DOJ Requests More Power To Hack Remote Computers

An anonymous reader writes "The U.S. Department of Justice says it needs greater authority to hack remote computers in the course of an investigation. The agency reasons that criminal operations involving computers are become more complicated, and argues that its own capabilities need to scale up to match them. An ACLU attorney said, 'By expanding federal law enforcement's power to secretly exploit "zero-day"' vulnerabilities in software and Internet platforms, the proposal threatens to weaken Internet security for all of us.' This is particularly relevant in the wake of Heartbleed — it's been unclear whether the U.S. government knew about it before everyone else did. This request suggests that the DOJ, at least, did not abuse it — but it sure looks like they would've wanted to. You can read their request starting on page 499 of this committee meeting schedule."

Re:

[Kohath]

Al Gore? Is that you?

Re:

[Anonymous Coward]

Gore-gasm!

ROFLMAO Sorry I simply couldn't contain myself. Ah, that didn't come out the way I expected it to sound. Damn why is explaining my reaction to your comment so hard? Egad! Cadbury!

Re:

[MaskedSlacker]

Oh good, so he'd have been the same as Obama.

Re:

[MaskedSlacker]

...and Godwinned. Thread over, time to go home.

Re:

[bigfoottoo]

"And now I'd like to entertain everybody with some fancy pageant walkin' "

Do you really want to do that?

[Opportunist]

You might not want to use something like this, at least you do not want to use it against criminals who themselves have a background in IT and especially IT security. Else you might be in for a nasty surprise, namely that they're employing a tripwire system that waits for someone trying to hack them as an early warning system.

In other words, your attempt to hack the criminals doubles as a "the feds are coming" flare.

Re:

[sFurbo]

That depends very much on what level of crime we are talking about. I would imagine that most crime is at a level where the situation you suggested is not a problem.

Also, I would imagine that a sophicsticated crime syndicate is in at least as much risk of being hacked by rivals and vigilantes as by the government, so unless you are doing it in such a way that they can figure out who you are, such a tripwire might not help much. Of course, it is perfectly plausible that the feds would not employ much sophi

Re:Do you really want to do that?

[mlts]

If a criminal runs their books offline with no net connection, using a USB flash drive for physical transportation or moving encrypted data to an online PC, tripwire may not be needed.

It wouldn't take much to scare criminals into moving their unencrypted stuff offline, then the DOJ has hosed themselves since all the juicy stuff they wanted easier access to is now inaccessible unless physical attacks are used.

Re:

[nurb432]

I would be willing to bet the high-end criminals are all ready doing this.

Re:

[Anonymous Coward]

Even the clueless criminals, once they see the Feds are wanting to hack into their systems will start getting their friends who know what they are doing and updating things.

It isn't hard to run the second set of books on an offline computer with a F/OSS operating system, an office suite that doesn't need activation, and USB flash drives for moving data. With a VM server like KVM, VirtualBox, or VMWare workstation, any programs that need Windows can run on a hacked copy.

Network-wise, there are plenty of VPN

Re:Do you really want to do that?

[sumdumass]

Even the clueless criminals, once they see the Feds are wanting to hack into their systems will start getting their friends who know what they are doing and updating things.

I don't necessarily disagree with what you are saying but you cannot really advertise a job to secure a criminal enterprise. What you are left with is either relying on only those you already know which might not be very cutting edge or seeking someone specific out and hoping they don't turn rat on you.

In the former, I will just say that I don't know how many screwed up systems and wide open home networks I have seen installed by someone's rocket scientist kid, nephew, neighbor, work IT, church buddy, or whatever that had more WTF things going on than anything correct. Even following people sporting walls full of certifications and bragging about how good they are because of them sometimes turn out to be almost worthless for even simple tasks when following them into a small business. Those are usually the most dangerous- screwed up too. I usually find them running unpatched windows 200x servers directly open to the internet and half the ports opened up because they wanted remote access or something in the network needed it. They are often sporting more infections and malware than a porn surfing teens computer- because no one ever logs onto them to see the 5 million IE pop ups and error messages until something goes horribly bad and they just reboot thinking "I fixed it again".

