FBI Accidentally Received Unauthorized E-Mail Access
AmishElvis writes "The New York Times reports that a 'glitch' gave the F.B.I. access to the e-mail messages from an entire computer network. A hundred or more accounts may have been accessed, rather than 'the lone e-mail address' that was approved by a secret intelligence court as part of a national security investigation. The episode was disclosed as part of a new batch of internal documents that the F.B.I. turned over to the Electronic Frontier Foundation, as part of a Freedom of Information Act lawsuit the group has brought."
Headline: Sysadmin fouls up filter (Score:5, Insightful)
Seriously. What's the story here? Some sysadmin who apparently didn't know what he was doing put the wrong thing in his e-mail server configuration and inadvertently sent all e-mail for the entire domain instead of e-mail for one address.
Mistakes happen all the time. The appropriate thing to look for is whether the mistake was caught and corrected in a timely fashion. It seems that the mistake was caught and corrected in a timely fashion which basically makes this a story about an everyday occurrence.
This story might make a good one for some sysadmin journal reminding sysadmins to document policies that help ensure mistakes do not happen and if they do are caught by the company itself instead of by the FBI. For example, a simple procedure would be to check the appropriate logs after changing the configuration to make sure the configuration is doing what it was intended to do.
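One way to run the post-change log check suggested in the comment above, as an added example that is not part of the original thread: it reads the events produced by a mail-copy rule and flags every recipient outside the authorized set. The log format, the rule name `order-17`, the addresses and the function names are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log, one line per mail-server event. The format is an
# assumption made for this example, not the log format of any real MTA.
SAMPLE_LOG = """\
2000-01-01T09:00:01Z copy-rule=order-17 rcpt=target@example.net action=copied
2000-01-01T09:00:05Z copy-rule=order-17 rcpt=alice@example.net action=copied
2000-01-01T09:00:09Z copy-rule=order-17 rcpt=Target@Example.net action=copied
2000-01-01T09:01:12Z copy-rule=order-17 rcpt=bob@example.net action=copied
2000-01-01T09:01:30Z delivery rcpt=carol@example.net action=delivered
2000-01-01T09:02:00Z copy-rule=order-17 rcpt= action=copied
"""

COPY_RE = re.compile(r"^\S+ copy-rule=(?P<rule>\S+) rcpt=(?P<rcpt>\S+) action=copied$")


def audit_copies(log_text, rule, authorized):
    """Classify every message duplicated by `rule` as in or out of scope."""
    allowed = {addr.lower() for addr in authorized}
    result = {"in_scope": 0, "out_of_scope": Counter(), "unparsed": []}
    for line in log_text.splitlines():
        if f"copy-rule={rule} " not in line:
            continue  # ordinary delivery, or a different rule
        match = COPY_RE.match(line)
        if match is None:
            # Fail closed: a copy event we cannot read needs a human look.
            result["unparsed"].append(line)
            continue
        rcpt = match["rcpt"].lower()  # assumption: addresses compare case-insensitively
        if rcpt in allowed:
            result["in_scope"] += 1
        else:
            result["out_of_scope"][rcpt] += 1
    return result


def scope_ok(result):
    """True only when nothing outside the authorized set was copied."""
    return not result["out_of_scope"] and not result["unparsed"]


if __name__ == "__main__":
    report = audit_copies(SAMPLE_LOG, "order-17", {"target@example.net"})
    print("in scope:", report["in_scope"])
    for addr, n in sorted(report["out_of_scope"].items()):
        print(f"OUT OF SCOPE: {addr} ({n} message(s) copied)")
    print("unparsed copy events:", len(report["unparsed"]))
    print("rule matches authorization:", scope_ok(report))
```

Run against the first minutes of log output after a rule change, a single out-of-scope address is enough to show that the filter matches more than the one mailbox it was meant to.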
Whose Glitch? (Score:3, Insightful)
Whose "glitch"? What was the "apparent miscommunication," exactly? Did the FBI tell the ISP to give them the total access that the court hadn't authorized, or did the ISP make the mistake and give them total access when asked for only limited access? Maybe the FBI is citing that totally ambiguous blame, but what is the real story?
If the ISP screwed up, then it should get sued by the extra people whose mailboxes it turned over without authorization. If the FBI "screwed up", then it's just another example of why these courts cannot be secret if the government is to do its job protecting our rights - including protecting us from the government.
Re:Headline: Sysadmin fouls up filter (Score:4, Insightful)
I think the idea is if this happens once it could happen again without too much effort. There is no real oversight on how the FBI, NSA, DHS, or any other organization acquires information nor a transparent way to gather such data.
Now, I really don't see any malicious intent on the FBI with this because of the old adage "Never attribute to malice that which can be adequately explained by stupidity," but I get the sinking feeling that they would often find themselves in situations in which they are too lazy to follow procedure and due process like maybe a warrant.
Re:Headline: Sysadmin fouls up filter (Score:3, Insightful)
Funny. Obviously it's not routine at all so the chances of making a mistake are even greater. You don't need to file it in some secret folder though. It's no secret at all that when the government produces a valid warrant you need to comply with it or be held in contempt of court. And if I were the sysadmin, I'd be looking through the e-mail myself, not just sending it to the government. If the government is that interested in it then something very wrong is most likely to be going on and I'd like to know about it if it's happening on my network.
Where I used to work we occasionally set up our own eavesdropping of mails. For example, when a top-level employee who no one trusted was about to be fired we archived all of his mail and put in some hooks so the big bosses could read all of it. Upon reading the guy's comments like "Man, I soaked these suckers for so much cash making them think I could sell their services" it only reaffirmed the big boss's decision to fire the guy for nonperformance.
Also very good just in case he tried to come back with some bogus suit about being unjustly fired. E-mail is not a private means of communication, particularly corporate e-mail.
Re:Trust the FBI? (Score:4, Insightful)
The FBI will have no fear of any such consequence. Illegally overstepping their bounds and then saying "oops" is about all you'll hear about this ordeal. I'm sure some calls for investigation will be made and someone might have a dispassionate speech on C-SPAN and then it will all be swept under the rug. It might even pave the way for the FBI to request this type of access for the future if they can "prove" that it's in the interest of "national security".
Mistakes happen but only continue to happen... (Score:3, Insightful)
"But an intelligence official, who spoke on condition of anonymity because surveillance operations are classified, said: 'It's inevitable that these things will happen. It's not weekly, but it's common.'"
This falls into the area of cheating in a manner that an excuse can be used to "get away with it". This sort of cheating had been labeled "Neo-cheating" and is a form of dishonesty that is easy to apply and safe from proof. "Oh it was just an honest mistake." Technology should not be a scapegoat for such obvious deceptions.
To give a simple example of a verification loop, when you sign up for a mailing list, message boards, etc., in order to prevent spamming email accounts etc., there is a feedback verification loop used. The point is, there are ways to prevent such spying "mistakes" from happening. And there should have already been such methods being applied as standard practice.
The "it's not weekly but it's common" is nothing but evidence of intent to cheat and to continue it.
This "allowing deception" is similar to electronic voting security failure vs. ATM financial security practices.
Computer technology is not an excuse, but a way for dishonest human intent to hide behind technology excuses.
Re:Unauthorized in today's world? (Score:4, Insightful)
Sounds fine on Slashdot, alt.politics groups, or black helicopter chat, but in reality you can't even try to go in with that position as a prosecutor. Even a conservative judge will hand you your ass.
Re:What I want to know (Score:5, Insightful)
Fixed that for you.
Check out the denial records of that court since the 70s. That should tell you just how detailed the FISA rubber stamp looks at those warrant petitions.
Re:Unauthorized in today's world? (Score:5, Insightful)
I think what the GP meant was that there would be some sort of quasi-official authorization. Along the lines of making all of the evidence classified beyond the judge's level to ever see it, or some kind of DHS gag order + infinite postponement of the trial. Simply a classified letter from an FBI big telling the prosecutor or judge not to pursue the matter any further might work just fine. There is a fair amount of risk in challenging it, a risk many people would not like to take. I'm sure there are ways for the security portions of the government to be technically "cooperating" but never actually have to really answer to a judge. There are parallels to this kind of behavior where the politically powerful simply refuse to comply with the law and seem to be getting away with it. [democrats.com]
Whose e-mails? (Score:2, Insightful)
(TFAS is ambiguous, and TFA is behind a login screen.)
Thanks,
- RG>
Re:Trust the FBI? (Score:3, Insightful)
Re:Whose Glitch? (Score:3, Insightful)
Re:Trust the FBI? (Score:3, Insightful)
So, the users whose mail was wrongfully given to the FBI could sue the ISP, then. Oh wait, the FBI isn't going to tell them about it. It's not going to tell anyone what the domain is, or who the ISP is, either. State secret.
I wonder how long before ... (Score:2, Insightful)
Re:Trust the FBI? (Score:2, Insightful)
So, the users whose mail was wrongfully given to the FBI could sue the ISP, then. Oh wait, the FBI isn't going to tell them about it. It's not going to tell anyone what the domain is, or who the ISP is, either. State secret.
That might tip off the person whose e-mail they were reading.
Re:Trust the FBI? (Score:2, Insightful)
I know of at least one...
Re:FISA court: whatcouldpossiblygowrong (Score:3, Insightful)
A cheap Linux box running Sendmail and an installation of OpenSSL to let Sendmail be able to run SMTPS.
On top of that use a POP3/IMAP server that can do POP3S/IMAPS and you can access your mail without the risk of an accidental peek.
Re:The lesson (Score:1, Insightful)
Re:Whose Glitch? (Score:1, Insightful)