Police Linked To Hacking Campaign To Frame Indian Activists (wired.com)
Police forces around the world have increasingly used hacking tools to identify and track protesters, expose political dissidents' secrets, and turn activists' computers and phones into inescapable eavesdropping bugs. Now, new clues in a case in India connect law enforcement to a hacking campaign that used those tools to go an appalling step further: planting false incriminating files on targets' computers that the same police then used as grounds to arrest and jail them. Wired: More than a year ago, forensic analysts revealed that unidentified hackers fabricated evidence on the computers of at least two activists arrested in Pune, India, in 2018, both of whom have languished in jail and, along with 13 others, face terrorism charges. Researchers at security firm SentinelOne and nonprofits Citizen Lab and Amnesty International have since linked that evidence fabrication to a broader hacking operation that targeted hundreds of individuals over nearly a decade, using phishing emails to infect targeted computers with spyware, as well as smartphone hacking tools sold by the Israeli hacking contractor NSO Group. But only now have SentinelOne's researchers revealed ties between the hackers and a government entity: none other than the very same Indian police agency in the city of Pune that arrested multiple activists based on the fabricated evidence.
"There's a provable connection between the individuals who arrested these folks and the individuals who planted the evidence," says Juan Andres Guerrero-Saade, a security researcher at SentinelOne who, along with fellow researcher Tom Hegel, will present findings at the Black Hat security conference in August. "This is beyond ethically compromised. It is beyond callous. So we're trying to put as much data forward as we can in the hopes of helping these victims." SentinelOne's new findings that link the Pune City Police to the long-running hacking campaign, which the company has called Modified Elephant, center on two particular targets of the campaign: Rona Wilson and Varvara Rao. Both men are activists and human rights defenders who were jailed in 2018 as part of a group called the Bhima Koregaon 16, named for the village where violence between Hindus and Dalits -- the group once known as "untouchables" -- broke out earlier that year. (One of those 16 defendants, 84-year-old Jesuit priest Stan Swamy, died in jail last year after contracting Covid-19. Rao, who is 81 years old and in poor health, has been released on medical bail, which expires next month. Of the other 14, only one has been granted bail.)
bye soviet russia? (Score:3, Insightful)
in fascist india...
Re:bye soviet russia? (Score:4, Funny)
in fascist india...
The needful does YOU!
Re: (Score:2, Informative)
Never had an Indian boss, eh? Some of the first-gen Indians (Their Americanized or UKized children are much better and nicer to work with.) that came over to the west from the upper castes still have that Brahmin stick up their ass wrt/ their own supposed superiority over everyone else and the "proper" way to treat their "lessers." One aspect of that is the occasional directive to: "do the needful." What "do the needful" means is something akin to: "I am so far above you, so superior to you in every way,
Re: wtfing (Score:2)
Re: (Score:3)
Seen that kind of thing many times, but maybe not quite so stark. They grew up privileged and entitled in India, high caste. Smart people no doubt, learned English and got an expensive education. Come to the USA land-of-opportunity and the primary goal is to become a manager, in keeping with one's station in life.
From that point on there is constant resentment amongst the employees at the way this little ninny treats everyone, and he/she is hated.
Re: (Score:2)
All countries have some bad cops.
Par for the course. (Score:3, Insightful)
Sounds about right for cop behavior.
Re:Par for the course. (Score:5, Insightful)
None of whom will face jail time for the crime of fabricating evidence even if this is proven beyond reasonable doubt. Those (politicians) who set them up to do this should also be put in jail - likewise it will never happen.
Re: (Score:2, Insightful)
in fascist india, evidence fabricates crime.
Re:Par for the course. (Score:5, Insightful)
It may be the world's largest democracy, but it's highly corrupt from top to bottom and the rule of law is flimsy at best. And that was in the good days, before they got their dictator in charge. And maybe "dictator" is not an exaggeration either; party bosses in a state have immense power to rule by decree. One party boss declared that some houses belonging to a few Muslims should be torn down and the next day the police did it; no judicial oversight, no legislative actions, nor checks or balances, a crime wasn't even fabricated, just the wish of the state's party leader. Why? Because Muslims were protesting against a repulsive insult by a different BJP celebrity.
That is clearly a broken democracy.
Re: (Score:2)
Since the war on terror, government agents planting files on a computer is not a crime in many countries. Also, India has a loose tribal culture that is still corrupt, so the 'haves' will not hold themselves accountable to the people. It's another democracy where the people don't have the power to change the government.
