FBI Accidentally Received Unauthorized E-Mail Access

AmishElvis writes "The New York Times reports that 'glitch' gave the F.B.I. access to the e-mail messages from an entire computer network. A hundred or more accounts may have been accessed, rather than 'the lone e-mail address' that was approved by a secret intelligence court as part of a national security investigation. The episode was disclosed as part of a new batch of internal documents that the F.B.I. turned over to the Electronic Frontier Foundation, as part of a Freedom of Information Act lawsuit the group has brought."

Headline: Sysadmin fouls up filter

[Jimithing DMB]

Seriously. What's the story here? Some sysadmin who apparently didn't know what he was doing put the wrong thing in his e-mail server configuration and inadvertently sent all e-mail for the entire domain instead of e-mail for one address.

Mistakes happen all the time. The appropriate thing to look for is whether the mistake was caught and corrected in a timely fashion. It seems that the mistake was caught and corrected in a timely fashion which basically makes this a story about an everyday occurrence.

This story might make a good one for some sysadmin journal reminding sysadmins to document policies that help ensure mistakes do not happen and if they do are caught by the company itself instead of by the FBI. For example, a simple procedure would be to check the appropriate logs after changing the configuration to make sure the configuration is doing what it was intended to do.

Whose Glitch?

[Doc Ruby]

F.B.I. officials blamed an "apparent miscommunication" with the unnamed Internet provider, which mistakenly turned over all the e-mail from a small e-mail domain for which it served as host. The records were ultimately destroyed, officials said.

Whose "glitch"? What was the "apparent miscommunication, exactly? Did the FBI tell the ISP to give them the total access that the court hadn't authorized, or did the ISP make the mistake and give them total access when asked for only limited access? Maybe the FBI is citing that totally ambiguous blame, but what is the real story?

If the ISP screwed up, then it should get sued by the extra people whose mailboxes it turned over without authorization. If the FBI "screwed up", then it's just another example of why these courts cannot be secret if the government is to do its job protecting our rights - including protecting us from the government.

Re:Headline: Sysadmin fouls up filter

[vertinox]

Mistakes happen all the time. The appropriate thing to look for is whether the mistake was caught and corrected in a timely fashion. It seems that the mistake was caught and corrected in a timely fashion which basically makes this a story about an everyday occurrence.

I think the idea is if this happens once it could happen again without too much effort. There is no real oversight on how the FBI, NSA, DHS, or any other organization acquires information nor a transparent way to gather such data.

Now, I really don't see any malicious intent on the FBI with this since of the old adage "Never attribute to malice that which can be adequately explained by stupidity." but I get the sinking feeling that they would often find themselves in situation in which they are too lazy to follow procedure and due process like maybe a warrant.

Re:Headline: Sysadmin fouls up filter

[Jimithing DMB]

Funny. Obviously it's not routine at all so the chances of making a mistake are even greater. You don't need to file it in some secret folder though. It's no secret at all that when the government produces a valid warrant you need to comply with it or be held in contempt of court. And if I were the sysadmin, I'd be looking through the e-mail myself, not just sending it to the government. If the government is that interested in it then something very wrong is most likely to be going on and I'd like to know about it if it's happening on my network.

Where I used to work we occasionally set up our own eavesdropping of mails. For example, when a top-level employee who no one trusted was about to be fired we archived all of his mail and put in some hooks so the big boss's could read all of it. Upon reading the guy's comments like "Man, I soaked these suckers for so much cash making them think I could sell their services" it only reaffirmed the big boss's decision to fire the guy for nonperformance.

Also very good just in case he tried to come back with some bogus suit about being unjustly fired. E-mail is not a private means of communication, particularly corporate e-mail.

Re:Trust the FBI?

[LilGuy]

In my previous job I accidentally granted myself access as a domain administrator, not believing it would be so incredibly easy to do. That was grounds for firing, though they hung on to me, after I showed them I could also reset the passwords for anyone in the company using their in-house password utility.

The FBI will have no fear of any such consequence. Illegally overstepping their bounds and then saying "oops" is about all you'll hear about this ordeal. I'm sure some calls for investigation will be made and someone might have a dispassionate speech on C-SPAN and then it will all be swept under the rug. It might even pave the way for the FBI to request this type of access for the future if they can "prove" that it's in the interest of "national security".

Mistakes happen but only continue to happen...

[3seas]

... when you let it continue to happen.

"But an intelligence official, who spoke on condition of anonymity because surveillance operations are classified, said: "It's inevitable that these things will happen. It's not weekly, but it's common."

This falls into the area of cheating in a manner that an excuse can be used to "get away with it". This sort of cheating had been labeled "Neo-cheating" and is a form of dishonesty that is easy to apply and safe from proof.. "Oh it was just an honest mistake." Technology should not be an escape goat for such obvious deceptions.