I'm thinking most criminals that aren't just doing it because of opportunity will already be into something like what you describe. A lot of people claim to know what they are doing but fail in spectacular ways.

Re:

[rtb61]

The tripwire in this, is the use of it itself. "Reasonable Doubt" http://en.wikipedia.org/wiki/R... [wikipedia.org] being the legal tripwire. The DOJ hacks a computer with a zero day exploit proving beyond reasonable doubt that the computer in question could be hacked and substantiating reasonable doubt about the users guilt as another criminal organisation could have been secretly using the computer to commit crimes via that same zero day exploit. Now this doesn't even touch the idea that the very first and foremost acti

Illegal

[casca69]

Bluntly, if they would prosecute me for doing it, then they better damn well have a warrant and judicial oversight.
Otherwise, it's breaking the law, and prosecution ensues.

Re:Illegal

[Anonymous Coward]

You are aware that the DoJ is a branch of government, right?
When was the last time any branch was tried for doing something illegal?

Re:Illegal

[sumdumass]

What happens and should happen are separate things.

The concept of the king can do no wrong died a long time ago, got reborn and needs to be killed once again.

Let them have it

[fustakrakich]

Since they're doing it anyway (surely you're not going to believe their denials still, are you?), let it be public and provide incentive to build more resistant electronics.

Re:Let them have it = Holder has it!

[BoRegardless]

Since our Atty General Mr. Holder, says he can choose which laws to obey, then there are no laws, no rules, except what he chooses to do.

Re:

[Jane Q. Public]

Since our Atty General Mr. Holder, says he can choose which laws to obey, then there are no laws, no rules, except what he chooses to do.

Not to mention: if we had a totally secure, encrypted, spook-proof communications network (barring wiretapping warrants, of course), where would that put us as far as "national security" goes?

Oh, yeah. Back in the 1990s. Seems to me, things were actually better then, in this respect.

Re:

[fustakrakich]

...spook-proof communications network (barring wiretapping warrants, of course)...

Wait a minute. Are you saying there should be built in backdoors to accommodate them?

And the 90s? What leads you to believe it was better then, when the democrats were pushing for clipper chips, V-chips, and other restrictions on encryption? I say we have it much better now, now that we have confirmed the government is running outlaw spy agencies, and that might provide the above mentioned incentives to actually do something

Re:

[mlts]

I'd say we have it better now, because crypto isn't "illegal" like it was when ITAR was the law of the land. However, because online connections are required, coupled with layers of complexity added to even the humble desktop, the crypto may be good, but the key is still stored under the doormat for anyone to fetch.

Re:

[sillybilly]

I try not to use crypto, but I can see a future, such as an invasion of this land, or total banning of knowledge from the hands of anyone and full intellectual property dictatorship, where you have to pay 2 cents for every word uttered etc, where it would be necessary to use encryption, together with burying your computer/disks in the backyard, and only digging it out once in a while for updates, or to get some really important knowledge off of them that you forgot, and even then encryption may not be such

Re:

[Jane Q. Public]

And the 90s? What leads you to believe it was better then, when the democrats were pushing for clipper chips, V-chips, and other restrictions on encryption?

Here's what was better: people were smart enough in the 90s to not let them do it.

Also, even the government had to get a warrant to tap a phone and call it anything remotely like "legal".

Yeah, they did pass ITAR regulation, which was really dumb, and very bad, but that only applied to exports. It didn't have anything at all to do with our internal communications. With FISA, in effect they're doing something kind of resembling ITAR on crypto but far worse, turning it on their own people.

Re:

[fustakrakich]

...people were smart enough in the 90s to not let them do it.