Re: (Score:2)
Indeed. The police need to be tightly controlled and carefully monitored. The profession notoriously attracts the wrong people.
As the prophecy foretold (Score:3)
Re:As the prophecy foretold (Score:5, Insightful)
And thus all evidence gathered through hacking becomes tainted, which the prophecy foretold as well.
Fruit of the poisonous tree.
As an aside, this is why Cellebrite and other companies like it that enable hacking by law enforcement should be treated in the same way as any other group that tries to hack people's devices, i.e. their staff should go to jail, and the company's assets should be seized.
Re:As the prophecy foretold (Score:5, Insightful)
And thus all evidence gathered through hacking becomes tainted, which the prophecy foretold as well.
Fruit of the poisonous tree.
As an aside, this is why Cellebrite and other companies like it that enable hacking by law enforcement should be treated in the same way as any other group that tries to hack people's devices, i.e. their staff should go to jail, and the company's assets should be seized.
Sure. And while we're punishing all the bad guys with guns, let's take all the guns away from the good guys too.
Yes, this is exactly your logic. You literally want to make all of hacking a crime. A few million white hat hackers would have a problem with your fucking assumption of guilt, just like 100 million sane gun owners.
No, not at all. This is not white hat hacking. White hat hacking is hacking a device that you own, or with the permission of the owner, to discover vulnerabilities and report them to the manufacturer and/or owner to make everyone safer.
What these companies do is hack devices that they own to weaponize the hacks against their victims, then sell those weaponized hacking tools. The only difference between them and black-hat hackers is that they are somewhat selective about who they sell their hacks to, and at least ostensibly try to sell them only to law enforcement. But they still are selling a tool whose primary purpose is to break into something that you don't own.
This is not like guns at all. Guns have uses that do not cause harm to any other person. They can be used for hunting. They can be used as a deterrent. Hacking tools have only one purpose: to crack into someone else's cell phone to steal or plant information. They cannot be a deterrent, because their use is largely done in secret, so there's no reasonable expectation ahead of time that someone will use it on you. There are no uses that do not cause clear harm to the victim; there are no uses that aren't fundamental violations of someone's right to privacy.
Now one might argue that if they legitimately find something that prevents some future crime that is worse than the harm, then the harm to the victim is justified. And that's certainly a plausible argument, but only if that future crime could not have been prevented in some other way, which is usually not the case.
But the flip side is that they are creating tools that, in the wrong hands, can cause irreparable harm. Worse, once the tool has been created, there's really no way to keep it out of the wrong hands, and that doesn't require physical transfer, so it's less like a handgun and more like developing the first nuclear bomb. There was no way, once that knowledge came into existence, to prevent bad actors from getting their hands on it and building nuclear bombs themselves.
In a similar way, every time these companies add a new exploit to their toolkit without reporting it to the manufacturer, they're making it more likely to be discovered by malicious agents obtaining their hacking hardware through legal or extralegal means, at which point it can be immediately made available to countless others as a zero-day. This exploit discovery can happen much more quickly and easily than it would if those malicious agents had to discover the flaws in the devices themselves.
From a privacy, security, and safety perspective, these companies represent a clear net harm to society. And that's before you factor in the use of their technology by authoritarian regimes — likely to quash dissent.
Re: (Score:2)
then sell those weaponized hacking tools.
As opposed to white hat hackers that develop the same tool for legitimate use?
I would argue that there are no legitimate uses of tools designed to compromise someone else's device. At best, there are quasi-legitimate uses that are legal, but ethically dubious because of their tendency to turn into widespread fishing expeditions.
Do you even have a definition of "security research" or do you just assume "bad hacker" every time?
Legitimate security research is analyzing systems for the purposes of improving the security of those systems. Analyzing systems for the purposes of selling tools to break into those systems is NOT legitimate security research. Motive matters.
Cellebrite is not some shady illegal enterprise operating out of North Korea. It's a legal business operating in a dozen countries, including the US. If you have such a problem with them, then perhaps vote better.
I'm well aware
Re: (Score:2)
You and I clearly have a very different definition of the word "ethical". An ethical hacker analyzes the security of a system to make the system better. Someone who analyzes the security of a system to make money selling tools to break into that system is NOT an ethical hacker, whether they're selling the tool exclusively to law enforcement or more broadly.
