
I wonder if anyone has ever sent a fake National Security Letter. The inability to speak about or verify these letters is concerning to me.

Seems like you could cause a lot of damage by sending a fake NSL ordering a company to send you private data. At minimum it would cost the company several thousand dollars in legal fees to determine it's fake.



I doubt that these are simply sent through the mail - they may be called 'letters' but they're the kind of thing that would likely be delivered by Men In Suits with ID cards, or at the very least accompanied by a phone call if they're frequent enough that the parties would be familiar with the forms and process.


True, but who knows what a real MIB ID looks like? And do they have a phone line that you're allowed to call to verify these? Big companies might deal with the real guys regularly but not the smaller ones.


National Security Letters must be approved by the Director of the FBI, so yeah, there's probably a hotline you can call.


It could be simpler. For example Facebook has an online portal https://www.facebook.com/records/


But I doubt they want you calling to verify on an insecure line.


Trying to set up a situation where one could gain something (even just laughs) from attempting to send a fake NSL seems like a great way to end up in prison for the rest of your life. Not sure what laws that would violate (aside from impersonating), but I'd bet they'd find them.


Nicholas Merrill describes how his NSL arrived here around 1:20 in:

https://www.youtube.com/watch?v=eU2wAu4qE60


And how was that, for us without audio capabilities?


Got a mysterious call saying an agent (presumably he knew it was an FBI agent) would be coming to deliver a letter.

Agent arrived, handed him the letter.

He read it, asked if he couldn't even talk about it with his business associates and lawyer.

Agent shrugged and asked him to sign a receipt.


One of John Le Carre's spy novels was built around this idea [0]. His novel happens to revolve around an anti-Israeli activist tricked into spying for Israeli intelligence, but at the core it's a study in the difficulties an individual faces trying to reliably validate the identity behind a well-funded "social engineering" attack.

[0] https://en.wikipedia.org/wiki/The_Little_Drummer_Girl


Isn't that basically the premise for Alias?


I'd be shocked if you couldn't verify their legitimacy with the agency that served them if for some reason their origin was in question.


"hello FBI switchboard operator - please connect me with the department where I can confirm receipt of my secret subpoena"


NSLs aren't signed by "The FBI", but rather some Agent of the FBI, which includes their case number and contact information. Even if one had to cold call the FBI operator, they could probably ask for the investigator in charge of case "X1234" and get whomever they needed that had clearance to discuss the issue.

If someone forged an NSL, it would be arguably trivial to verify its authenticity by doing a number of things, including walking into a local FBI office and asking to speak to someone about the case number, which is public enough information within the confines of the agency to get you someone who can talk about the case without having to describe the specifics of the letter over a phone to someone who might leak that information resulting in your arrest.


> speak to someone about the case number, which is public enough information within the confines of the agency

I have absolutely NO idea how you reach that conclusion. I know that legal arguments have been made for suppressing every single word of a NSL, and that even admitting the existence of the NSL is specifically prohibited by the law.

What makes you think that this query would not be a violation of the law?


Well, the WP article on NSLs has an EFF-sourced minimally blacked-out example of an NSL, which explicitly states "[blacked out communication details] or through use of a delivery service or secure fax...", and while there is an entreaty to not disclose it through routine mail or phone, it would seem there are mechanisms (including, presumably, asking your attorney to file paperwork about it and seeing if it gets sealed so fast your head spins) to communicate about it.


Imagine delivering a fake NSL that's forged using a random case-number that happens to correspond to a real, active, and classified investigation, though. (Not even necessarily one that ever issued an NSL.) You'd ask them to talk to you about the case number, and then they'd completely clam up, because it is a case but it's one that doesn't involve you at all, so they don't want to admit of its existence to you. Kafka-esque results.


Since we don't know the actual method for verification this is speculation, but people put too much faith in phone calls, and telecom CPE security is often lax. You might be able to spoof verification of an NSL by hacking the DOSA capability of the FBI's PBX and setting up an extension to forward to your phone. The recipient feels confident they called the real FBI. The attendant thinks they forwarded the call to an extension, but your phone gets the call.


Much easier to put the POTS equivalent of a proxy on the person's line (e.g. an LTE picocell hidden near their home, configured in a Stingray-like mode, running its own internal call-switching logic) than to hack the FBI's PBX, I'd think.


That requires equipment! Seriously though, the only picocells I know of that are "open" enough to turn into a poor man's stingray are 2G-only, and that will show up in the phone's connectivity status icon, and it assumes cell phone use. How very 21st c.

Now that most people have forgotten their desk phone, weak security in passwords and feature access is probably worse than it has ever been in enterprise CPE. DISA/DOSA is an end-user feature, so it's not as if you are hacking the PBX configuration. It's more like hacking an individual user's voicemail. Plus it has that retro cachet of "what we were hacking before we had computers to hack."

Get out your old back issues of 2600.


Might work for a small shop, but the bigger companies have legal departments who've already been served with warrants and met with feds. And who knows, maybe NSLs start with a conventional subpoena to appear at your local court room or FBI office for a meeting you can't refuse. In fact, I'd wager that they would be served in a federal courthouse before a judge informing the recipient of their (lack of any) rights.


I wish that were true... But there are actually no judges involved in this process, and trying to get them involved may end up with you on the wrong side of the court room.


Where would the fake NSL demand you send the collected info?


"FBI office" at an address where no (real) FBI office exists (with a slightly obfuscated address that doesn't mention FBI by name, but something that sounds like a department in FBI but isn't, so that the postal service doesn't get suspicious).


An Indian call center, of course. XD



