FBI, partners dismantle Qakbot infrastructure (fbi.gov)
229 points by mvdwoord on Aug 29, 2023 | 171 comments



This is huge. Yesterday The Register published an article [1] mentioning that Qakbot was responsible for 30% of recorded intrusion attempts since the start of 2023.

[1]: https://www.theregister.com/2023/08/28/top_malware_loaders/


"To disrupt the botnet, the FBI redirected Qakbot traffic to Bureau-controlled servers that instructed infected computers to download an uninstaller file. This uninstaller—created to remove the Qakbot malware—untethered infected computers from the botnet and prevented the installation of any additional malware. "

That's pretty sweet that they healed hundreds of thousands of computers


Having been around during the 90s Cryptowars (and related culture and counterculture) I do wonder if in a few years we’ll hear that NSA piggybacked some “fun” toys on this uninstaller.


Considering the (il)legality of what they did just by running the uninstaller without authority, and the obvious implications and attention this would have, I highly doubt they did any such thing in this particular instance.


They did something highly illegal so you highly doubt they did one extra illegal thing at the same time?


I worked in federal law enforcement on these same kinds of cases. The approvals needed to authorize a plan like this are very heavily scrutinized. Any aside added in to leave a lasting effect directed toward monitored lawful activity would have blown this all up immediately.


The track record that U.S. government agencies have says otherwise. Was there any accountability at all for the Snowden revelations? I mean, aside from Snowden himself, anyway.


lol, seen the Edward Snowden documentary?


"The FBI Supernode Module and the Qakbot Uninstaller DO NOT remediate malware that was already installed on the infected computer through Qakbot, such as ransomware or other malware that steals financial credentials. However, the Qakbot Uninstaller is designed to prevent additional malware from being installed on the infected computer through the Qakbot botnet by untethering the victim computer from the botnet. "

-https://www.justice.gov/d9/2023-08/23mj4244_application_reda...


> That's pretty sweet that they healed hundreds of thousands of computers

The cynical part of me says that (1) they just installed an NSA backdoor in hundreds of thousands of computers; (2) the FBI probably didn't even realize it; (3) it'll all come to light some years from now when the NSA tooling is leaked by a careless contractor and used by various worse actors; (4) but the "leak" was NSA's plan all along to spy on said various worse actors.

The meta-cynical part of me says all that is way too convoluted and I should take off the tin-foil fedora and tip it to m'lady.


Pretty interesting. I bet there were a LOT of lawyer conversations about that.



This was really interesting to read, thank you for the links.


I'm getting 403'd on these links


Links work


FBI's been doing this for a while now. So far no one has taken them to court. I do wonder how that would end.


Given the infected folks in question likely had their machines involved in illegal activity, I'm not sure I'd want to test it. If someone starts running a meth lab out of your unlocked cellar, at what point do you become culpable for not knowing?

And are you really going to try to sue the police for shutting down the lab and locking the door on their way out?


> And are you really going to try to sue the police for shutting down the lab and locking the door on their way out?

If the police enter your property without a warrant then sure. The potential presence of illegal activity does not grant the police special powers to skirt judicial process (unless there’s imminent danger to someone’s life or something, obviously). If the police unduly lock you out of your own property on the way out then doubly sure.

Obviously most people will be relieved that their machine no longer has malware on it (save willing participants, which is a different question altogether…). What would piss me off is not being notified, and not being given the chance to remediate myself (what if the police damage other pieces of property on the way and I could avoid the damage if I’m simply made aware), etc.

So let’s go back to the meth lab example: do you think it’s okay for the police to show up on your property unannounced in the middle of the night while you’re sleeping to silently shut down the meth lab without notifying you that they’re trespassing and then slap a lock on your basement door behind which you store your emergency cash, medical supplies, prescription drug refills, personal protection equipment, defensive firearms, etc. without leaving the keys or so much as a word?

Edit (two more things):

1. It’s possible someone might have been running a copy of the botnet for research purposes, so presumably this copy is not engaged in illicit activity and only installed on lab hardware. I wonder if the FBI’s program considered this scenario. Maybe they only targeted IPs involved in actual DDoS attacks? That’d be cool.

2. You can question something without implying it’s wrong. One can both believe the FBI is acting in a responsible and just way while also being curious how this would play out in court. The fervor in your responses seems slightly out of place considering the comment you’re responding to is simply raising a question.


Oh hey, look at that, the FBI did get a warrant authorizing this action, and signed off by a United States Magistrate Judge: https://www.justice.gov/d9/2023-08/23mj4244_application_reda...

Now, are judges sometimes too easy with warrants? Certainly. But this is definitely not the same as entering your house without a warrant, because the FBI did get a warrant. The warrant involves them promising to a judge under penalty of perjury that the Qakbot Uninstaller they are using makes no further changes and collects no additional data on any of the victim computers they are running on.

So, the FBI is aware of your concerns and is taking steps to alleviate them. Does that make you feel better?


> Oh hey, look at that (…) Does that make you feel better?

What? Why such snide?

I am aware of what happened in this case. I was responding rhetorically to GGP since they were presenting an abstract scenario where the police show up and shut down the meth lab in your basement and then lock you out of your property on the way out… My goal was to highlight the cases where it is and isn’t okay for the police to do whatever they want. It’s not clear if GGP is aware that there are in fact restrictions on what the police can do on your private property in the US. And that even with a warrant there are limits on how the warrant is conducted.


Police can legally enter private property unannounced and shut down a meth lab if it presents an imminent safety hazard. This isn't trespassing. They will not be liable for any loss you suffer as a result as long as their actions are judged to be "reasonable". There is an extensive body of case law on this (at least regarding physical places, not computers).


> If the police enter your property without a warrant then sure. The potential presence of illegal activity does not grant the police special powers to skirt judicial process (unless there’s imminent danger to someone’s life or something, obviously).

So like a computer system actively participating in ID theft and DDoS attacks?

> If the police unduly lock you out of your own property on the way out then doubly sure.

But patching a system doesn't lock the owner out...

> What would piss me off is not being notified, and not being given the chance to remediate myself (what if the police damage other pieces of property on the way and I could avoid the damage if I’m simply made aware), etc.

So you're volunteering your tax dollars for the FBI to track down hundreds of thousands of people across the globe to let them know their systems were patched? I'm not. If this upsets you: don't put unpatched systems on the internet?

> So let’s go back to the meth lab example: do you think it’s okay for the police to show up on your property unannounced in the middle of the night while you’re sleeping to silently shut down the meth lab without notifying you that they’re trespassing and then slap a lock on your basement door behind which you store your emergency cash, medical supplies, prescription drug refills, personal protection equipment, defensive firearms, etc. without leaving the keys or so much as a word?

You're taking the analogy to a place you know doesn't exist. The police don't have a way to notify everyone that's infected, expecting them to do so before shutting down a major botnet is just silly and arguing for the sake of arguing.

Nobody said they were adding a lock, I said they were locking the door on their way out: the lock is already there, you already have the key. When they patched these systems it didn't somehow make the owner unable to login.


> You're taking the analogy to a place you know doesn't exist. The police don't have a way to notify everyone that's infected, expecting them to do so before shutting down a major botnet is just silly and arguing for the sake of arguing.

I don’t think I am. If the FBI can remotely execute code on my machine then they could certainly drop a notification with a link to a page explaining the situation and how to remediate. Or they could use any number of emergency alert systems to make people aware of a potentially harmful botnet. Or they could email the owner of the machine instead of running their own malware.

Anyway as I’ve stated I don’t really disagree with the outcome here. I just don’t think your “let the police do whatever they want to people’s property it’s for the greater good” mentality is healthy, especially not in the US where we very carefully limit the power we grant over violence because we recognize property and privacy rights.

I’m not arguing for the sake of arguing. I think it’s fair to ask: “could this have been conducted in a manner where people were aware and could have provided consent or intervened if necessary and still achieved a similar result”?

(Misunderstood you about the lock part, thought you were saying they were locking the premises because it was a crime scene or something and not notifying you.)


> I don’t think I am. If the FBI can remotely execute code on my machine then they could certainly drop a notification with a link to a page explaining the situation and how to remediate.

You're making a ton of leaps of faith that a user is going to both read and follow the instructions.

> Or they could use any number of emergency alert systems to make people aware of a potentially harmful botnet.

So... you want the FBI to reach out to all of the world's governments and have them issue an "emergency alert" to get people to patch their computers? And you think that's a reasonable stance to take?

> Or they could email the owner of the machine instead of running their own malware.

And they're getting these email addresses how?

> I just don’t think your “let the police do whatever they want to people’s property it’s for the greater good” mentality is healthy, especially not in the US where we very carefully limit the power we grant over violence because we recognize property and privacy rights.

And I think you're arguing for the sake of arguing. Literally nobody said "let the police do whatever they want with people's property". The machines in question were ACTIVELY PARTICIPATING IN ILLEGAL ACTIVITIES. This isn't some philosophical debate.


I’m literally telling you I’m arguing in good faith because this intrigues me. Some day you’ll cool off and have a more level head about you. Then we can continue the conversation.


> If the police enter your property without a warrant then sure. The potential presence of illegal activity does not grant the police special powers to skirt judicial process (unless there’s imminent danger to someone’s life or something, obviously).

I guess you've never heard of "probable cause."


I have, in fact. Probable cause is what police need to have in order for a judge to issue a warrant.


> If someone starts running a meth lab out of your unlocked cellar, at what point do you become culpable for not knowing?

The problem with analogies is that they assume they are correctly "analogous", but 9/10 times they really describe an entirely different situation, making them unhelpful if not misleading.


The problem with analogies is that people who disagree tend to just say "X is not Y" instead of "X is different from Y in this context due to Z". I'm not sure whether that is just a social behavior or if saying the second thing is especially hard.


A duck is not a horse due to... it not being a horse. You can macroexpand Z to "not having four legs", etc., but incomparable things will end up being different just based on their very essence.


"Why can't I pull a small wagon with a team of ducks? I can pull a large wagon with a team of horses."

Useful answers: Ducks are not as intelligent as horses and aren't as easy to train. There is not a good way to strap a harness onto a duck for this task. Ducks waddle and this introduces turbulence. Ducks have substantially less pulling power. etc.

Useless answer: A duck is not a horse because a duck is different from a horse.

The person making the analogy knows that it is an analogy; it is not the source of confusion.


It's not especially hard -- the burden of proof just isn't on the listener. Saying "X is not Y" is just saying "I'm not convinced, you must do better with your analogies". With enough context, one can infer as much

Letting someone run a meth lab in your cellar is pretty obviously not the same as "letting" some malware run on your box, for crying out loud


You're saying that it would be easy to address the point directly, but you won't because it is not your responsibility to do so? I'm not in love with that line of reasoning, but, taking it as fact, surely the analogy is not unhelpful (it successfully conveyed to you why the other person's mental model is wrong) and instead your response is (you do not feel obliged to pass that information along).

"I'm not convinced, you must do better with your analogies" is exceedingly unhelpful if you actually know what the issue is. What do you imagine is the correct response to that? Are they supposed to keep guessing at analogies while you say "Nope!" until they read your mind? Just because the important differences are obvious to you doesn't mean that they're obvious to them (and the fact that they used the analogy suggests very strongly that they are not).

"Obviously not the same thing" is generally applicable to all analogies, valid or otherwise.


Choosing not to say what's wrong with the analogy is veiled criticism that the analogy is worse than just "not applicable" -- it's shit.

It expresses repulsion in addition to expressing rejection.

And, yes, they'll have to guess what's wrong... But the argument my veiled criticism is making is that their analogy is so objectively bad that it won't take them more than half a second to figure out what's wrong with it. I refuse to waste my time explaining because I value my time more than that (even if, perhaps ironically, I don't mind explaining to you why I chose not to explain myself to them)


It sounds like we're in agreement about the facts here (though I am not convinced this is a good thing to do).

For the record, it has been a day and I have not figured out what you believe is wrong with the analogy. Everyone else in the thread seems to be going along with it, except for one person who correctly points out that the 'lock the doors' aspect is irrelevant. I'm not really invested in the answer (my aim was just to defend the usefulness of analogies), but that feels like a data point I should pass along.


Making sure someone is not using your cellar to cook meth requires nothing other than working eyes or a sense of smell one can reasonably expect the average person to have

Making sure you do not have malware on your computer requires specific knowledge that the average person likely doesn't have. Sure, you can take precautions, use antivirus, etc., but those are not foolproof and often involve specific tradeoffs like wasting CPU cycles, unlike the meth lab in cellar scenario. They also require knowing you should take precautions to not be infected to begin with, which is rarely the case.

The wine cellar exists in the physical world for which we evolved to inhabit. Malware does not.


This does require that the resident of the house is aware that they, in this example, have a cellar to check. Of course, if you aren't aware you have a cellar, you won't have stored anything personal or of import in it that could get damaged either.

I can personally attest that having a working sense of smell is not a reliable method for knowing what something novel-to-you is and it can be easy to misattribute. Decomposition of flesh has a very unique smell in my experience, but it was only through that experience that I now know that that smell is flesh decomposition (and not related to nearby farmland work).

It is pretty amazing (and horrifying) to me that there are also some people who discover that someone else has been secretly living in their home with them. I can only imagine how intrusive that would be and the paranoia that would set in after such a discovery, even if they moved to a new house. I wonder if this has become even less prevalent given the use of internal cameras?

I think this actually rather reinforces your point, even if it contradicts the assertion in the leading sentence. How much can you expect people to know their computer has been co-opted, which might be an almost completely alien environment to them, if it is possible to co-opt someone's home (an environment they are intimately familiar with)?

[As an aside, this is my first post here on HN. If anything I have written above is not in line with the desired tone/content of comments, could someone spare the time to point it out and explain what and how it could be improved, so I can adjust? Thank you!]


Thanks. All fair points and a great comment very much in line with the HN guidelines as far as I'm concerned (not that I'm a moderator!): https://news.ycombinator.com/newsguidelines.html

Your comment was marked "dead", so I went ahead and vouched for it + upvoted, which I think now has marked it with the proper respect it deserves. You can vouch for comments after you reach a certain karma level (there are various unlocks for various levels of karma, but nothing that changes your experience here, really).

Welcome to HN!


> "Obviously not the same thing" is generally applicable to all analogies, valid or otherwise.

This feels like nitpicking / grasping at straws / being needlessly obtuse but I'll follow the guidelines and quote-unquote "Assume Good Faith" -- fine, rephrase my comment as "obviously not analogous" rather than "obviously not the same as"


There's plenty of room for security researchers running infected machines to monitor for behavioral and developmental changes in the malware to be more than a little irritated by the notion that the FBI or anyone else abused the malware servers to remove the infection surreptitiously.


Probably at the moment you try to sue them for taking away your volunteer meth lab.


> If someone starts running a meth lab out of your unlocked cellar, at what point do you become culpable for not knowing?

Are you implying that the property owner is liable because they neglected to lock the cellar, or because they weren't aware a crime was taking place there?

If the former, isn't that as clear an example of victim blaming as telling people to carry firearms/protection if they don't want to be sexually assaulted?

In a civil society, it is not the responsibility or duty of the victim to set up security measures to prevent themselves from being victimized. It is the responsibility and duty of the culprit to not commit those unlawful crimes in the first place.

Bringing the analogy back to security - who is guilty of a crime when a ransomware attack happens, the victim, or the criminal (who obtained unauthorized access, and used that access to perform extortion)?


> or because they weren't aware a crime was taking place there?

If someone is running a meth lab out of your cellar for a year, and you don't notice the smell, the power bill, the people coming and going, at what point are you no longer able to claim ignorance? If your answer is: you can claim ignorance indefinitely, what is preventing someone from just letting a meth lab be run from their basement and taking cash on the side? If the police can't find the cash, you're just not guilty?

> It is not the responsibility of the victim to set up security measures to prevent themselves from being victimized.

It is ABSOLUTELY the responsibility of the "victim" to not create an environment that FACILITATES crime. If you leave a gun unsupervised and unlocked on your front step, and a neighbor kid "steals" the gun off your front steps and proceeds to shoot and kill their friend, you are going to jail despite you being the "victim" of theft. Your internet connection in this instance is the loaded gun when your systems are being used in DDoS attacks.


> and taking cash on the side

With this statement you’re arguing past the person you’re responding to. If you are taking cash on the side to feign ignorance when the DEA comes squawking about the meth lab in your basement then you are clearly in the know.

Nobody is talking about negligence here. Your rebuttal is essentially “well victims can be blamed if they’re being negligent”. Yeah, sure, by definition they’re not just a victim, they’re a negligent individual. (I mean I’d even argue they can be blamed for less—I’m not one of those 100% the victim is always innocent types, but that’s a different topic.)

The original question is if you are honestly unaware (and not negligent) that your property is being used to commit a crime, are you culpable for the crime? The answer is a resounding “no”.

If someone hacks your PC and installs botnet software, and it evades your OS antivirus heuristics and protections because it’s a sophisticated rootkit, then no, you’re not culpable.


> With this statement you’re arguing past the person you’re responding to. If you are taking cash on the side to feign ignorance when the DEA comes squawking about the meth lab in your basement then you are clearly in the know.

Ironic that you're doing what you accused me of. I didn't say the person was taking cash, I asked WHEN op would consider the person to be culpable. You literally took an entire discussion and clipped four words then made up a bunch of stuff I didn't actually say or even imply.

> The original question is if you are honestly unaware (and not negligent) that your property is being used to commit a crime, are you culpable for the crime? The answer is a resounding “no”.

That was NOT the original question. The original question was whether or not someone could sue the police for removing malware and patching their system. My example was the cops shutting down a meth lab and locking the door.

Be my guest attempting to sue, and be prepared to have to defend yourself in a court of law that you were truly unaware. That's going to be a VERY expensive proposition - so who in their right mind would even start down that path?


Yes, and there’s plenty of case law to support that -

In fact, one of the most popular TV shows of all time had its finale specifically addressing the fact that a law needed to be made to discourage “bystanders” from actively ignoring crime.


Which show was this?


Probably Seinfeld.


Seinfeld.


Landlords can indeed be liable in many ways for some kinds of illegal activity that take place on their property (especially if it involves drugs). There are a variety of local and federal laws that enable this.


I wonder if the FBI could legally brick the machines involved (particularly if some were devices that had never been patched).


My question: how does a US warrant apply to computers outside US jurisdiction?


The first sentence of the article describes it as a "multinational operation" and the title credits both FBI and "partners". That makes it pretty clear it wasn't just a US agency operating with the authority of a US warrant.


They didn't access any random computers outside of their jurisdiction, only Qakbot servers.


I must have missed it, but does the article mention that those servers were all located inside the US? (where I suppose the FBI has jurisdiction for stuff like this).


> As part of the operation, the FBI gained lawful access to Qakbot’s infrastructure and identified over 700,000 infected computers worldwide—including more than 200,000 in the U.S.

"Lawful access" is doing a lot of heavy lifting, but at least they specified it.


It's the government, since when are they concerned about legality


More often than you’d think.


Using malware to combat malware.

Hopefully they aren't lying.


> Using malware to combat malware.

Though it’s only legal when they do it. Pretty sure it’d still be a crime if a good Samaritan tried it out.


Why are you making it sound like that's some profound revelation? Law enforcement is allowed to run stings, serve warrants and make arrests, you aren't. The military is allowed to invade countries and drop nukes, you aren't. Yes it is legal when they do it and not some average Joe who wants to play hero. That's how the world works, and it is a good thing.


> Why are you making it sound like that's some profound revelation?

I've never claimed any of my musings are profound revelations. That's an exercise left to the reader.

> Law enforcement is allowed to run stings, serve warrants and make arrests, you aren't.

Specifics matter. "The Government" is not some monolithic entity. Even "law enforcement" could be local, State level, FBI, CIA, or some other part of the executive branch. Each has its own restrictions on when and how it can operate.

> The military is allowed to invade countries and drop nukes, you aren't.

The military is expressly disallowed from interfering in civilian affairs: https://en.wikipedia.org/wiki/Posse_Comitatus_Act

> Yes it is legal when they do it and not some average Joe who wants to play hero.

It's an untested open question whether it's legal for them to do it to US civilians or infrastructure that they know is owned by US civilians.

It might be the right thing to do. The world might be better for it. It might even be decided one day that they do in fact have that power (there's a pretty clear argument that stopping a botnet qualifies as "Hot pursuit": https://en.wikipedia.org/wiki/Hot_pursuit).

> That's how the world works, and it is a good thing.

There's plenty of "ends justify the means" situations involving the government that are not good things applied more generally. Hence, specifics matter.


I appreciate the point-by-point breakdown, but

> The military is allowed to invade countries and drop nukes, you aren't.

> The military is expressly disallowed from interfering in civilian affairs: https://en.wikipedia.org/wiki/Posse_Comitatus_Act

is vice versa.


I don't believe there's any laws that forbid individuals from invading countries and using nuclear weapons.


18 U.S.C. 960

> Whoever, within the United States, knowingly begins or sets on foot or provides or prepares a means for or furnishes the money for, or takes part in, any military or naval expedition or enterprise to be carried on from thence against the territory or dominion of any foreign prince or state, or of any colony, district, or people with whom the United States is at peace, shall be fined under this title or imprisoned not more than three years, or both.


The U.S. hasn't declared war since WWII, so it looks like the entirety of the U.S. military is in violation of this. It's looking more and more like what actually gets prosecuted is a political decision.


Yes, this is true, but in a far more boring way than you imagine. Prosecutors have huge latitude on what to prosecute, and the police on what to direct investigatory resources to. At every point, the unconscious and sometimes conscious politics of the people making those decisions are in play. That’s what makes reforming the system so hard.


So what you're saying is that it's legal for an American to nuke a country as long as the US is already at war with that country.


Ha! No, 42 U.S.C. 2122.


Am I reading this wrong or are foreign heads of state that produce nuclear weapons technically committing a crime which the US considers itself to have jurisdiction over? If so why aren't they arrested when they travel to the US?


Nanny state.


Thanks for ruining my weekend plans!


The crazy part is how old those codes are. Someone saw shenanigans from a long time off.


Where would this leave Elon Musk and his possible servicing of Putin? He's got money so I know he'll be fine, but still kind of shocked such a high-profile government contractor can get away with this kind of thing with no collateral damage to their business or personal effects.


Yeah, it's part of the social contract? This is a good thing. It's the same reason I can't just grab a gun and start arresting people as a "good Samaritan".


I mean, citizens arrest is a thing in many countries.[0] Immunity varies, laws vary, but it's definitely a thing...

[0]: https://en.wikipedia.org/wiki/Citizen%27s_arrest


Antiviruses act like malware anyways.


One of my favorite tricks in dealing with botnets: if you can access the control plane, you can convince the network to do most anything... Including self-terminate.


Until bot operators learn to encrypt the control plane network.


This was the case here as well.


Imagine if a race condition in someone’s backend was fixed by being slowed down just a little bit by this malware, and then the malware issue was surreptitiously fixed by the FBI and it broke again.

https://xkcd.com/1172/


Am I missing something or wouldn't the author(s) of Qakbot be able to avoid this attack by cryptographically signing commands and having clients check them?


From https://www.secureworks.com/blog/law-enforcement-takes-down-...

"To interact with infected hosts, the replacement servers required a certificate that can sign messages. It appears that the certificates were obtained and used for good intentions."


It doesn't matter. If you gain access to their servers you can sign the commands yourself.


Depends on where the key is. Command and control servers don't need to have the keys for the commands they are relaying.


I am pretty sure that is not their top priority.



And the big question is what if your machine is configured in a way that is incompatible with the FBI’s justice.exe and you lose irreplaceable data?


> And the big question is what if your machine is configured in a way that is incompatible with the FBI’s justice.exe and you lose irreplaceable data?

Dude, this is just manufactured outrage. Come on:

> Qakbot delivered additional malware—including ransomware—to their computer

Bemoaning the possibility of the cops trampling your petunias while responding to the arsonist literally trying to take-hostage-or-destroy every square inch of your property is being petty.


The analogy is not apt.

In most cases the victims were not aware, meaning they still had ample use of their proverbial property. This is in fact the normally desired state of malware, to act like a pest or a leech - your estate suffers but not in a very noticeable way.

I think most people would object to their yard being turned upside down because some e.g. illegal grasshoppers were present...so in that sense yes they should provide notice...if able.

Which is where the concept of "estate" falls apart a bit. Unless you can positively map every node to a single responsible actor, then it is unreasonable to provide notice. Furthermore, there are so many components to modern tech systems that it is not reasonable that anyone would know or care the exact goings on of their systems (usually).

That is, if you use the web and execute from it, in some sense you cannot (or should not) hold fully liable any one entity, in some small sense the malware has turned your computer into public property anyways, so the actions of the FBI are not entirely unreasonable.

If you cry foul at this action then even more so you should cry foul at the actions of any public update service etc...vendor updates always carry a similar risk.

What I could say, if there were some common message format for indicating to the user what was to happen, then it would be reasonable to require notification of such. But likely there is no such thing so mainly this argument is rhetorical.


I’m not outraged at all. I’m simply wondering.

Your analogy isn’t accurate. The botnet wasn’t burning down or bricking machines. It was leeching bandwidth and CPU cycles. So a more apt analogy might be animal control sniping bunnies off your petunias and hitting a window with your family heirloom on display instead.

The only thing about this whole thing that makes me double take is that it happened without permission or notice. I really wouldn’t be happy if I found out the FBI was rummaging around my machine removing files without my consent. It’s still my property and I’m sure I’d be happy to cooperate if the FBI raised to my attention that there was malicious software on my machine.


Legally speaking? While IANAL, looking at the warrant issued and signed, the nature of such a loss would be akin to any other loss incurred during a search and seizure.

In general, such losses are understood as incidental and the searchee is not protected from them. If the police smash your front door in, they aren't responsible for paying to replace the lock; if they think you hid drugs in your wall and take a Sawzall to it, they don't owe you drywall. In the extreme, it's been found that if a flashbang burns your house down during a raid, they aren't liable to replace your house (even if the target of the raid wasn't on that property). Warrants basically suspend some civil rights temporarily; that's why they require a judicial concurrence.

So I have no specific case citation for data loss due to a digital search and seizure, but my guess from analogy is that if you have an unusual configuration (cracked the botnet control program open and stored your private Bitcoin key in there?) and the FBI's counter-net wipes your data, you will not prevail in a court of law, much as if your front door was somehow load-bearing and the cops, upon hitting it with the battering ram, knocked your house over. But since I can't point to a specific case to give precedent, hey, whatever you and the lawyer you can afford can argue, I guess. ;)


I'd trust it a hell of a lot more than a binary originating from any other USG letter agency, except maybe OSHA and the NWS.


NASA has a good set of open source projects available for public use: https://code.nasa.gov/


Keyword: "open source", as in, you are permitted/encouraged to understand what it's doing.


As compared to a closed source binary forcibly installed on your machine by criminals?


To clarify a little, you mean criminals that aren't the FBI? because otherwise we might get stuck in a loop here.


Sometimes I wonder why the American public has to be subject to all the evils of so-called "tech" companies when clearly the US government has the personnel to write safe, reliable software.

Unlike so-called "tech" companies that can smugly ignore Americans' reasonable expectations of privacy in order to generate obscene profits, there are laws that prohibit the US government from engaging in similar shenanigans. (The "shenanigans" should be crimes but money has intervened.)

Even if hypothetical government-issued software might be "inferior" to whatever the so-called "tech" companies are producing, it would still be "superior" from a legal/regulatory standpoint. Americans would have some enforceable rights as software users. (Other countries are making some progress.)

Someone is inevitably going to make a wise crack reply about government contracting in the US. But I'm not referring to contractors. I'm referring to government employees.

We'll also likely see some reply about the technical superiority of so-called "tech" company software. But I'm not referring to technical superiority, I'm referring to (a) legal/regulatory limits on software authors and (b) software user rights.


>"Sometimes I wonder why the American public has to be subject to all the evils of so-called "tech" companies when clearly the US government has the personnel to write safe, reliable software."

It's not just the American public, it's every computer user—everywhere. The reason is that it's easy.

There's plenty of secure software and systems out there. It's hard to use. The costs outweigh the benefits for most people most of the time. We could all be running Qubes or OpenBSD but we don't because it's hard. It's hard to do simple things. Most of the world runs on Windows and people are logged in as admin. It's a point and click world.

I don't know if the government needs to write software, but I do think there is room for a vendor to step up, particularly in the business world, with systems that offer ironclad security.

IMO we are in an increasingly dangerous world. I'm surprised the internet connected world hasn't collapsed yet. Every day seems to be a new kind of scam or malware. It takes incredible effort to safeguard systems today. One wrong click and in 5 minutes your entire life can be destroyed. I'm curious what the stats are on malware that has completely destroyed businesses. Cyber insurance policies are almost necessary now even if you consider yourself a skilled user.


> there are laws that prohibit the US government from engaging in similar shenanigans.

If the laws you’re alluding to are steadfast, provide true equal protection and are perfectly enforced I could see greater reliance on government software tools.

However, history is littered with government agencies failing to protect people. Not to pick on the FBI here but the organization’s own J. Edward Hoover wasn’t the most privacy focused person. The group’s HQ is still named after this person.

Perhaps other organizations could be relied on more. People have wanted free tax filing software for a long time.

However, even the IRS has been shown vulnerable to take actions based on pressure from political forces.


Government software is great if you have a decade and a billion dollars to spend.


The warrant application is one of the coolest cyberpunk warrants I've read in my lifetime: https://www.justice.gov/d9/2023-08/23mj4244_application_reda...

Feels like one of those "in world messages" you find in games like Cyberpunk 2077. Could have been written by NetWatch.

We live in amazing times.


Not going to lie, it felt pretty boring. When I read your comment I thought it was going to be a GFX designed warrant with an image of Morpheus offering Neo to take either of the pills, while The Silence of the Lambs was playing in the background.


Even in cyberpunk dystopias, I imagine bureaucracies are still bureaucracies.

This just seems very cool to me:

> a. First, the FBI will identify the current Tier 1 servers (which are also Qakbot infected victim computers) based on information collected by the FBI.

> b. Second, an FBI-controlled computer will contact each of those Tier 1 servers using commands built into the Qakbot malware and Qakbot encryption keys known to the FBI. The FBI will instruct each Tier 1 server to download and install an FBI-created module that replaces the “supernode” module in the already-installed Qakbot malware (“FBI Supernode Module”). The FBI Supernode Module contains a new encryption key that will make it impossible for the Qakbot administrators to communicate with the Tier 1 servers. The proposed warrant would authorize replacement of the “supernode” module to allow the FBI to communicate with and search infected computers that make up the botnet. The proposed warrant therefore also authorizes law enforcement officers to seize or copy from the infected computers electronically stored information related to the Qakbot malware, including encryption keys and server lists used by the Qakbot administrators to communicate with computers that are part of the Qakbot infrastructure.

> c. Third, the FBI will contact each of those Tier 1 servers using commands built into the Qakbot malware. The FBI will instruct those Tier 1 servers to communicate with an FBI-controlled server (the “FBI Server”) instead of the Qakbot Tier 2 servers. At this point all communications from infected botnet computers will be routed through the Tier 1 servers to the FBI Server, rather than to the Qakbot Tier 2 and Tier 3 servers.

> d. Fourth, infected computers subject to this warrant that make up the botnet would then communicate with the FBI Server instead of the Tier 3 server. As noted above, the Qakbot malware instructs the infected computers to contact the Tier 3 server every one to four minutes. When those infected computers contact the FBI Server, the server will instruct them to download a second file created by law enforcement (“the Qakbot Uninstaller”). This warrant would authorize this action, with the intent that computers in the United States that are infected with the Qakbot malware will download the Qakbot Uninstaller from the FBI Server via the FBI-controlled Tier 1 servers. The proposed warrant therefore authorizes law enforcement officers to seize or copy from the infected computers electronically stored information related to the Qakbot malware, including IP addresses and routing information necessary to determine whether the infected computer continues to be controlled by the Qakbot botnet.
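
The warrant's step d. mentions that each infected computer checks in with its controlling server every one to four minutes. That regularity is something a defender can look for in their own outbound logs. The following is an added example, not code from the thread or from the FBI/DOJ documents: it flags host/destination pairs whose connections recur at short, near-constant intervals. The log format, host names and IP addresses are constructed for illustration.

```python
"""Flag hosts whose outbound connections to one destination recur at regular
short intervals (a beaconing pattern), as a triage aid for the check-in
cadence described in the warrant.  Added example: the log format, host
names and addresses below are constructed, not taken from the thread."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <src host> -> <dst ip>:<port>"
# ws-17 checks in with one address roughly every 146 seconds; ws-02 browses
# a few different addresses at irregular times.
SAMPLE_LOG = """\
2023-08-29T10:00:05 ws-17 -> 203.0.113.44:443
2023-08-29T10:00:09 ws-02 -> 198.51.100.10:443
2023-08-29T10:02:31 ws-17 -> 203.0.113.44:443
2023-08-29T10:03:40 ws-02 -> 198.51.100.23:443
2023-08-29T10:04:58 ws-17 -> 203.0.113.44:443
2023-08-29T10:07:24 ws-17 -> 203.0.113.44:443
2023-08-29T10:09:50 ws-17 -> 203.0.113.44:443
2023-08-29T10:12:17 ws-17 -> 203.0.113.44:443
2023-08-29T10:12:40 ws-02 -> 198.51.100.10:443
2023-08-29T10:14:44 ws-17 -> 203.0.113.44:443
2023-08-29T10:31:02 ws-02 -> 198.51.100.77:443
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src host, dst)."""
    ts, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_beaconing(log_text, min_gap=60, max_gap=240, min_hits=5, max_jitter=0.2):
    """Return {(src, dst): (mean_gap_seconds, hits)} for every pair whose
    consecutive connections all fall within [min_gap, max_gap] seconds and
    whose gaps vary by at most max_jitter (std dev / mean).  The defaults
    cover the one-to-four-minute cadence quoted from the warrant."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = parse_line(line)
        seen[(src, dst)].append(ts)

    flagged = {}
    for key, times in seen.items():
        if len(times) < min_hits:          # too few samples to call it periodic
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if not all(min_gap <= g <= max_gap for g in gaps):
            continue                       # at least one gap outside the window
        avg = mean(gaps)
        if pstdev(gaps) / avg > max_jitter:
            continue                       # intervals too irregular for a timer
        flagged[key] = (round(avg, 1), len(times))
    return flagged


if __name__ == "__main__":
    for (src, dst), (avg, hits) in find_beaconing(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {hits} connections, every ~{avg}s")
```

Regular polling by legitimate software (mail clients, update checkers) will also match, so a hit is a lead for the analyst to check against known-good destinations, not a verdict.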


> Step one: Identify the target and its flaws. There are always flaws.

> I learned that early in life. My first hack, the local library, a vulnerable FTP server in its AS/400. A far cry from the Android zero days I'm using to own the FBI standard-issue smartphone. The library was a test to see if I could even get into the system. I've since set greater goals.

> For instance, step two: Build malware and prepare an attack. At my fingertips, the zero day is wrapped in code like a Christmas present, then becomes an exploit, the programmatic expression of my will.

> I live for this shit.

--Elliot, on hacking the FBI (Mr. Robot)


That does read a bit like Neal Stephenson.


Thanks for the link, the fun reading starts on page 12.

I think I'll change my SSID to 'FBI Supernode'



Is that the same Qakbot? I thought BASHLITE was just the IoT botnet that powered LizardStresser. It was amateurish but effective: https://github.com/hammerzeit/BASHLITE/blob/master/client.c


If it's really finally fully down that's great, but it took forever and replacements can be churned out and new networks grown in a very short amount of time.

I'm glad the FBI invested 15+ years and who knows how much money to rid the world of QBot, but this isn't a scalable solution to the botnet problem.


I don't think it's the FBI's job to figure out a scalable solution to botnets. That's our job.



I wouldn't make a big deal out of this, unlike worms, "bots" like this will come back after weeks/months because of the number of people involved and the spread of the malware "kit" (including server side stuff). They are constantly adapting anyways, there isn't a fixed set of domains and IPs you can block to stop it permanently.

They took down emotet as well but it's had a resurgence.

Qakbot in recent years has shifted to an initial access broker monetization scheme where it sells access (Cobalt Strike, etc...) to more serious actors who will pay the access fee instead of hiring talent themselves to do the hacking. So they have a strong community of customers. They will need to arrest a lot of people at once and hope they got all the people needed to revive it.


Two questions:

1. if someone installed Qakbot willingly, does the warrant apply (the warrant has what looks to me like specific language limiting it to unaware victim’s machines)?

2. if the FBI’s justice.exe damaged data on a victim machine because of an unexpected configuration, are they liable for damages?


If they break down your door by mistake who pays the repair damages? You do.


Do you have a citation for that? AFAIU breaking down the door is only allowed with a knock-less warrant, in which case it’s not a mistake.

> An aggrieved citizen might also have a claim for civil liability against the officer or the law enforcement agency for certain unreasonable actions taken in the search. The basis for such claims could include invasion of privacy, trespass, or property damage.



A web search turns up loads of cases where the police bashed in the wrong door simply because they are morons. Here's one that was expensive for them (for the city anyway): https://www.boston.com/news/local-news/2021/01/13/brighton-f...


that came out of taxpayer's / insurance budget

that did not come out of the police budget


1. Yes.

2. No, but if they completely botched the module, possibly yes. See 17:

     17. The FBI Supernode Module and the Qakbot Uninstaller do not collect content from the infected computers, nor do they alter the functionality of the infected computers’ operating systems, files, or software, except as expressly provided in this affidavit.

Legally, hacking-back is a fairly new concept, and I'm not aware of the FBI openly doing it at a 'supernode' scale.

https://en.wikipedia.org/wiki/Hacking_back


Cool use of the botnet's capabilities against itself

But no arrests announced? I wish the people responsible for this were made an example of, as opposed to being basically free to start over (it seems).


They are probably outside of US jurisdiction and also seizing servers is much easier than catching a cybercriminal who actually knows how to cover their tracks.


This feels like the fire department congratulating itself for putting out fires instead of capturing the arsonist.


> This feels like the fire department congratulating itself for putting out fires instead of capturing the arsonist.

Do firefighters perform law enforcement duties in your jurisdiction?


Isn't that exactly what the fire department should be doing?

I don't understand the criticism, could you explain why you view this in a negative light?


I think the point they are trying to make is that there will still be fires started by the arsonist, so celebrating a single fire being put out while the arsonist is likely busy trying to start another fire looks bad. Even though, as you point out, the Fire Department isn't going to be making any arrests for arson, that's the Police Department's job.

I'm not sure the analogy applies perfectly anyway, since it was "only" a single "fire" in which "only" 700,000 victims were affected.


Arresting people is a pretty core part of the FBI's job.


This seems needlessly critical. If the fire department puts out a fire, it seems like most people would consider that a good use of resources.

In this case, the comments seem irrationally critical, to the point of being unconstructive.


Most of the large-scale botnet and ransomware activities are operating out of Russia. Not exactly a country that is going to collaborate with US law enforcement.


Yes where are the arrests or elimination of the threat. There are 17 three letter agencies listed in the Wikipedia entry for DNI. Couldn't one of them have worked to 'take care' of this botnet operator?


> Couldn't one of them have worked to 'take care' of this botnet operator?

Unless they want to start a war with Russia, probably not.


Russia, North Korea, Iran, and the other places that harbor cybercrime enterprises rarely agree to extradition.


Faced a "wtf" that damages your subjects? Name it "Russian" backed. ???? PROFIT


Is this the ransomware as a service that was hitting hospitals and multiple companies?


A 3 letter did a thing I like? Quick, someone pinch me.


> To disrupt the botnet, the FBI redirected Qakbot traffic to Bureau-controlled servers that instructed infected computers to download an uninstaller file. This uninstaller—created to remove the Qakbot malware—untethered infected computers from the botnet and prevented the installation of any additional malware.

So the FBI used unauthorized access to the computers to uninstall the malware? Scary if you think about it. I'm sure they could have used that access any way they wanted.


Say I left my car unlocked and it starts spewing smoke – is it scary if the fire department break in to put it out? Or if my abandoned building is housing rats, is it okay for the city to break in and deal with them?

The FBI is far from perfect but this is the kind of thing they _should_ be doing, using their unique privileges to help with public menaces. Anyone on the internet could compromise them, too, so I’d prefer a public cleanup.


The problem may be well within the FBI domain but their resolution crosses some boundaries that are meant to be protected. To pull this off the FBI would need to use a general warrant rather than a specific warrant as required by law.

In your examples none of them involve solving problems that you would be unaware of, in ways that you're not aware of without telling you they were there and oh btw they had to rifle through your underwear drawer to fix it.


> In your examples none of them involve solving problems that you would be unaware of, in ways that you're not aware of without telling you they were there and oh btw they had to rifle through your underwear drawer to fix it.

It’s pretty common for there to be problems the owner can’t be reached for - people travel, get hospitalized, die, etc. - but that doesn’t prevent action. What it can do is limit what they’re allowed to bring charges for – in your example, if they said they were pursuing reports of squatters in your house they couldn’t search inside your dresser since that’s not in plain sight.

In this case, I would expect that courts would give the FBI considerable leeway for neutralizing a system which is being actively used to commit crimes but not to check your private data to see if you were cheating on your taxes.


It's context dependent. If I'm filming a movie and want to get a scene where a car is spewing smoke, and the FD runs up while I'm filming to put it out, that is troublesome to me.

It seems like this might be the case here where some minuscule portion of the botnet base is security research firms / etc. who have a reason to have the botnet software installed and don't want it deleted; in fact, it may even affect their livelihood to delete it.


We have to call the local FD if we want to do a controlled burn of a field or fence row. If we don't, nobody is surprised when they show up to put out the fire.

I have to imagine this is similar. If your livelihood relies on a botnet, and you don't at least let authorities know, my guess is you're not a researcher. . .


Your example doesn't make sense though given the context. You can't just light a car on fire for filming purposes. You're going to need to at the very least petition the local government, get a permit, and follow safety protocols that will likely include the presence of the fire department.

This reminds me of frivolous lawsuits. A doctor sees someone needing medical attention. The doctor performs CPR, breaks some ribs in the process, but ultimately saves their life. The person who would have otherwise died sues the doctor for breaking their ribs while completely ignoring the good will that saved them from certain death.


That's a very contrived example.

It's also why people normally get a permit or at least contact officials to tell them that they're going to stage a scene that looks exactly like an accident/crime scene.

It isn't a strike against emergency responders for responding to a situation that someone has staged to look as close to the real thing as possible.


> It seems like this might be the case here where some minuscule portion of the botnet base is security research firms / etc. who have a reason to have the botnet software installed and don't want it deleted; in fact, it may even affect their livelihood to delete it.

This doesn’t make any sense to me: no ethical security firm is going to allow their resources to be used to attack other people, or complain if the FBI shut down the people attacking their clients.


The MythBusters didn't blow stuff up or set things on fire without having the FD there.


Most of the time they had to have explicit "Bomb Squad" presence, and did things explicitly at bomb ranges.

One time they still managed to damage something outside of the vast location (an abandoned airport I believe) they were working within, and were banned from that location.


> So the FBI used unauthorized access to the computers to uninstall the malware? Scary if you think about it. I'm sure they could have used that access any way they wanted.

The access was always possible. Not just by the FBI. In fact, it was already being accessed by the botnet operators. The issue here is _permission_ and _precedent_. The government gave itself permission to go into these computers and cleanup the botnet. What explicit permission did they grant themselves and what precedent does that set?

I'm pretty hesitant/paranoid about the U.S. government and the powers we (citizens) grant them. But this one surprisingly sits right with me. It looks thoughtfully applied and constrained - a very tactical operation to go in and cleanup a botnet without accessing any unnecessary data in the process.

https://www.justice.gov/d9/2023-08/23mj4244_application_reda...


The access was possible but not legal but they gave themselves legal access. It's a slippery slope. They have placed an unknown file as well on your computer.


There are many situations where law enforcement is authorized (by law) to do something that would normally be illegal. For example here is some language from 18 U.S. Code § 1030 - Fraud and related activity in connection with computers:

> This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

I'm not sure if this is the relevant code for this Qakbot incident, I'm just trying to clarify that the law generally accepts that law enforcement officials get special dispensation from the regular requirements of the law in order to carry out their function or to protect the public.


They got a warrant to run the uninstaller and gather evidence: https://www.justice.gov/d9/2023-08/23mj4244_application_reda...


this time they got a warrant


They wouldn't need to do any redirecting if they had direct access to the computer, they could just directly install the patch/fix.

Sounds like they hijacked a malware proxy server and had it forward the traffic to their own server.


Perhaps those computers count as evidence and they don't want to mess with it?


perhaps, but more likely it's a bit dubious for the FBI to penetrate into computers unauthorized, even if the intentions are good


What would have been a better alternative?


Police have huge amounts of leeway to wreck stuff and kill people, which do not appear to have happened in this case compared to the mere possibility of abuse.

Meanwhile in the physical world https://reason.com/volokh/2021/11/30/federal-court-rules-tak...


This was clearly a large-scale coordinated effort spanning multiple countries, multiple organizations within the US including DOJ lawyers, named and unnamed industry partners, etc. This is not a context in which a single group could do unethical clandestine things without the knowledge and buy-in of other parties, nor would it be something the FBI team working this case would have any incentive to do. They were tasked with dismantling this botnet and removing the malware from victim machines, and that is what they did.


Today they clean your computer from botnet, tomorrow from bitcoin.


Yup, and people actually think crypto is viable.


[flagged]


Ahhh yes, there is no way windows could be targeted because it is the most popular OS (especially in Business). Removing Windows would allow us to live a malware free utopia...


Absolutely false.

If all the world's grannies used Ubuntu, malware writers would target Ubuntu, and the spam would include links to Ubuntu malware. Same for any arbitrary other OS.


There already are pretty advanced Linux viruses and I would assume that they would be even more advanced and widespread if Linux was the primary desktop OS


Why? Windows is not inherently less secure than MacOS or Linux.


Tell me you haven't worked in an Enterprise environment without telling me


My whole life. That's why I'm begging to kill it.


I wish you a longer life then. There is a lot to learn about security, and your conclusions are not among them.


You need to read up on how Pwn2Own came into existence.


[flagged]


Personal attacks aren't really called for. I disagree with op but really?


he's right in that windows is horrible spyware cancer made continually worse by an insanely anti-consumer corporation and would be better off gone at this point had it not won the capitalism game


That's valid, but the thrust of the top-level comment is that the computers are infected because they were windows (sounds plausible) with the implication that if windows were not the dominant desktop OS, malware would not exist (which is improbable).

Malware is only rare for MacOS and Linux because those are niche OSes, not because of inherently higher resistance.


He's also wrong thinking that malware is more possible on Windows than other OSes, rather than that Windows is a more popular target because it's the most popular OS in the world.


If the FBI doesn’t like them, Qakbot can’t be that bad.