So, the Certified Ethical Hacker well-trained and versed in both Blue Team and Red Team tactics, working for your local law enforcement to determine if the man who raped your child, can be technically associated with their crime of guilt, is NOT an ethical hacker?
Your trust in law enforcement agencies is clearly broken. Not just a little, but completely, since it's the only reason you assume every "hacker" on the planet, is a grey-hat at best. And your logic, is basically throwing the baby out with the ba
Re: (Score:2)
So, the Certified Ethical Hacker well-trained and versed in both Blue Team and Red Team tactics, working for your local law enforcement to determine if the man who raped your child, can be technically associated with their crime of guilt, is NOT an ethical hacker?
Nope. He should also lose that certification. Ethical hacking means hacking only with explicit permission from the owner of the system to be hacked, no exceptions.
What you argue for is basically that the police be allowed to secretly search homes. That will not and cannot go well.
That you put in "who raped your child" already clearly shows you are arguing in bad faith by trying an appeal to emotion and not to reason.
Re: (Score:2)
What you argue for is basically that the police be allowed to secretly search homes. That will not and cannot go well.
Wrong. I'm arguing for the concept of an Ethical Hacker to be free to seek employment and exist where ethics have also been defined in a legal framework. You are essentially claiming that no hacker could ever work for a law enforcement agency performing a legal search as authorized via warrant, because it might be clandestine.
Warrants in the physical world are usually performed suddenly to avoid destruction of evidence. Yes, some clandestine when necessary, which requires you (in America) to vote better
Re:As the prophecy foretold (Score:4, Insightful)
You and I clearly have a very different definition of the word "ethical". An ethical hacker analyzes the security of a system to make the system better. Someone who analyzes the security of a system to make money selling tools to break into that system is NOT an ethical hacker, whether they're selling the tool exclusively to law enforcement or more broadly.
So, the Certified Ethical Hacker well-trained and versed in both Blue Team and Red Team tactics, working for your local law enforcement to determine if the man who raped your child, can be technically associated with their crime of guilt, is NOT an ethical hacker?
Wow. That's the most ridiculous argument I've ever heard. Child rape almost invariably involves someone the child knows and can identify. When it doesn't, they pretty much never find the kid, and there's almost zero chance that they're going to get evidence and find out who did it by hacking some random person's phone, realistically.
Moreover, in any even remotely civilized country, that sort of search requires a warrant, which means they already have probable cause to suspect a particular person, and that person's phone is unlikely to be the only evidence. And because the parents own their child's device and have the right to compel access to it, no hacking should be needed on that side, assuming the device can even be located (and remember that finding the phone likely means that they have already found who took the kid, so hacking the kid's device almost certainly isn't necessary anyway).
So basically the odds of hacking a phone helping you find the person who raped a child are about as good as the chances of winning the lottery. And that's exactly the sort of fishing expedition that is such a heinous violation of civil rights, and should not be tolerated in any civilized country. You should be ashamed of yourself for even suggesting it.
Yes, my trust in law enforcement agencies is pretty close to zero, frankly. I've seen far too many people released after decades because evidence that exonerated them was deliberately suppressed by law enforcement to get a conviction. I've seen far too many abusive law enforcement officers go to jail after getting caught using police resources like cell phone hacking tools to stalk their ex-girlfriends. I've seen far too many innocent victims killed by no-knock warrants gone wrong. Want to prove me wrong? Fix that shit. Let's go a hundred years without any of those sorts of abuses happening, and then maybe we'll trust law enforcement again. But as long as there's a new story about flat-out murder of innocent victims by law enforcement operating under color of law every few weeks, no sane person should think to themselves, "let's give them even more power to spy on us."
You're right of course. But you're missing two very important factors. First, if even the best of agencies has access to the tools, it's only a matter of time before someone in those agencies abuses them, because no agency is without bad people in it. And second, it doesn't matter if good agencies are using the tool only for good if a lot of bad agencies are also using them for monstrous evil, or if people in those agencies are loaning out the devices to people who analyze how they work and selling the information to the highest bidder. Just as with crypto backdoors, the only way to guarantee that these tools are not abused is for the tools to not
Re: (Score:2)
Your trust in law enforcement agencies is clearly broken. Not just a little, but completely, since it's the only reason you assume every "hacker" on the planet, is a grey-hat at best.
Yes, my trust in law enforcement agencies is pretty close to zero, frankly. I've seen far too many people released after decades because evidence that exonerated them was deliberately suppressed by law enforcement to get a conviction. I've seen far too many abusive law enforcement officers go to jail after getting caught using police resources like cell phone hacking tools to stalk their ex-girlfriends. I've seen far too many innocent victims killed by no-knock warrants gone wrong. Want to prove me wrong? Fix that shit.
