Schneier on Security
A blog covering security and security technology.
November 16, 2007
Dan Egerstad Arrested
I previously wrote about Dan Egerstad, a security researcher who ran a Tor anonymity network and was able to sniff some pretty impressive usernames and passwords.
Swedish police arrested him:
About 9am Egerstad walked downstairs to move his car when he was accosted by the officers in a scene "taken out of a bad movie", he said in an email interview.
"I got a couple of police IDs in my face while told that they are taking me in for questioning," he said.
But not before the agents, who had staked out his house in undercover blue and grey Saabs ("something that screams cop to every person in Sweden from miles away"), searched his apartment and confiscated computers, CDs and portable hard drives.
"They broke my wardrobe, short cutted my electricity, pulled out my speakers, phone and other cables having nothing to do with this and been touching my bookkeeping, which they have no right to do," he said.
While questioning Egerstad at the station, the police "played every trick in the book, good cop, bad cop and crazy mysterious guy in the corner not wanting to tell his name and just staring at me".
"Well, if they want to try to manipulate, I can play that game too. [I] gave every known body signal there is telling of lies ... covered my mouth, scratched my elbow, looked away and so on."
No charges have been filed. I'm not sure there's anything wrong with what he did.
Here's a good article on what he did; it was published just before the arrest.
Posted on November 16, 2007 at 2:27 PM
Wow. He's getting stared down by the Cops, and he *tries* to make them think that he's lying? If I were him, I'd try to make them think that they were lying. Divide and conquer. Sow the seed of doubt in their minds. Or, you know, tell the truth that you didn't really do anything illegal. I'd do anything but make them more suspicious of me being a criminal.
During the '90s it seemed that a "firewall" was the perfect panacea for security: a little icon of a burning brick wall was the stamp of approval needed to get your network design approved. Nowadays it's "encryption," with an icon of a closed padlock, that solves every security problem. I'm really looking forward to the day when "actually understanding the tools you're employing" gets a catchy little icon that can be put on the Visio diagrams...
The good cop / bad cop ploy is standard, but how does having a crazy mysterious guy stare at the suspect from the corner help to elicit confessions?
If you don't confess to the cops, they'll hand you over to Mr. "crazy mysterious guy stares at the suspect from the corner", and he'll "help" you confess?
If no charges were laid, then strictly speaking, it sounds like he _wasn't_ arrested. But then I'm not familiar with Swedish law.
By the standards familiar to me, those of Canada, it reads like what happened to him would fall under the category of having his house vandalized, his stuff stolen, and himself kidnapped and wrongfully detained, and his right of Habeas Corpus generally spat upon.
'Wondering if "crazy mysterious guy in the corner" really refers to Bruce's picture above... ;-)
Bruce is not a "crazy mysterious guy." He is a "crazy _cryptic_ guy." Big difference.
The crazy guy in the corner was Kermit, I expect.
"If no charges were laid, then strictly speaking, it sounds like he _wasn't_ arrested."
I don't know how they do things in Canada, but in the U.S. (and I imagine in Sweden, too) if police confront you, show you their badges, and then take you away to a police station, you've been "arrested."
Filing charges has nothing to do with it. You're arrested and booked on "suspicion" of ______.
If the Tor user can determine or believes that certain exit nodes are trustworthy, and if encryption is not feasible, he can use only trusted exit nodes for sensitive activities such as logging in. Getting a trusted exit node to come up could take a lot of time, however.
A Tor-checking site can be useful for noting Tor exit node IP addresses and handles. Once the user is familiar with trusted Tor exit node IP addresses, he can use software to see when he is connected to one of those exit nodes. There is a Firefox add-on, external IP, that will display the current external IP address in the statusbar, and can be set to announce that the external IP address has changed. There's a chance, though, that there will be an exit node switch, perhaps from a trustworthy one to an untrustworthy one, at a bad time.
Reading about Dan Egerstad's project got me to realize that sifting data exiting Tor may be more widespread than I had guessed. For non-expert users such as I it's easy to fall into simply enabling security software and letting it run without paying it much mind.
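One way to implement the exit-node check the comment above describes, as an added example (not code from the page, the commenter, or the Tor project). The trusted-exit list and the timeline of observed external addresses are constructed sample data; looking up the current external IP on a Tor-checking site is assumed to happen outside this code.

```python
"""Tor exit-node watchdog: gate sensitive actions (logins) on whether the
current exit is one the user has decided to trust, and record every exit
switch so a trusted-to-untrusted change mid-session is caught."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed allowlist of exit IPs the user trusts (documentation-range
# addresses, not real relays).
TRUSTED_EXITS = {"192.0.2.10", "192.0.2.11"}


@dataclass
class ExitWatchdog:
    trusted: Set[str]
    current: Optional[str] = None
    # (previous_ip, new_ip, new_ip_is_trusted) for every observed switch
    switches: List[Tuple[str, str, bool]] = field(default_factory=list)

    def observe(self, external_ip: str) -> str:
        """Record the external IP most recently reported for this session.
        Returns 'trusted' or 'untrusted' for the exit now in use."""
        prev = self.current
        self.current = external_ip
        is_trusted = external_ip in self.trusted
        if prev is not None and prev != external_ip:
            # Circuit rotated: note it, especially if we lost a trusted exit.
            self.switches.append((prev, external_ip, is_trusted))
        return "trusted" if is_trusted else "untrusted"

    def allow_sensitive(self) -> bool:
        """A login may proceed only while the current exit is trusted."""
        return self.current is not None and self.current in self.trusted


def simulate(trusted, timeline):
    """Replay a timeline of ("ip", addr) observations and ("login", site)
    attempts. Returns the per-step outcomes and the recorded exit switches
    so the session can be audited afterwards."""
    wd = ExitWatchdog(trusted=set(trusted))
    outcomes = []
    for kind, value in timeline:
        if kind == "ip":
            outcomes.append(wd.observe(value))
        elif kind == "login":
            outcomes.append("allowed" if wd.allow_sensitive() else "blocked")
        else:
            raise ValueError(f"unknown step kind: {kind}")
    return {"outcomes": outcomes, "switches": wd.switches}


# Constructed session: the exit rotates to an unknown relay right before a
# login, which is the "bad time" switch the comment warns about.
SAMPLE_TIMELINE = [
    ("ip", "192.0.2.10"),        # trusted exit
    ("login", "mail.example"),   # allowed
    ("ip", "198.51.100.7"),      # rotated to an untrusted exit
    ("login", "mail.example"),   # blocked: credentials would leave via it
    ("ip", "192.0.2.11"),        # back on a trusted exit
    ("login", "mail.example"),   # allowed
]

if __name__ == "__main__":
    result = simulate(TRUSTED_EXITS, SAMPLE_TIMELINE)
    for step, outcome in zip(SAMPLE_TIMELINE, result["outcomes"]):
        print(f"{step[0]:5} {step[1]:15} -> {outcome}")
    for prev, new, ok in result["switches"]:
        print(f"exit switch {prev} -> {new} ({'trusted' if ok else 'UNTRUSTED'})")
```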
>and his right of Habeas Corpus
>generally spat upon.
Nice buzzword... might want to look up what it means before using it, though.
He was interrogated for two hours and released.
If the courts in Sweden work anything like the courts in the U.S., even if his attorneys were given two weeks' advance notice of the exact time, place, and reasons he would be arrested, they still wouldn't have been able to get a petition filed and heard, and a habeas order issued and delivered to the police, before he was already released.
This "security researcher" absolutely had this coming and deserved it.
Why anybody would defend his actions is beyond me.
First to clear up some things,
He was picked up and interrogated as a suspect of "unlawful access to a computer" and later released.
The mystery man is most likely an agent of the Swedish Secret Service.
The prosecutor, Håkan Roswall, is the same incompetent who is responsible for investigating the Pirate Bay.
So what we've got is basically the Swedish police doing what they are absolutely worst at: investigating what they believe to be an IT crime.
(Actually, what they are worst at is identifying an actual crime... "Oh, so someone stole your credit card over the interwebs? Tough luck, we don't have the time or resources to investigate." But then: "A high-profile, high-media-interest, possibly, maybe crime! We'll get right to it!")
@ A Swede,
"A high profile, high media interest, possibly, maybe crime! We'll get right to it!"
It's the same in most parts of the world; for the rest, you just disappear...
Fagin's old song needs rewriting from,
In this life one thing counts,
In the bank large amounts.
In this life one thing counts,
Political clout in large amounts,
It isn't money that counts any more, but which persons in power you can make look silly the most, and if you do it wrong they want revenge in large measures.
It looks like Dan Egerstad is just beginning to learn this the hard way.
In Europe a number of people dug out information on corruption at high levels in the E.U. and have spent quite a bit of time being arrested and having their homes and offices turned over and their paperwork, computers, etc. taken (and invariably not returned). Likewise, E.U. employees whose job is to investigate fraud, when they have found it and tried to bring it to the attention of those (supposedly) in charge, have found themselves suspended, then dismissed, and subject to police investigation...
The more things change, the more they stay the same...
25 years ago, as the microcomputer revolution took off, folks tended to communicate by dial-up bboards. There were lots of discussions on hacking, phreaking, piracy... All sorts of things were openly talked about. Things that various people-in-power would prefer to remain confidential.
BBoards would abruptly go silent. Phones would stop being answered. Sometimes you found out what happened. Sometimes you didn't.
It was called "Being visited by the men in brown shoes".
They rarely arrested or prosecuted anyone. They just came in and took all of your gear. Kind of like getting robbed. If you made a fuss, then they started prosecuting...
When you're out a couple of grand worth of hardware... You don't bounce back from that very fast... (This was a quarter of a century ago when salaries were a lot lower, and a grand went a lot further...)
The more things change, the more they stay the same...
You might want to read up on the story of Steve Jackson Games vs United States Secret Service, and the founding of the Electronic Frontier Foundation.
The legal aspects of this are certainly interesting. At first glance, I was tempted to play Devil's Advocate for the police because Egerstad published passwords to third party email accounts. Even though the victims were naive and stupid to send unencrypted sensitive information into TOR, is it right to take advantage of their mistakes? (whatever the motivation).
Upon reflection, I think the parties who trusted TOR have to face the fact that they screwed up. Let's say that I decide to post my email address and password on Bruce's blog, then the next day bad things happen. Is it Bruce's fault that I misunderstood the risks in publishing my personal details here? The TOR software I have used posts a warning about the privacy limitations of TOR. I visited http://www.torproject.org/download.html.en. By changing the suffix from "en" to "ru" and "it" and so on, you can see that some effort has been made to provide multilingual documentation (but I'm not sure if Farsi is catered for).
What a pity that the Swedish police apparently didn't make adequate legal preparation before raiding Egerstad. Perhaps I'm naive but I'd have expected the police to have a charge prepared before the arrest.
he was not first men. he just fucked our system. bad luck to him he tell everybody the system. too much talk go to jail good!
Police: Bork de bork-bork de bork?
Dan: But I didn't do anything!
Police: Bork de BORK BORK bork!!
Maybe he is being punished for raising awareness. The NSA runs a number of exit nodes and maybe they are pissed that this is going to cost them some intelligence.
By operating a Tor server, Egerstad was offering a service. If any of the users exposed on the Internet were legitimate owners of the accounts, didn't he betray the trust of those users by posting email credentials? Never mind that it was easy to do; it is always easy to exploit people who trust in a security measure, or a person's intentions. You cannot say, to quote Bruce in his podcast for Educause, "it's her fault for walking down that alley." (Bruce, you seem to disagree in your post above, but I know we are not comparing apples to apples here... sorry if I am misusing that statement).
I think releasing the credentials the way he did may have been a lapse in judgment. Yes the community needs to know that the tool they are using can be exploited, and easily. But the "shock" approach is not the only way to market and distribute an important piece of knowledge, and probably not the best way.
If no damage was done as a result of his actions, perhaps Egerstad will come out of this without any further consequence. If there is no specific law about posting other people's private credentials on a public web site, better still for him. But you can look at this from a liability standpoint as well.
Suspend disbelief for a moment and assume that, prior to the release of account credentials, nobody with malicious intent had compromised the account belonging to the Office of the Dalai Lama. As a result of the posting, the account could be compromised, and people or governments wishing to subvert Tibetan independence could prosper from the information, to the detriment of the Dalai Lama. If nothing else, Egerstad would have committed a tort against the Office of the Dalai Lama. Whether there would ever be a consequence for Egerstad, I do not know. But if he thought it through, would he want to potentially subvert Tibetan independence?
I admit that the above has movie-plot elements. But even if I have to resort to reductio ad absurdum, it seems like the question of whether Egerstad did something wrong should be argued. There is certainly the potential for wrong, is there not? Why increase the security/privacy risk to the users of his own exit node? Is that raping someone to prove that rape is a possibility?
If Egerstad defines himself as a researcher, his best approach is to research a better way of protecting privacy on the Internet and submit it to peer review. An open-source project, even a 'fork' project, would be possible suggestions. Another approach would have been to raise awareness of the problem without increasing anyone's exposure to risk, if possible. Instead he took action without knowing (or caring?) what the result would be. Acting without knowing the consequences of your actions, in legal terms, can amount to either negligence or recklessness.
On the note of recklessness, recall that Egerstad is quoted as saying 'Screw it, I'm just going to put it online and see what happens'. That is from the article here. Note that he might have elevated the charges against himself from negligence to recklessness in that quote, if laws in his country are similar to US laws on such matters. What is important for Egerstad to know is this: if his actions damaged an innocent party, he was either reckless, or at best negligent. I hope I am not alone in my feeling that a 'security researcher' should avoid recklessness.
I'm no expert in Swedish law either, but I do know that in UK law, one is usually arrested on "suspicion" of a crime. Charges follow later. Later can scandalously be 28 days currently, and the government is asking for that to be extended to 56 days.
If you're suspected of terrorism, you can be placed under a control order - similar to house arrest - after a trial that you may not be permitted to attend, and you may not be permitted to know the charges.
What Egerstad SHOULD have done was to contact each and every one of the affected parties individually and inform them that their passwords had been compromised and would continue to be compromised so long as they didn't enforce secure transmission protocols.
However, Dan had thousands of passwords, hundreds of them from potentially highly sensitive locations so he took the easy route and simply published them along with his research.
As for the illegality of what he did, the passwords were passing through his exit node unencrypted anyway, all he did was identify certain bits of information that certain users voluntarily sent through his computer and stored them... then published them. He hasn't claimed to have used the passwords or any other sensitive information that he may have stored. I would be very surprised if any charges stick to him.
If it were me, I would have emailed every address on the list first to warn them about what I was about to publish... however that's the sort of action that could end up making me "disappear" prematurely so maybe the way he did it was the safest for his personal safety.
He stated in an interview that he did try to contact an unnamed embassy, but after being disregarded and dismissed he decided to go on and publish. I guess he could have tried a bit harder, but the guy is hardly older than 25 and perhaps not that good at judgement calls.
(Translated from the Swedish:) "I did try to contact an embassy and got treated badly. I cannot go into any specifics, but they did not pay me any attention whatsoever."
@Dave, "So Egerstad set about notifying the affected governments. He approached a few, but the only one to respond was Iran. ...
Frustrated by the lack of a response...He posted 100 email log-ins and passwords on his blog,"
So he tried direct contact and was ignored, then publicly posted a rather small sample to demonstrate the issue. Sounds like he handled it responsibly.
@Spider, create cognitive dissonance. Tell them what they want to hear but with body language that tells them not to believe it.
Well, in the US, what he did would qualify as illegal under the ECPA (18 U.S.C. 2701-1) [I think that's the right numbers]. Anyway, as he was providing a public service, he did not have the rights to spy on the communications passing through his servers. Apparently the Swedish law may have a similar statute.
Yes, he was the admin on the boxes in question. No, he did not necessarily have the rights to peer into private communications a la ECPA, Wiretap act, and the Trap and Trace act. (If he were in the USA.)
@Matt from CT
">and his right of Habeas Corpus
>generally spat upon.
Nice buzzword...might want to look up what it means before using them though"
You're right. Thanks for setting me straight...
That was my first thought too, but then if so many of them were really illicit account holders, he might actually be notifying the wrong people. That was the "catch 22" that brought me to the conclusion that a much more cautious approach might have been better. Ultimately, I don't think any charges will stick either, but they will probably scare the pants off the guy in the meantime.
My thoughts exactly. If you are my landlord, it does not mean you can hide secret cameras in the house. If you own a bridge, it doesn't mean you can install skirt-cams to catch ladies walking across. Phone: no, you can't tap me just because you're the provider. The latter two examples and the exit nodes are what we call "instrumentalities of transportation and communication" (in contract law anyway), and controlling them does not grant the right to spy on people using them.
Wow, a lot of people are accusing this guy of acting irresponsibly without saying what else he could have done (except those who say he should have contacted the compromised parties first -- you need to read the article again).
He acted in the only way that makes sense. I'm Canadian, and if a Canadian embassy was compromised, I feel like I should thank Mr. Egerstad.
If he sent an e-mail to the embassy warning them their communications could be intercepted and they ignored him, publishing the account details was exactly the right course of action. Now there is absolutely no ambiguity about what information has been leaked, and the security hole must be closed. We are all safer for it.
Not to mention he's safer for it too. As Dave suggested, only sending out a limited number of private e-mails would have made it easier for him to "disappear."
You can bet Egerstad wasn't the first person to think of this fairly obvious attack. All those accounts *were* compromised. He just let us know about it.
What I can't grasp is why he actually published the full usernames and passwords. Why not just publish part of the username and maybe first two or three letters of the password?
Unfortunately we see quite a lot of this behaviour in Sweden.
I don't think the prosecutor actually believes in the charges himself. Seriously, "dataintrång" does not cover looking at traffic other people send to your computer, that's obvious.
This individual did something to embarrass the establishment in a way that can never lead to him being convicted in a court of law. Instead, the people in high places use the police and prosecutors to harass the guy - as simple revenge.
Not very pretty, but that's Sweden for you. In the US, they would probably have called him a "threat to national security" and poof, he just disappears into a prison that doesn't even exist.
The ECPA (18 U.S.C. 2701-1) was mentioned above, but wouldn't apply in this case, as it "... does not apply with respect to conduct authorized ... by the person or entity providing a wire or electronic communications service."
I didn't actually read the article at all the first time. It's from the Sydney Morning Herald and they rarely have anything new to add to any discussion.
Egerstad mentioned back in August that it was impractical to attempt to contact everyone on the list.
What I SHOULD do and what I actually do aren't always the same thing either. I see lots of compromised websites in the logs of our sites as part of attempts to compromise our webservers. What I should do is contact the owners of every site being used in an attack and the owners of the IP address actually perpetrating the attack and inform them all of what is going on and teach them how to stop it happening. What I actually do is ignore it... and occasionally blog about it.
@dragonfrog: Because the Swedish law is german civil law inspired, I doubt there is an "habeas corpus" right (at least named like that), second some legal system (France for example) give the police some extraordinary power if they want to arrest people while they are doing something illegal. The whole problem here is seeing if Dan did something illegal or not.
There are a lot of really incorrect things about the law being said in the comments, but I'll only address a few:
the relevant U.S. law is not 18 USC 2701 (stored communications) but 18 USC 2511 (wiretap).
If there's a server in the U.S., then it's likely subject to U.S. jurisdiction.
Being questioned, arrested, and charged are all separate, but possibly overlapping, dispositions.
I would finally ask why, if providing a service and listening on it, and then publishing otherwise private data is acceptable, there is the uproar there is over secret rooms at phone companies.
If AT&T started publishing the passwords and usernames, this comment board would be in an uproar, and rightfully so. Why is this different?
> I would finally ask why, if providing a service and listening on it, and then
> publishing otherwise private data is acceptable, there is the uproar there
> is over secret rooms at phone companies.
I'm not exactly sure that what Dan Egerstad did was *entirely* kosher (it's certainly slanted a little towards the sensational), but there are several differences between what he did and secret rooms at phone companies.
First is the level of service provided. The Tor project itself documents what service the Tor network is providing, and gives a very well written account of what services the Tor network are *not* providing (see http://www.torproject.org/, specifically http://www.torproject.org/...
More pointedly, they specifically mention exit node eavesdropping, and make it pretty clear that users should regard this as a potential security threat. (https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#ExitEavesdroppers)
Second, Egerstad did not publish all usernames and passwords that came through his exit nodes, he posted "inter-governmental, NGO and high-value corporate email" credentials. Certainly all of these are large public entities that ought to have better security practices, particularly as they have a public duty. Publishing them is certainly embarrassing, but an effective way to publicize the problem.
Finally, neither the Tor network nor the telecommunications companies have a public responsibility to protect data outside their network. Egerstad was monitoring an exit node, not traffic inside the network itself. The secret room (allegedly) was monitoring traffic inside the network, which the telecommunications companies have an acknowledged and legally encoded public duty to protect from government wiretapping without warrant.
The pertinent question is if Tor is a public service. Inserting yourself into a public infrastructure does not somehow will the users of that infrastructure into having given you consent to monitor their data. The Tor project's choice to describe what the protocol protects against and what it is not able to protect against should not be an excuse to give users less security.
To put it another way, why should the legal protection decrease at the time the technological protection decreases? Shouldn't it be the other way? Shouldn't the law be the most protective when there isn't a technological protection available? Because a door lock is vulnerable, does this mean that breaking and entering is permitted?
The second point makes the argument that because these passwords were particularly important, that is more justification to expose them. Presumably, unimportant passwords however, should not be exposed. Why is it, again, that as the value of the data increases the protections for it should decrease?
I would have more sympathy for the underlying argument (that this protects against future attacks more than the harm of the current attack) if running tcpdump on an exit node was a novel, or previously undiscovered 'attack.' That's far from the case.
The final argument is that a service provider (presumably those who run exit relays are service providers with regards to the relay) doesn't have an obligation to protect data outside their networks. Agreed.
Conceding that data still on his machine, merely unencrypted, is "outside" the network, how does this help the argument?
Instead of being a trusted member of the network, who might even have an excuse to monitor the network (if what he was doing was maintenance related), now he's no different than someone sitting outside the network listening in on the conversation? How is that better?
Is it because he's no longer betraying their trust since he's outside the network? That's a hard argument to maintain given that the data only got to him by virtue of his involvement in the first place.
The legal duty that affects the telecommunications companies applies just as fully to small providers, as it should. The inside/outside the network distinction cuts against the point for two reasons. 1) Data inside the network is presumably entrusted to the provider, and in fact the U.S. law has exceptions carved out for monitoring during maintenance, etc.; 2) those who listen in on conversations outside the network can have no legitimate claim to the communication.
I'm unfamiliar with what law creates the duty that forces the telecommunications companies to protect their communications from government wiretapping without a warrant. My understanding is that the law protects all communications from wiretapping, and then carves out exceptions, for maintenance, for those involved in the exchange, and for duly authorized warrants, amongst others.
Our discussion is a little muddled here as we're discussing simultaneously legal and ethical implications.
Legally, I have no idea if what Egerstad did was wrong. I'm unfamiliar with Swedish telecommunications law.
Ethically, I have reservations about what Egerstad did. If he took steps to ensure that he informed those people whose credentials he'd sniffed that he was going to publish those credentials, then the value of publishing them (for the sake of publicizing the problem) vastly outweighs the harm (basically, just embarrassing people who ought to know better).
> Shouldn't the law be the most protective when there isn't a
> technological protection available?
There are a couple of different ways to look at that question. Either way, though, the law is supposed to exist to protect you from harm, no? It's very easy in this particular case to argue that Egerstad is attempting to protect people from harm. He's not using the account credentials himself for nefarious ends (presumably). He's publishing the credentials (supposedly) to raise awareness that people are using the Tor network without understanding what it is they're getting. There is a sensationalism aspect to it, sure, and you can argue that he did what he did to get himself in the press - this is the sort of thing that Marcus Ranum would probably sneer at. But it's certainly the case that the more sensational the story, the more coverage it gets, and the more likely it is that people who may be misunderstanding how secure Tor makes them might learn about it. Taking into account the fact that publishing this sort of thing is very, very likely to get you in hot water (as shown here), and that Egerstad is clearly not an idiot and knew this ahead of time, it's reasonable to assume an altruistic motivation here.
> The second point makes the argument that because these passwords
> were particularly important, that is more justification to expose them.
That's actually not what I was trying to say. What I'm trying to say is that exposing that set of credentials more thoroughly illustrated the extent of the problem, but publishing a bunch of "everyday Joe" credentials doesn't add much.
> I would have more sympathy for the underlying argument ...if running
> tcpdump on an exit node was a novel, or previously undiscovered
> 'attack.' That's far from the case.
This belies a security researcher bias. Clearly a large percentage of people who use Tor are unaware of the implications of what they're doing. To these people, this *is* an undiscovered attack. Publishing it in a way that gets it out of security researcher publications and into the mainstream media raises awareness.
> Now he's no different than someone sitting outside the network listening
> in on the conversation? How is that better?
How is that relevant? If the network engineer that provided the bandwidth to the Tor nodes (which they certainly could do, being able to monitor the interface) had published these same results, the action would be essentially equivalent, and we'd be discussing it essentially on the same grounds.
> I'm unfamiliar with what law creates the duty that forces the
> telecommunications companies to protect their communications
> from government wiretapping without a warrant.
Case law, Katz v United States, Supreme Court decision 1967.