To give a simple example of a verification loop, when you sign up for a mailing list, messages boards, etc., in order to prevent spamming email accounts etc, there is a feedlack verification loop used. The point is, there are ways to prevent such spying "mistakes" from happening. And there should have already been such methods being applied as standard practice.

The "it's not weekly but its common" is nothing but evidence of intent to cheat and to continue it.

This "allowing deception" is similar electronic voting security failure vs. ATM financial security practices.

Computer technology is not an excuse, but a way for dishonest human intent to hide behind technology excuses.

   

Re:Unauthorized in today's world?

[fishbowl]

"There have been so many executive orders, bending of laws, etc. that just about every form of government access to information is authorized by something."

Sounds fine on Slashdot, alt.politics groups, or black helicopter chat, but in reality you can't even try to go in with that position as a prosecutor. Even a conservative judge will hand you your ass.

Re:What I want to know

[achbed]

Such a "secret court" is a good thing, because it provides the appearance of judicial review for actions that would otherwise not be subject to judicial review at all.

Fixed that for you.

Check out the denial records of that court since the 70s. That should tell you just how detailed the FISA rubber stamp looks at those warrant petitions.

Re:Unauthorized in today's world?

[Original Replica]

just about every form of government access to information is authorized by something.

I think what the GP meant was that there would be some sort of quasi-official authorization. Along the lines of making all of the evidence classified beyond the judges level to ever see the it, or some kind of DHS gag order + infinite postponement of the trial. Simply a classified letter from an FBI big telling the prosecutor or judge not to pursue the matter any further might work just fine. The is a fair amount of risk in challenging it, a risk many people would not like to take. I'm sure there are ways for the security portions of the government to be technically "cooperating" but never actually have to really answer to a judge. There are parallels to this kind of behavior where the politically powerful simply refuse to comply with the law and seem to be getting away with it. [democrats.com]

Whose e-mails?

[RealGrouchy]

whose e-mail network was it that was revealed? Was it the NYT's network, or simply another one that they are reporting on?

(TFAS is ambiguous, and TFA is behind a login screen.)

Thanks,

- RG>

Re:Trust the FBI?

[techno-vampire]

I RTFA, and found their claim reasonable under the circumstances. There didn't seem to be any reason for them to be interested in anybody's email other than that one person's, so why go to the extra effort of reading it?

Re:Whose Glitch?

[techno-vampire]

Telling the ISP also what they'd do if they were telling the truth. And, "managing the story," as you call it, is just good public relations. You seem to have decided that no matter what happens, or what is uncovered, the FBI is at fault, and interpret everything from that POV. I, OTOH, see no reason, yet, to disbelieve them, but I'll look at any new evidence with more of an open mind than you appear to have on this subject.

Re:Trust the FBI?

[number11]

The ISP screwed the pooch and sent them all email sent to that domain. The FBI noticed that they were getting way too much email, found out what had happened and corrected it.

So, the users whose mail was wrongfully given to the FBI could sue the ISP, then. Oh wait, the FBI isn't going to tell them about it. It's not going to tell anyone what the domain is, or who the ISP is, either. State secret.

I wonder how long before ...

[saltydog56]

I wonder how long before the government will require some sort of security clearance or background check on telecommunications workers and sysadmins on the basis that setting up these taps and email filters makes them privy to at least some of the details of who is being watched and why. What if any steps is the government taking to insure that the lowly sysadmin does not give the target of the investigation a heads up saying that they are being watched?

Re:Trust the FBI?

[justinlee37]

So, the users whose mail was wrongfully given to the FBI could sue the ISP, then. Oh wait, the FBI isn't going to tell them about it. It's not going to tell anyone what the domain is, or who the ISP is, either. State secret.

That might tip off the person whose e-mail they were reading.

Re:Trust the FBI?

[FrkyD]

Is it so hard to believe that there might be liberals who don't like what Bill Clinton did, don't trust what his wife would do and still manage to find most everything the Bush administration has done to be seriously screwed?

I know of at least one...

Re:FISA court: whatcouldpossiblygowrong

[Z00L00K]

Which leads to the conclusion - run your own mailserver.

A cheap Linux box running Sendmail and an installation of OpenSSL to let Sendmail be able to run SMTPS.

On top of that use a POP3/IMAP server that can do POP3S/IMAPS and you can access your mail without the risk of an accidental peek.

Re:The lesson

[Anonymous Coward]

WTF are you talking about? They requested email to be forwarded to them from one specific account, and the ISP accidentally forwarded the email to them from all accounts on the domain. This isn't like the ISP gave them access to their server room and the FBI went rummaging through other servers and accounts.

Re:Whose Glitch?

[Anonymous Coward]

You have learned a valuable lesson in debating DocRuby. He cloaks his logical fallacies by accusing you of using them.