Since EFF visited Ecuador three weeks ago, the investigation into open source developer Ola Bini has proceeded as we described then: drawn out, with little evidence of wrong-doing, but potentially compromised by acts of political theater outside the bounds of due process and a fair trial.
Last week — shortly after prosecutors successfully extended the investigation for another 30 days and informed Bini that they would also be opening new investigations into his taxes and visa status — Ecuadorean TV and newspapers published leaked imagery and conversations from evidence collected in the trial, together with claims from sources that this imagery proved Bini hacked the systems of Ecuador’s national communications provider, ECN.
The evidence offered was a screenshot, said to be taken from Bini’s mobile phone. The press reported that the phone was unlocked by police after seized security footage revealed Bini’s PIN when he used his phone in his own office elevator.
Telnet Is Not A Crime
Cursory examination of the actual screen capture reveals that both the leaker and the media misunderstand what the new evidence shows. Rather than demonstrating that Bini intruded into the Ecuadorean telephone network’s systems, it shows the trail of someone who paid a visit to a publicly accessible server — and then politely obeyed the servers’ warnings about usage and access.
Here’s the screenshot (with our annotations), taken from the evidence as it was finally submitted to the court.
Those knowledgeable about Unix-style command line shells and utilities will recognize this as the photograph of a laptop screen, showing a telnet session (telnet is an insecure communication protocol that has largely been abandoned for public-facing technologies).
Command line interactions generally flow down the page chronologically, from top to bottom, including both textual commands typed by the use, and the responses from the programs the user runs. The image shows, in order, someone – (presumably Bini, given that his local computer prompt shows “/home/olabini”) – requesting a connection, via Tor, to an open telnet service run on a remote computer.
Telnet is a text-only communication system, and the local program echoes the remote service’s warning against unauthorised access. The remote service then asks for a username as authorization. The connection is then closed by the remote system with a “timeout” error, because the person connecting has not responded.
It’s the Internet equivalent of seeing an open gate, walking up to it, seeing a “NO TRESPASSING” sign, and moving on.
The last line on the screen capture shows the telnet program exiting, and returning the user to their own computers’ command line prompt.
This is not demonstrative of anything beyond the normal procedures that computer security professionals conduct as part of their work. A user discovers an open telnet service, and connects to it out of curiosity or concern. The remote machine responds with a message by the owner of the device, with a warning not to log on without authorization. The user chooses to respect the warning and not proceed.
It’s the Internet equivalent of seeing an open gate, walking up to it, seeing a “NO TRESPASSING” sign, and moving on.
It’s notable also what was not leaked: the complete context surrounding the screenshot. The picture allegedly came from a series of messages between Ola and his system administrator, Ricardo Arguello, a well-known figure in the Ecuadorian networking and free software communities. The full conversation was omitted, except that that Bini sent this screenshot, to which Arguello replied, “It’s a router. I’ll talk to my contact at CNT.”
If you found a service that was insecurely open to telnet access on the wider Internet, that’s what you might reasonably and responsibly do — message to someone who might be able to inform its owner, with evidence that the system is open to anyone to connect. And under those conditions, Arguello’s response is just what a colleague might say back — that they would get in touch with someone who might be able to take the potentially insecure telnet service offline, or put it behind a firewall.
Certainly, that explanation fits the facts of this screenshot far better than the press reports that claims this is proof that Bini invaded the “entire network” of Ecuador’s national oil company, Petroecuador, and the former National Intelligence Secretariat.
EFF’s conclusions from our Ecuador mission were that — from its very beginnings in a hasty press conference held by the Interior Minister that spoke of Russian hackers and Wikileaks members undermining the Ecuadorean state — political actors, including the prosecution, have recklessly tied their reputations to a case with little or no real evidence. It’s disappointing, but not surprising, that Ola Bini’s prosecution continues to be publicly fought in the Ecuadorean press, with misleading and partial leaks and distractions, instead of in a courtroom, before a judge.
We trust that, when and if this evidence is presented in court, that judge will examine it more skeptically, and with better technical advice, than the prosecution or media has until now.