
Interesting. They're violating their own CFAA law (accessing a computer without authorization or exceeding the access granted) to remove web shells. Legally, this is hacking. Which means that the FBI just hacked a bunch of Exchange servers to clean them.

So the message here is, if you don't clean up your act and you're on a USA network, we'll do it for you without your permission.

The beef is at the end of the article:

This operation was successful in copying and removing those web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells. The Department strongly encourages network defenders to review Microsoft’s remediation guidance and the March 10 Joint Advisory for further guidance on detection and patching.

The FBI is attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells. For those victims with publicly available contact information, the FBI will send an e-mail message from an official FBI e-mail account (@FBI.gov) notifying the victim of the search. For those victims whose contact information is not publicly available, the FBI will send an e-mail message from the same FBI e-mail account to providers (such as a victim’s ISP) who are believed to have that contact information and ask them to provide notice to the victim.

If you believe you have a compromised computer running Microsoft Exchange Server, please contact your local FBI Field Office for assistance. The FBI continues to conduct a thorough and methodical investigation into this cyber incident.



It's no CFAA violation:

"This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States."

18 U.S.C. § 1030(f).

DOJ obtained authorization here, most likely under Fed. R. Crim. P. 41(b)(6)(B)--which, interestingly enough, cross-references the CFAA.


That is not ok. A law that purports to outlaw computer fraud and abuse should particularly prohibit the government from committing computer fraud and abuse.


That's not what it does. It clarifies that lawfully organized investigative, protective, or intelligence activities are not fraud or abuse. Which they aren't, by any normal definition.

Warrants have always allowed the bypass of physical security devices, why would digital ones be any different?


Of course not. I'm using CFAA as a moral definition of hacking, not legal. I'd be amazed if this doesn't lead to warrants issued that enable search & seizure on domestic individuals and corporations.

Edit: After re-reading my post above, I guess I did suggest they violated the CFAA in law. Not my intent to say that. I'll leave it as is.


> They're violating their own CFAA law (accessing a computer without authorization or exceeding the access granted) to remove web shells.

...

> I'm using CFAA as a moral definition of hacking, not legal.

Please don't move goalposts; it degrades the conversation. Better to own the error to let the conversation proceed normally, allowing everyone to learn together. (I doubt most of us knew about the LE carve out, for instance)


I think you can respond without talking about "moving goalposts" or "degrading the conversation".


> I'd be amazed if this doesn't lead to warrants issued that enable search & seizure on domestic individuals and corporations.

Warrants that enable search and seizure on domestic individuals and corporations are...the main expected use of warrants in the US system.

As endpoints of a slippery slope argument go, that's...kind of the opposite of what you'd usually target.


Laws aren’t great references for morality.


Yes, and no.

By default, we expect moral people to conform to the laws of their jurisdiction. Not because the laws are necessarily morally positive (most laws are morally kind of neutral), but because the predictability itself is a good virtue.

Of course, that default presumption can be overcome with a relatively low burden of proof.


> most laws are morally kind of neutral

Slavery was once legal, and this kind of thinking is what made people want to continue it.


I think it is reasonable to conclude they were referring to the bulk of the law that is administrative/procedural/etc. There are 53 titles of US code, and one of those (title 18) is about criminal code. The rest are predominately not matters of morality.

Most things that are legal aren't outlined in the law anyway, they're omitted.


> Most things that are legal aren't outlined in the law anyway, they're omitted.

So for slavery, you would expect the laws to eg deal with run-away slaves etc, not so much with slavery itself.

> I think it is reasonable to conclude they were referring to the bulk of the law that is administrative/procedural/etc. There are 53 titles of US code, and one of those (title 18) is about criminal code. The rest are predominately not matters of morality.

Yes, exactly. And I am presuming here, that there is a presumption in morality that all-else-being equal, it's more moral to stick to these neutral laws, just because it makes living in a society with other people more bearable.

Eg in a moral sense it doesn't matter whether people drive on the left side of the road or the right side. But if there's a law about driving on the books, you better follow it.

(No clue whether this is strictly speaking something about morals or more about ethics?)


Slavery meets that low burden of proof I talked about.


> So the message here is, if you don't clean up your act and you're on a USA network, we'll do it for you without your permission.

I am not sure on any prior case law on this, but there are examples in the real world: if you leave a dangerous attractive nuisance out in the public space, where it could potentially be harmful to people or animals, local law enforcement or civic-minded citizens will remove it. It could be argued that leaving exposed, rooted Outlook Web Access systems out there for anyone to use on the public internet is not too dissimilar.

On a federal level? If you leave an abandoned ship leaking toxic chemicals anchored somewhere in a bay, don't be surprised if the USCG, a federal law enforcement agency, comes and seizes it...


> court-authorized

There you go.

Microsoft and the DOJ have several times gone to a judge to get permission to take over botnets. The reason being that to do so they take over the botnet and the result is of course that if they control the botnet they then have control of those computers. But you can't completely disassemble some botnets without taking it over.


Are we sure? It appears the court gave them authority.


Indeed, there is a search warrant signed by a judge: https://www.justice.gov/opa/press-release/file/1386631/downl...

See pages 18 to 21.