They weren't smart enough to vote the bums out, and now we have what we have because of it. And just because they "didn't let them do it", it doesn't mean they didn't do it anyway. The spy agencies were just as corrupt then as they are now. The only difference between then and now is that it can be done in broad daylight because... terrorism. The submissive population has been fairly constant.

Re:

[Jane Q. Public]

They weren't smart enough to vote the bums out, and now we have what we have because of it. And just because they "didn't let them do it", it doesn't mean they didn't do it anyway.

No, they didn't do it anyway. This discussion was about V-chips and Clipper Chips. The Clipper Chip, for example, was a chip that was supposed to be put in every phone in America -- by law -- supposedly to "encrypt" your conversation and make it "more secure".

Nobody who knew anything about it in those days thought it was a good idea. And they said so.

But people post 9-11 got all scared and let the government pass all kinds of shitty laws, in spite of warnings from the people who knew better. And we ar

Re:

[fustakrakich]

No, they didn't do it anyway.

Yes, they did. They just gave it a different name, and didn't discuss it publicly. The unwritten "agreement" is that strong encryption will not be available to the public. And people were no smarter then either. They still overwhelmingly voted for republicans and democrats, who were just as crooked then as now. So the trust issue is moot. The only difference is that they had to act more covertly until they got their "Pearl Harbor". I can assure you nothing has changed aside from

Re:

[fustakrakich]

We've been living with that since John Mitchell was AG, and most likely long before that even. SNAFU

Re:

[ArcadeMan]

You're absolutely right.

I'm going to replace all my 1/4 watt resistors with 1/2 watt resistors.

Re:

[ArcadeMan]

Since they're doing it anyway (surely you're not going to believe their denials still, are you?), let it be public and provide incentive to build more resistant electronics.

Resistance is futile.

Argh!

[Anonymous Coward]

I'm so tired of this BULLSHIT. We have such a corrupt, sleazy, crappy government. Department of "Justice". What a fucking joke.

Re:

[Anonymous Coward]

No, the problem is that the Patriot Act (a limited state of emergency) is still in effect. You just have to get that repealed and then lots of the overreach will stop.

Re:

[sumdumass]

You spelled that wrong. It is not "Justice", it is "Just Us". I know it is pronounced like Justice but if you look at it, it really is the "Just Us" system.

What does it mean?

[Anonymous Coward]

By now "hacking" means "any vaguely possibly bad thing with a computer in the vicinity".

So "law enforcement" wants "more power" to do ill-defined vaguely bad things. They already do that aplenty, I say.

Remove computers can be anywhere ...

[Alain Williams]

including other countries; I did not notice anything in the article restricting this to computers in the USA. Other countries might not agree with the USA DOJ allowing computers in their countries to be cracked -- thus the USA cops/investigators will be conducting criminal acts in other countries -- how does that make them different from what the USA wanted to grab Gary McKinnon [wikipedia.org] for ?

Re:

[AmiMoJo]

If the US DOJ attacked my computers I would absolutely retaliate. Hack then back, delete everything, take the whole network down and cripple them as badly as possible to neutralize that threat. Then report the incident to the police and file a civil suite for damages. Try to get them extradited to the UK to stand trial.

The US has said hacking is an act of war. A few cruise missiles aimed at DOJ headquarters seems like a reasonable, proportionate response. Maybe some drone strikes against high ranking DOJ st

Clear as day

[Charliemopps]

So let me get this strait. The DOJ's argument is: "If we leave the door locked, how are we supposed to catch burglars?"

No!

[Hamsterdan]

If you (or myself) do the same thing, it's illegal, and we're gonna be prosecuted. The law is the same for everyone (at least it should be). I'm sick & tired of that shit. Police installing cameras (without warrant) to spy on people, inside their homes, warrantless wiretapping and every other thing that is *ILLEGAL* for the common people.

If it's illegal for me to do it, it's illegal for them to do it. And yes, I hope it blows up in their faces.

