crook can have a Windows OS on there with a lot of decoy files... but the real stuff and the actual sets of books would be accessed via a bootable CD and a USB flash drive with a hidden, encrypted partition.

      One can point to how people are dealing with the border laptop seizures. Even people who have no reason to worry are now concerned about that. If that same fear/worry gets to common criminals, the police work will have to be done endpoint to endpoint physically, and criminals have taken countermeasures for this for thousands of years.

    2. Re:Do you really want to do that? by mlts · Score: 3, Interesting

      If a criminal runs their books offline with no net connection, using a USB flash drive for physical transportation or moving encrypted data to an online PC, tripwire may not be needed.

      It wouldn't take much to scare criminals into moving their unencrypted stuff offline, then the DOJ has hosed themselves since all the juicy stuff they wanted easier access to is now inaccessible unless physical attacks are used.

    3. Re:Do you really want to do that? by sumdumass · Score: 3, Informative

      "Even the clueless criminals, once they see the Feds are wanting to hack into their systems, will start getting their friends who know what they are doing and updating things."

      I don't necessarily disagree with what you are saying but you cannot really advertise a job to secure a criminal enterprise. What you are left with is either relying on only those you already know which might not be very cutting edge or seeking someone specific out and hoping they don't turn rat on you.

      In the former, I will just say that I don't know how many screwed up systems and wide open home networks I have seen installed by someone's rocket scientist kid, nephew, neighbor, work IT, church buddy, or whatever that had more WTF things going on than anything correct. Even following people sporting walls full of certifications and bragging about how good they are because of them sometimes turn out to be almost worthless for even simple tasks when following them into a small business. Those are usually the most dangerous - screwed up too. I usually find them running unpatched Windows 200x servers directly open to the internet and half the ports opened up because they wanted remote access or something in the network needed it. They are often sporting more infections and malware than a porn-surfing teen's computer - because no one ever logs onto them to see the 5 million IE pop-ups and error messages until something goes horribly bad and they just reboot thinking "I fixed it again".

      I'm thinking most criminals that aren't just doing it because of opportunity will already be into something like what you describe. A lot of people claim to know what they are doing but fail in spectacular ways.

  2. Illegal by casca69 · Score: 5, Insightful

    Bluntly, if they would prosecute me for doing it, then they better damn well have a warrant and judicial oversight.
    Otherwise, it's breaking the law, and prosecution ensues.

    1. Re:Illegal by Anonymous Coward · Score: 4, Insightful

      You are aware that the DoJ is a branch of government, right?
      When was the last time any branch was tried for doing something illegal?

    2. Re:Illegal by sumdumass · Score: 3, Informative

      What happens and should happen are separate things.

      The concept of the king can do no wrong died a long time ago, got reborn and needs to be killed once again.

  3. Let them have it by fustakrakich · Score: 5, Insightful

    Since they're doing it anyway (surely you're not going to believe their denials still, are you?), let it be public and provide incentive to build more resistant electronics.

    --
    “He’s not deformed, he’s just drunk!”
  4. Re:Let them have it = Holder has it! by BoRegardless · Score: 5, Insightful

    Since our Atty General, Mr. Holder, says he can choose which laws to obey, then there are no laws, no rules, except what he chooses to do.

  5. Remote computers can be anywhere ... by Alain Williams · Score: 5, Insightful

    including other countries; I did not notice anything in the article restricting this to computers in the USA. Other countries might not agree with the USA DOJ allowing computers in their countries to be cracked -- thus the USA cops/investigators will be conducting criminal acts in other countries -- how does that make them different from what the USA wanted to grab Gary McKinnon for?

  6. Clear as day by Charliemopps · Score: 4, Insightful

    So let me get this straight. The DOJ's argument is: "If we leave the door locked, how are we supposed to catch burglars?"

  7. No! by Hamsterdan · Score: 5, Insightful

    If you (or myself) do the same thing, it's illegal, and we're gonna be prosecuted. The law is the same for everyone (at least it should be). I'm sick & tired of that shit. Police installing cameras (without warrant) to spy on people, inside their homes, warrantless wiretapping and every other thing that is *ILLEGAL* for the common people.

    If it's illegal for me to do it, it's illegal for them to do it. And yes, I hope it blows up in their faces.

    --
    I've got better things to do tonight than die.