FBI Removes Botnet from hosts they don't own

Story 1

Story 2

Story 3

So the FBI accessed privately owned devices from Wireguard and Asus to mitigate a Russian botnet infection that wasn’t active yet. I get the understanding of why, because Russian.

What I am more concerned about is the fact that they CAN at any time access privately owned devices and do as they will with them. This has been speculated and talked about at security conferences for years and it’s always been denied. This is the govt straight up pointing out the fears and speculation have been true the entire time.

The implications of this are immense. Will the security community unite against this admission or will they just push it away as “because Russian, therefore govt can do what it wants” ?

10 Likes

Chances are, this was because the affected devices were still using publicly known default passwords to access the compromised device. Something botnets will not change so as not to arouse suspicion from the legal owner(s).

So, effectively, what the FBI did was legally wrong but morally justified by preventing the legal owner, most likely an American citizen, from becoming a victim of cyber-crime and/or -criminals.

And while it might be believed to be a Russian attack, it could very well be that the true owners of the botnet are not in Russia, but in Iran, North Korea, China, Israel, Venezuela or any other country which has an interest in attacking the USA. And/or its allies. It might not even be a country, just a group of criminals, like the Mafia in Italy, drug cartels in Central/South America, African warlords, whatever. Thing is, we’ll never truly know who really owns that botnet. But the risk it posed has been neutralized or at least significantly reduced. Which is good :slight_smile:

4 Likes

I thought they did that after that RCE in Exchange was found a while ago also.

1 Like

Thing is, if the police drive by your house and see your door unlocked and the keys in the lock,
they will stop and check to see if all is ok.
This may include entry to the premises.

This is no different if the FBI used default passwords, as you basically just left the key in the lock.
And as long as they do nothing other than lock the door and don’t make their own key, I have no truck with it.

Yes, it’s a potential privacy violation, but only if they broke in…
You left the door open; you’re lucky it was only the FBI.

7 Likes

Yup. I was just about to chime in and mention it’s not the first time the FBI has intervened in disrupting C2C servers. Last year they removed web shells from thousands of vulnerable Exchange servers and then patched the vulnerability to prevent reinfection afterwards.

I think it comes down to a question of should the FBI be involved in either mitigating security concerns or taking offensive actions against botnets. But, in both situations it was a judge that signed a court order that allowed them to access these servers. So, if we’re disagreeing with the actions of the FBI then I feel the judge is equally responsible.

4 Likes

While this is a possibility with say the consumer Asus units, the Wireguard are commercial units and it’s doubtful that all of those still had a default password on an outward facing connection.

And the point of most of the talks about released/leaked govt procedures is that they DO insert their own keys; it just hasn’t been proven yet.

2 Likes

I’m not a sysadmin (except for my own systems :stuck_out_tongue: ) but I’ve seen comments from those that are on the probability of sticking to default passwords. In short, it’s more common than one wants to believe is the consensus there :roll_eyes:

1 Like

True and they tried to make it sound less awful from a security standpoint that they conferred with other countries to get this done. The FBI is not supposed to be involved in this kind of work, it’s outside of their jurisdiction, this should have been handled by the NSA/CIA due to the nature of dealing with countries outside the US. It just smells weird …

2 Likes

The infections were only on Watchguard appliances with the management interface exposed to the internet. Not sure if it was default credentials or an RCE but I can guarantee the “admins” that incorrectly configured them will not be installing the latest security patches. It’s a 50/50 for me whether we should patch them or just brick the firmware to get them off the internet :joy:
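The post above turns on two configuration facts (management interface reachable from the internet, credentials possibly never changed) plus a third that every reply circles back to (firmware never patched). As an added example that is not part of the original thread, here is a small inventory audit in Python that flags exactly those three conditions for a fleet of appliances and ranks each device. The inventory records, interface names and the `1.2.0` minimum firmware version are constructed for the example and are not taken from any real vendor or from the articles.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Appliance:
    """One firewall/router as recorded in a (constructed) asset inventory."""
    name: str
    mgmt_interfaces: List[str] = field(default_factory=list)  # where the admin UI/SSH listens
    password_changed: bool = False  # False = factory-set credential still in use
    firmware: str = "0.0.0"         # dotted version string as reported by the device


# Constructed sample inventory; names and values are illustrative only.
INVENTORY = [
    Appliance("fw-hq-01", ["lan"], password_changed=True, firmware="1.3.1"),
    Appliance("fw-branch-01", ["lan", "wan"], password_changed=False, firmware="1.1.4"),
    Appliance("rtr-home-01", ["WAN"], password_changed=True, firmware="1.2.0"),
]

# Assumed minimum patched firmware level for this fleet (placeholder value).
MINIMUM_FIRMWARE = "1.2.0"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(appliance: Appliance, minimum_firmware: str = MINIMUM_FIRMWARE) -> List[str]:
    """Return the list of hygiene findings for a single appliance."""
    findings = []
    # Interface names are compared case-insensitively; 'wan' marks internet exposure.
    if "wan" in {iface.lower() for iface in appliance.mgmt_interfaces}:
        findings.append("management interface reachable from WAN")
    if not appliance.password_changed:
        findings.append("factory credential still in use")
    if parse_version(appliance.firmware) < parse_version(minimum_firmware):
        findings.append(f"firmware {appliance.firmware} below {minimum_firmware}")
    return findings


def priority(findings: List[str]) -> str:
    """Rank a device: WAN exposure combined with any other weakness is the worst case."""
    exposed = any("WAN" in f for f in findings)
    if exposed and len(findings) > 1:
        return "critical"
    if exposed:
        return "high"
    if findings:
        return "medium"
    return "ok"


def audit_inventory(inventory: List[Appliance],
                    minimum_firmware: str = MINIMUM_FIRMWARE) -> Dict[str, Dict[str, object]]:
    """Audit every appliance and return {name: {'findings': [...], 'priority': '...'}}."""
    report = {}
    for appliance in inventory:
        findings = audit(appliance, minimum_firmware)
        report[appliance.name] = {"findings": findings, "priority": priority(findings)}
    return report


if __name__ == "__main__":
    for name, result in audit_inventory(INVENTORY).items():
        print(f"{name}: {result['priority']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run as a script it prints one line per device with its findings; the useful part for a team is feeding a real inventory export into `audit_inventory` and sorting on `priority`, so the devices that match the pattern described in the post (exposed admin interface, untouched credentials, stale firmware) are the first ones someone actually logs into and fixes.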

Trust me on this. If you are outside the US, or even in it, at this stage, optimistically, you have 0% trust in either the NSA or CIA to do anything good; realistically that should be in the negative numbers.

While the FBI may not be the best conduit, even the plain wrong one, they have better sway with the rest of the world. NSA and CIA are abusive hired thugs that care not for anything other than their own secrecy.

Edit: Which is not to say FBI good this is still bad and your concerns very valid, but while there is debate over whether they leave as they came, or not, we know for sure that the other two will live in those systems forever if they don’t get caught.

2 Likes

Wireguard is not Watchguard, but an open source VPN. I was so confused until I looked at the articles…

2 Likes

My bad, did I mistype?

Yeah, also heard that rumour.

But the simple truth here is they knew if they just emailed the owners, the chances of the owners not immediately putting the email in the spam folder, actually reading it and following through are slim to none. After all, if you have been on the internet long enough you have had multiple emails from the fbi.gov.com :wink: . You know it’s auto going in spam.

But like I said, if they are legitimately fixing stuff and not tampering with it themselves,
and then inform you that it’s been done with complete transparency,
giving you a report on what they found and actions they took,
that can be independently verified,

all I can say to that is fair enough.

Sure, I’m not happy that it’s happened, but it’s what you pay them to do in your taxes: look after you and your interests and keep you safe…
Sure, they ain’t your friends, but they are your security services, which means their job is to keep you and yours secure. Despite your best efforts to give everything away :smiley:

2 Likes

Didn’t the Feeb just use the existing vuln to stop the spread? As in, the same vuln that the malware used to get into, and then co-opt, the unpatched servers and continue spreading?

The admins could [should] have patched it themselves, and should be lucky it was not other bad actors?

At least Feeb waited for a warrant?

4 Likes

It’s a defensive sort of hack for the actual benefit of the owner and the internet in general.

From the sound of it, they’ve always had this capability, and if given the choice between this and planting malware on a suspected member of a drug cartel, a hack that would actually protect you is desirable.

If a judge was involved and decided it was lawful, then I’m all for it.

FBI still feels more honorable from an outsider’s perspective. CIA and NSA feel more crooked and abusive for a reason…

1 Like

Honestly any 3-letter intelligence (or any letter count really, usually 3 like KGB in Russia’s case, CIA, FBI, etc) organizations are literally the least trustworthy institutions ever created in human history. Deceit and secrecy are their forte. Plus they almost always tend to be autocratic, even just to justify their existence. If these people can do bad things and then admit to it many years later, why would they have stopped?

I know this sounds a bit stark and blunt on my end. I certainly don’t share a positive opinion of such entities myself.

1 Like

In Germany, that is called “Gefahr in Verzug” (rough translation “Imminent danger”) meaning it is their duty to protect unsuspecting citizens from harm.

If this was to happen in Germany, there would be a letter in the snail-mail one day. Sure it would cause action on the recipient’s part, but a day too late.

1 Like

Yeah hard call but to anyone dumb enough to use a default password or forget to change it who knows what else they did or could have done. Maybe you got used as a ddoser for both sides of the cyber war. Maybe you still are? All I know is that this bullshit has me checking for updates damn near daily on my servers.

Edit/addition: Also checking my running services and processes.

1 Like

This doesn’t really translate: there was no key left in the door, you guessed the number on my padlock but you still broke in.
And IMO some botnet is often enough just some idiot-savant’s project that I would take something like that existing over having a subsidiary of the worst crime network kick the door down to “do the right thing, trust me bro”.