Re:

[wonkey_monkey]

If it's illegal for me to do it, it's illegal for them to do it.

Yeah... no. When has it ever worked like that?

You know the NSA is one thing

[koan]

The DOJ has shown its self to be incompetent.

http://www.forbes.com/sites/ri... [forbes.com]
http://gov.louisiana.gov/index... [louisiana.gov]
https://www.techdirt.com/artic... [techdirt.com]

As long as we can sue them too...

[Hamsterdan]

So whenever I see government IPs in my router logs, I can sue, right? I mean, If they see my IP in theirs I'm breaking the law, right?

Re:

[king neckbeard]

Sue them? Of course not. We should be able to bring severe criminal charges against them. Twenty year minimum for anyone complicit in such activities. The watchers have to be kept on a very tight leash.

No prior knowledge needed

[MtHuurne]

Yesterday there was a headline saying 300,000 servers remain vulnerable to Heartbleed. So the bug is still (ab)usable even after it has been published.

Put Evidence In

[BrendaEM]

Anyone will be found guilty whenever we see fit.

Turnabout

[Geek Hillbilly]

Well,I can always set up a very nasty supervirus surprise if my machines are touched.Try to access my machines like that,I reserve the right to respond in kind.

Re:

[sumdumass]

The funny part is that they will claim you created and released the virus in order to justify their shenanigans in the first place. It's like being arrested for resisting arrest before you were ever under arrest. And yes, that has happened where people get busted for resisting arrest and there was never any underlying reason for the arrest before being arrested for resisting arrest.

Re:

[sillybilly]

That's why you never resist an arrest. Cops will often go on fishing expeditions, to see if you have anything to hide, or a reason to run and evade them. Just routine type checks. Such as going through a yellow light, that's turning red too soon. It's not really a big deal, but it's enough for the cop to stop you, and if you attempt to flee, then he will chase you down for not stopping, but if you stop, he'll let you go, over something that even he thinks is minor. Then when he chases you down and you resis

Re:

[sumdumass]

There are a few instances I know of where someone was arrested for resisting arrest before an arrest ever happened.

The one that is the most egregious is where a guy started videoing a cop who stopped someone near him. He pulled out a camera and started taking video of the entire thing. The cop let the other person go after a few minutes then came over and ordered him to give his camera to him. He replied with "why" and the cop tackled him, handcuffed him and arrested him for resisting arrest. I'm not sure i

Secure computing is still legal?

[flyingfsck]

Pretty soon, it will be illegal to run a secure operating system such as OpenBSD.

Banksters

[inode_buddha]

Maybe they should request the power to put a few bankers in jail, like they did in Enron. You know, and actually *do their job*

Follow the money ..

[lippydude]

"The U.S. Department of Justice says it needs greater authority to hack remote computers in the course of an investigation"

I would have thought it would be easier to follow the money trail ..

If we didnt know about heartbleed

[nurb432]

Then the NSA was sleeping at the wheel.

DOJ wants the right to falsify and taint evidence?

[Kirth]

"hacking computers", or "placing trojans" and other such things primarily do one thing: They make evidence useless. Because you can't prove anymore that you did not plant it, that you didn't change anything and that you did not open a backdoor for a third party.

How stupid can you get? And why haven't the forensic specialists of the DOJ told them what their request really would mean?

I've got some other great ideas in the same vein:
- Drop cleanliness regulations for DNA testing labs
- Don't require physical ev

NSA vs DOJ

[WindBourne]

I have indirectly worked on the US PAT act (back in mid-2000), and supported the work that we did. However, while I had issues (it was the neo-cons that psuhed for NSA to go un-monitored, so that they would not have to take responsibilities; spineless trash), I had no issue with it being the NSA. They have NO ENFORCEMENT capabilities. They had no branch that allowed them to enforce any laws. I am sorry, but as such, the NSA was NOT breaking the constitution since they could only pass on the information.

N