Humans gonna human. More on that later. I stated earlier how to fix this shit. Vote Better. At least you were honest about law enforcement trust. Thank you. Explains a lot on your stance here. Still doesn't automatically mean every trained Hacker working in government or law enforcement, is "sus" at best.
I believe that these tools in the hands of authoritarian regimes do far more harm than any good that local police departments can possibly do with them. And they definitely are or at least were ending up in the hands of authoritarian regimes.
The threat before, was that these tools will "eventually get out" or someone will "eventually go bad". Now the threat, is an "authoritarian regime". The latter, requires citizens to vote better.
Re: (Score:2)
Your trust in law enforcement agencies is clearly broken. Not just a little, but completely, since it's the only reason you assume every "hacker" on the planet, is a grey-hat at best.
Yes, my trust in law enforcement agencies is pretty close to zero, frankly. I've seen far too many people released after decades because evidence that exonerated them was deliberately suppressed by law enforcement to get a conviction. I've seen far too many abusive law enforcement officers go to jail after getting caught using police resources like cell phone hacking tools to stalk their ex-girlfriends. I've seen far too many innocent victims killed by no-knock warrants gone wrong. Want to prove me wrong? Fix that shit.
Humans gonna human. More on that later. I stated earlier how to fix this shit. Vote Better. At least you were honest about law enforcement trust. Thank you. Explains a lot on your stance here. Still doesn't automatically mean every trained Hacker working in government or law enforcement, is "sus" at best.
To be fair, I was talking about companies that build hacking tools and sell them to law enforcement, not "every hacker in government or law enforcement". I have a lot more respect for the folks who work for the NSA than for companies like this. At least the NSA's effort isn't aiding repressive governments.
I believe that these tools in the hands of authoritarian regimes do far more harm than any good that local police departments can possibly do with them. And they definitely are or at least were ending up in the hands of authoritarian regimes.
The threat before, was that these tools will "eventually get out" or someone will "eventually go bad". Now the threat, is an "authoritarian regime". The latter, requires citizens to vote better.
How can my voting in the U.S. prevent largely non-U.S. companies from selling their tools to non-free countries? I'm not talking about the U.S. when I say "authoritarian regime" here. I'm talking about
Re: (Score:2)
So, the Certified Ethical Hacker well-trained and versed in both Blue Team and Red Team tactics, working for your local law enforcement to determine if the man who raped your child, can be technically associated with their crime of guilt, is NOT an ethical hacker?
The problem is that these companies don't only work for local law enforcement but basically for anyone who can cough up the dough.
It is, for instance, known that NSO Group sold their software to tyrant governments and shady individuals and that the software is actively used for purely politically motivated operations. NSO are a bunch of egoistical assholes that don't give a shit about your raped children.
For every raped child you bring up there are hundreds, maybe thousands of innocent citizens locked up, depor
Re: (Score:2)
Re: (Score:2)
hacking by law enforcement should be treated in the same way as any other group that tries to hack people's devices, i.e. their staff should go to jail, and the company's assets should be seized.
I am all for that. Sure, you can search a computer _openly_ and with an order signed from a judge, but that is it. Yes, that puts some limits on what law enforcement can do, but not having these limits directly leads to a police state and that is far, far worse.
Re: (Score:3, Insightful)
You are making an assumption about Indian law based upon Western legal traditions. Tainted evidence may not be avoided to the degree that it is here. We hold Blackstone's Ratio in high regard. But to the Indians, that originated with a colonizing culture that they may very well reject. And following their independence, they allied rather comfortably with socialist regimes.
Re: (Score:2)
Re: (Score:2)
India is very conservative.
Re: (Score:2)
So you can't use the "evidence" in court.
Only problem is getting to court to prove that. Last I heard in India, it's not unusual for cases to take years before they get before a judge.
I think there were even instances where the person has been waiting in jail longer than the max sentence for whatever crime would have given them.
NSO (Score:1)
Get fucked, Shalev Hulio.
I truly wonder (Score:5, Insightful)
Re: (Score:2)
FBI = US GESTAPO.
Re: (Score:2)
How many times this has happened in the U.S. ...
Rule of thumb: Some (many) of them are ALWAYS doing it.
