LOPSI 2: a look back at the Timberlinebombinfo affair

by antoine

Here in France, a new law, provisionally called
« LOPSI 2 », is to authorize the police to use spyware to 'tap' private individuals' computers, subject to a judge's authorization.
Under these circumstances, it seems worthwhile to us to revisit the « Timberlinebombinfo » affair.


The forthcoming law intended to allow the French police to plant spyware was announced by "Le Figaro" on 14 December.

Under these circumstances, it seems worthwhile to us to revisit the « Timberlinebombinfo » affair, summarized here by O1.Net.

Below, untranslated and very lightly formatted, are excerpts from the 18-page deposition of the FBI agent who installed or used the spyware (a CIPAV in American legal parlance) to 'log' the young high-school student and self-proclaimed cyber-genius (his e-mails are worth a look).

This deposition foreshadows how, in France, LOPSI 2 will be the natural complement, so to speak, of the decree of 24 March 2006 (retention of connection data for one year)
(in the American setting it is the well-known « Patriot Act » that the agent invokes, both for the « log » requests to ISPs and for the use of the spyware).
This deposition also shows you, concretely, what happens when no-log (or any other ISP) receives a request for logs under a judicial order.
(further remarks follow the excerpts from the deposition)

Quick glossary:
 affidavit = sworn testimony before a court of law.
 warrant = legal authorization (typically a search warrant)
 the United States = in a judicial context: the US government.
 to broadcast = to transmit, to send out
 the unknown subject = here, the anonymous individual
 a threat = a menace
 a hint = a suggestion
 herein = in this place (formal legal language)
 to jeopardize = to put at risk

WESTERN DISTRICT OF WASHINGTON

AFFIDAVIT number MJO7-5114

of JUNE 12 2007

« U.S. FBI Special Agent Norman B. Sanders, being duly sworn, depose and say »

« I am a special agent for the Federal Bureau of Investigations... I am currently assigned to the Seattle Office’s Cyber Crime squad ...
I submit this affidavit in support of the application of the United States for a search warrant.... Essentially, if a warrant is approved, a communication will be sent to the computer being used to administer :
www.myspace.com (« MySpace »)
user account « Timberlinebombinfo »....

In this manner, the FBI may be able to identify the computer and/or user of the computer that are involved in committing criminal violations of the United States Code ...
More specifically, the United States is applying for a search warrant authorizing :
a) the use of a computer and Internet Protocol Address (« IP address ») Verifier ...
[footnote : Section 216 of the USA Patriot Act]
b) ... to send network level messages containing the activating computer’s IP address and/or MAC address....
c) That the FBI receive and read within ten days, at any time of day or night, the information [given by the CIPAV]

In general, a CIPAV utilizes standard internet computer commands commonly used over area networks (LANs)... the exact nature of these commands.... is classified.
As such, the property to be accessed by the CIPAV request is the portion of the activating computer that contains environmental variables and/or registry-type information such as
the computer’s true assigned IP address,
MAC address,
open communication ports,
list of running programs,
operating system (type, version, and serial number), internet browser and version,
language encoding,
registered computer name,
registered company name,
current logged-in user name,
and Uniform Resource Locator (URL) that the target computer was previously connected to.

An Internet Service Provider (ISP) normally controls a range of several hundred (or even thousands) of IP addresses, which it uses to identify its customers’ computers.
IP addresses are usually assigned « dynamically » : each time the user connects to the internet, the customer’s computer is randomly assigned one of the available IP addresses controlled by the ISP.
The consumer’s customers retain that IP address until the user disconnects...
Once the user disconnects ... that IP address becomes available to other customers who connect thereafter.
However, ISP business customers will commonly have a permanent, 24-hour Internet connection to which a « static » (i.e. fixed) IP address is assigned.
Every time a computer accesses the Internet and connects to a web site, that computer broadcasts its IP address along with other environment variables. These environment variables ... may assist in locating the computer ...

The hard drive of some computers contains registry-type information. A registry contains ... information about what Operating System software and version is installed, the product serial number of that software, and the name of the registered user of the computer.
Sometimes, when a computer connects to a software vendor’s website for the purpose of obtaining a software upgrade, the web site retrieves the computer’s registry information stored on its internal hard drive.

THE INVESTIGATION

.... On June 4, 2007, Timberline High School received a bomb threat
[by] e-mail from sender
« dougbriggs123@gmail.com »
On June 5, 2007, the unknown subject sent an e-mail from
« dougbrigs@gmail.com » stating...
« Oh, and for the police officers and technology idiots at the district office trying to track this e.mail... I can give you a hint. The e.mail was sent over a newly made gmail account, from overseas in a foreign country. ... So, good luck talking with Italy about getting the identity of the person who owns the 100Mbit dedicated server »
In another e-mail, the unknown subject states the following :
« HAHAHA... it’s coming from Italy. Oh, and this e.mail will be [sent] behind a proxy behind the Italy server ».

School administrators ordered an evacuation of the school on June 5, 2007

On June 7, 2007, Detective Jeremy Knight, Lacey Police Department, received information from the Thurston County Sheriff’s office which had received a complaint from a person identified as A.G.
A.G. stated that he had received information through myspace.com from the MySpace profile of
« Timberlinebombinfo »....

On June 8, 2007, Comcast Internet, New Jersey, reported that
residential address ...... received Comcast Internet services from the following subscriber :
S.... S.....
............. ; WA .......
Telephone .........
Dynamically Assigned Active Account
Account number : 8498380070269681

On June 4, 2007, Google provided subscriber, registration and IP Address log history for the e-mail address
« dougbriggs123@gmail.com ».
 Status : enabled
 Name Doug Briggs
 Created on : 03-Jun-2007
 Lang : en
 IP : 80.76.80.103
 LOGS : All times are displayed in UTC/GMT
dougbriggs123@gmail.com
 Date/Time               IP
 04-Jun-2007 05:47:29 am 81.27.207.243
 04-Jun-2007 05:43:14 am 80.76.80.103
 03-Jun-2007 06:19:44 am 80.76.80.103

On June 6, 2007, a SmartWhoIs lookup of IP Address 80.76.80.103 resolved to :
Sonic S.R.L., Via S.Rocco 1, Grumello Del Monte, Italy
Phone +3903544912.., Email .....@sonic.it.
[Our service] connected to http://sonic.it, which displayed an Italian business webpage for Sonic SRL Internet service provider.

On June 7, 2007, a request to MySpace for subscriber and IP Address logs for MySpace user
« Timberlinebombinfo »
provided the following results :
 USER ID : 199219316
 first Name : Doug
 Last Name : Briggs
 Gender : Male
 date of Birth : 12/10/1992
 Age : 14
 Country : US
 City : Lacey
 Postal Code 985003
 region : Western Australia
 User Name : timberlinebombinfo
 Sign up IP address 80.76.80.103
 Sign up Date : June 2007 7:49PM
 Delete Date N/A
 Login Date : June 7, 2007 7:49:32:247 PM
 IP Address 80.76.80.103
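The two provider responses quoted above (Google's IP log history and the MySpace subscriber record) are only useful once they are correlated: the same IP has to be matched across sources, and a dynamically assigned IP has to be resolved against the ISP's lease records at the exact UTC timestamp. The following Python is an added example, not code from the original article or the affidavit: it parses constructed log lines in the layout the affidavit quotes, finds the IPs common to both sources, and resolves a dynamic IP the way an ISP answering a judicial request would. The lease table, the account names and the `timberlinebombinfo` record values other than the two IPs are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: Google IP log history in the layout quoted in the affidavit.
# The second line reproduces the missing hyphen seen in the quoted excerpt.
GOOGLE_LOG = """\
04-Jun-2007 05:47:29 am 81.27.207.243
04-Jun 2007 05:43:14 am 80.76.80.103
03-Jun-2007 06:19:44 am 80.76.80.103
"""

# Constructed sample: the MySpace subscriber record, one "key : value" per line.
MYSPACE_RECORD = """\
User Name : timberlinebombinfo
Sign up IP address : 80.76.80.103
Login Date : June 7, 2007 7:49:32 PM
IP Address : 80.76.80.103
"""

# day-Mon-year (hyphen or space before the year), 12-hour time, am/pm, dotted IPv4
LOG_RE = re.compile(
    r"(\d{2})-([A-Za-z]{3})[- ](\d{4}) (\d{2}:\d{2}:\d{2}) (am|pm) (\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)


def to_utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime (the log says all times are UTC/GMT)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_google_log(text):
    """Return a list of (utc_datetime, ip) tuples, one per recognised log line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # ignore headers and blank lines
        day, mon, year, clock, ampm, ip = m.groups()
        stamp = f"{day}-{mon}-{year} {clock} {ampm.upper()}"
        when = datetime.strptime(stamp, "%d-%b-%Y %I:%M:%S %p").replace(tzinfo=timezone.utc)
        events.append((when, ip))
    return events


def parse_myspace_record(text):
    """Return the record as a dict with lower-cased keys."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip().lower()] = value.strip()
    return record


def ips_seen_by_both(google_events, myspace_record):
    """IPs that appear in the Google login log and in any MySpace IP field."""
    google_ips = {ip for _, ip in google_events}
    myspace_ips = {v for k, v in myspace_record.items() if "ip address" in k}
    return sorted(google_ips & myspace_ips)


# Constructed, hypothetical DHCP lease records of the kind an ISP consults when asked
# "which subscriber held IP X at instant T". The same IP changes hands at 06:00 UTC.
LEASES = [
    # (ip, lease_start_utc, lease_end_utc, subscriber_account)
    ("81.27.207.243", to_utc(2007, 6, 3, 22), to_utc(2007, 6, 4, 6), "ACCOUNT-A"),
    ("81.27.207.243", to_utc(2007, 6, 4, 6), to_utc(2007, 6, 4, 18), "ACCOUNT-B"),
]


def resolve_subscriber(leases, ip, at):
    """Return the account holding `ip` at instant `at` (UTC), or None if unknown.

    A dynamic IP identifies nobody on its own: the answer depends on the timestamp,
    and on that timestamp being interpreted in the right time zone.
    """
    for lease_ip, start, end, account in leases:
        if lease_ip == ip and start <= at < end:
            return account
    return None


if __name__ == "__main__":
    events = parse_google_log(GOOGLE_LOG)
    record = parse_myspace_record(MYSPACE_RECORD)
    print("common IPs:", ips_seen_by_both(events, record))
    first_when, first_ip = events[0]
    print(first_ip, "at", first_when, "->", resolve_subscriber(LEASES, first_ip, first_when))
    # Misreading the same clock time as US Pacific (UTC-7) lands in the next lease:
    print(first_ip, "misread as local ->",
          resolve_subscriber(LEASES, first_ip, to_utc(2007, 6, 4, 12, 47, 29)))
```

The common-IP check reproduces what the affidavit relies on (80.76.80.103 appears in both sources), and the lease lookup shows why the log header's "All times are displayed in UTC/GMT" matters: the same IP read seven hours later resolves to a different subscriber.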

FBI Seattle Division contacted the FBI Legal Attaché in Rome, Italy and an official request was provided to the Italian National Police requesting assistance in locating Sonic SRL and locating the compromised computer utilizing IP Address 80.76.80.103.....

Compromised computers are generally infected with computer viruses, trojans, or other malevolent programs which can allow a user the ability to control computer(s) on the internet...
It is common for individuals engaged in illegal activity to access and control compromised computer(s) to perform malicious acts in order to conceal their originating IP addresses.

Based on training, experience, and the investigation described herein, I have concluded that using a CIPAV on the target MySpace « Timberlinebombinfo » account may assist the FBI to determine the identities of the individual(s) using the activating computer.....

The CIPAV will be deployed through an electronic messaging program from an account controlled by the FBI.

After the one-time search, the CIPAV will function as a pen register device and record the routing and destination addressing information for electronic communications originating from the activating computer.

The pen register will record IP address, date, and times of the electronic communications, but not the contents of such communications, and forward the IP address data to a computer controlled by the FBI for a period of 60 days.

CONCLUSION

assuming providing notice would ... jeopardize the investigation.... , I request permission to ask this court to authorize an additional delay in notification ... because there are legitimate law enforcement interests that justify an unannounced use of the CIPAV ...
I ask this court to authorize the proposed use of the CIPAV without the prior announcement of its use.

Final remarks:

The investigation is very fast, almost instantaneous:
 on July 4, the school receives the threat
 the same day, Google hands over the logs
 on July 6, the local police are informed of the existence of the « timberlinebombinfo » account
 the same day, MySpace hands over the logs
 also on July 6, the FBI contacts the Italian police.

The spyware does not spy on the content of messages:
authorization is requested only for connection data (the same data that the LCEN requires), never for the content of communications. Apparently the 'Patriot Act' does not allow it.

The authorization is secret:
That is the whole difference between the authorization requested and a search warrant. The FBI agent asks for authorization to search the computer, but secretly, by silently picking its digital locks. This amounts to asking for permission to enter a suspect's home in his absence and to rummage secretly through his belongings.