It only seems like "they used to do it back in the bad old days, but they're clean(er) now" because it's done in secret, so it takes a while - like decades - for news of each new operation to leak out into public consciousness - during which time the operation grows, spreads, and becomes more effective and broadly applied.
The institution is an economy with negative values prominent in the reward structure,
Re: (Score:3)
It's simple enough to do that the average cop could easily plant evidence on a computer. The "experts" employed to do a forensic analysis are not going to be questioning what they find too closely, and in the UK there is very little chance of getting your own expert to examine the data independently.
It's not just computer data either, it affects all evidence gathered by the police. People have spent years in jail because a police fingerprint "expert" claimed that there was a match, only for them to be relea
The US does not plant computer evidence (Score:2)
Watergate et al. were spying issues. Quite different from actively planting terrorist data on people that irritate them.
US cops never do that. They plant drugs instead. Much easier and less likely to be found out. Or possibly child porn. Not terror.
Jim Crow overfed with curry and rice (Score:1)
They tried something similar (Score:5, Informative)
Re: (Score:2)
And yeah, defund the police was a dumb slogan. We have a right wing bias in media, so they picked up the worst slogan they could find and ran with it to make the protestors look bad. You fell for it. They made a fool out of you. Are you angry? You should be. They played you like a fiddle. Don't get mad, get even. Stop listening to pro-corporate, right wing media like Fox News, CNN and MSNBC (yes even them). Search for alternative, pro-working American, pro-Union media. Start with B
Police have been planting evidence forever ... (Score:3)
What is different with computers and hacking is, there is now evidence of planting the evidence! When a cop puts a bag of crack in your car, there is no easy way to prove it was planted. But, in the case of computers the police can, and do, get caught red-handed!
Re: (Score:2)
If you get a chance, there was an amazing mini-series on HBO recently called "We Own This City" from David Simon (the same guy who did The Wire, so you know it's gonna be good). This time however, unlike The Wire, it's a true story about the Gun Trace Task Force that basically turned Baltimore's lower class into a cash piñata, framing people, extorting people, stealing unbelievable amounts of money from both criminals and regular civilians, and just being the most corrupt motherfuckers imaginable, until their o
Because it's a career / life limiting move. (Score:2)
I'm sure there's plenty of good cops, but you still have to ask if all these good cops are really good cops, why don't they arrest their crooked colleagues?
Because making law-enforcement moves against another cop causes all the other cops to stop trusting the cop who does it - which leads to all sorts of career-limiting, and even life-risking, side effects. So they generally look the other way.
The US constitutional approach to answering the "who will watch the watchmen?" question is to let the accused go free
Re: (Score:2)
You may be interested in this ProPublica story [propublica.org] on how one of the actors in that show was shot (but survived) by a friend in front of another friend's house and it was a near thing that they were able to convict the assailant because nobody in Baltimore trusts the cops.
fight the future (Score:4, Insightful)
Unfortunately a bodycam will not catch police doing shit like this.
It is _extremely_ worrying. This is a great way to target purely political opponents and convict them of "real" crimes.
At the start of authoritarianism it might be a little troublesome to convict people of not showing enough love to the dear leader, but easy to convict them of having kiddy porn both in law court and the court of public opinion.
Be afraid, be very afraid.
EZ Dictator 101 (Score:3)
The modern panopticon is a dictator's sweetest dream.
Previously, you used police powers to invade the house, body, papers of political opponents to hurt them. This was the driving force behind the creation of things like the 4th and 5th Amendments. To stop Tyrant Kings from using government's power of investigation against political opponents.
But now that everything is online, you are your online presence, and it's trivial to scour all your papers.
And if that isn't enough, fuck with them.
Many a virtual marijuana baggie, easy to toss down on a virtual floor.
Re: (Score:2)
Previously, you used police powers to invade the house, body, papers of political opponents to hurt them. This was the driving force behind the creation of things like the 4th and 5th Amendments.
Also the 3rd amendment. The troops that the Brits made their occupied people house and feed weren't just an annoying expense. They also doubled as spies - listening in on conversations, reading papers when nobody was looking, reporting to their officers on anything they found.
Modern spyware, keyloggers, and the li
Doublespeak, nice! (Score:2)
It is not Hindus vs Dalits. It is Government vs Dalit Activists both of whom contain Hindus and Christians.
It'll get worse (Score:2)
Mark Twain (Score:2)
"Politicians and diapers must be changed often, and for the same reason"--Mark Twain (b. 1835)