
FBI Quietly Returns Anonymizing Server It Seized... Without Telling Anyone

from the but-the-whole-thing-was-caught-on-video dept

You may recall the uproar a few weeks ago when the FBI seized a server used by activists to keep their information anonymized. The server was used by Riseup Networks and May First/People Link. The FBI claimed it needed it as a part of an investigation into bomb threats at the University of Pittsburgh, but it was quite disruptive for lots of legitimate users. And, of course, seizing the server did nothing to stop the bomb threats, which kept coming.

However, the story is now getting more bizarre, as the FBI appears to have simply put the server back in the cabinet without telling anyone -- but the whole thing was caught on video (found via Slashdot).

The feds seem to be getting into a bit of a habit of seizing things through cluelessness and then sheepishly returning them later. Still, the folks who own the server are quite reasonably uncomfortable about using it again:

"May First/People Link has removed the server from the facility and is in the process of analyzing it. The server will not be put back into production."


Reader Comments

  1. MonkeyFracasJr (profile), May 4th, 2012 @ 9:49am

    Will not be put back into production ...

    It would be a 'hoot' to hear later that they found some malicious eavesdropping software or back-door trojan install prior to return.

  2. apauld (profile), May 4th, 2012 @ 9:50am

    C'mon smile!

    you're on candid camera!

  3. Jay (profile), May 4th, 2012 @ 9:51am

    Re: Will not be put back into production ...

    Not too surprising, since the Feds just recently asked people to have their computers checked for malware.

  4. Anonymous Coward, May 4th, 2012 @ 9:55am

    "sheepishly"

    Wow. You really are off on it today, aren't you Mike?

  5. Anonymous Coward, May 4th, 2012 @ 9:56am

    Let me add this too: Have you considered that perhaps they took the server, copied the contents of the hard drives, and then returned it, because holding the actual server wasn't doing anything for them?

    You are so narrow minded.

  6. Ninja (profile), May 4th, 2012 @ 9:57am

    I'm amazed and amused at how incompetent the FBI (and the authorities in general) are at keeping a low profile. This wouldn't be in the news if they had returned the hardware telling it was properly analyzed and showed no evidence that could be used with an apology letter. Srsly. But news about the FBI making a blunder and sneaking seized assets quietly are much more candy to the mainstream media.

    Still, it's good because it's exposing how they are abusing their power and stretching the laws in their own benefit.

  7. MonkeyFracasJr (profile), May 4th, 2012 @ 9:59am

    Re:

    I am a cynic but I really don't see the gov't bothering to do the extra work of returning something if they don't have a VERY compelling reason to do so. They didn't return it out of the 'goodness in their hearts'.

  8. Ninja (profile), May 4th, 2012 @ 10:03am

    Re:

    I'm skeptical. They are the same FBI that sneaks GPS tracking devices on aleatory cars without warrants just because they think they can. What would prevent them from altering the hardware in the same manner?

  9. :Lobo Santo (profile), May 4th, 2012 @ 10:05am

    The future of techdirt

    Well, one of the items on the 'is your nation a fascist regime?' checklist is that criticizing the government becomes illegal (any day now).

    I'm'a miss techdirt when it's taken down as a "homegrown terrorist" site--due to pointing out clueless/malicious government actions.

  10. Ninja (profile), May 4th, 2012 @ 10:06am

    Re: Re:

    Oh how convenient, look at the link that just popped on my tweeter: http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/ courtesy of @VizFoSho and CNET.

  11. Ninja (profile), May 4th, 2012 @ 10:09am

    Re: Re: Re:

    For the grammar nazis: I know I wrote Twitter wrong. Bad habit that started with a joke.

  12. BentFranklin (profile), May 4th, 2012 @ 10:10am

    Wait, what? The FBI took it and then reinstalled it, both times on the sly?

    It doesn't say whether ECN was notified, but they must have been, if only to indicate which rack was MF/PL's colo. They were probably ordered not to tell their customer anything on the removal. But on the reinstallation, that's just bizarre.

    Also, what's the FBI doing in Italy? There must be more to that story as well.

  13. Anonymous Coward, May 4th, 2012 @ 10:11am

    Re:

    Uh, I don't understand much about law enforcement procedures but, if that's all they wanted to do, couldn't they have copied all the data on site in like an hour or something?

    Why seize the server?

  14. Anonymous Coward, May 4th, 2012 @ 10:14am

    Was it one of their own terror plots that the FBI was instigating?

  15. :Lobo Santo (profile), May 4th, 2012 @ 10:15am

    Re: Re: Re: JCF!!

    Jesus fuck, why doesn't the FBI just put out a missive that says "you are required to lay bare all of your user data to any script-kiddy level hacker" and call it gott-damn day?

    Anybody with a brain can tell you that's exactly where it will go--spoof up a "I'm from the FBI" ip address and use a user name and password you got from Robert Hackerton's phone calls and ta-da!, you're the gott-damm FBI and can look at anybody's data in any company...

    *Grrr!...*

  16. Damien BIZEAU, May 4th, 2012 @ 10:16am

    Killer Scientists

    Killers Scientists are behind many VERY dangerous activities since 1952. I have personally experienced a major scam against me and my loved ones they have been operating for at least 3 decades. Beware of scientists: all they want is to steal your money, your ideas, your life in whole + it tremendously affects your day to day dealings in your life and in the lives of those you love or like. The T.G.I of Chartres (FRANCE) and International Authorities are currently resolving my case against the scientist "people" - I NEVER PARTICIPATED IN ANY ACTION TO SERVE A SCIENTISTS' CONCEPT OR WAY OF LIFE! From: Damien Yves Daniel BIZEAU / 29/04/1971 - French Catholic.

  17. Anonymous Coward, May 4th, 2012 @ 10:20am

    Not to cross over, but @Ninja

    Woof, woof.

  18. Anonymous Coward, May 4th, 2012 @ 10:21am

    It appears the Men in Black forgot to use their memory eraser flash to erase all remembrance of the incident.

  19. Anonymous Coward, May 4th, 2012 @ 10:21am

    Re: Re:

    Actually, much simpler: just take the disks. They might need to do some forensics after all.

    But if their only concern is data, they certainly wouldn't need the whole machine, right?

  20. Anonymous Coward, May 4th, 2012 @ 10:24am

    Who holds the FBI accountable to its employers?

    No, I mean seriously. The people do pay their salaries after all.

    p.s.: LOL. Read comment #14 carefully.

  21. Anonymous Coward, May 4th, 2012 @ 10:26am

    I bet the FBI put a GNU/Linux back door into the UEFI.

  22. Overcast (profile), May 4th, 2012 @ 10:29am

    "May First/People Link has removed the server from the facility and is in the process of analyzing it. The server will not be put back into production"

    That's sad, if you think about it.

    Millions may use it a day for web surfing - and they are ok with that, but let the FBI mess with it a couple days and the trust goes out the window.

    That's basically saying, 'we trust the general population at large, more than the FBI'.

    Can't blame them.

  23. FBI Agent, May 4th, 2012 @ 10:33am

    Terrorists, children, national security.

    Trust us.

  24. John Q. Public, May 4th, 2012 @ 10:34am

    Re:

    I resemble that remark.

  25. Overcast (profile), May 4th, 2012 @ 10:42am

    "Actually, much simpler: just take the disks. They might need to do some forensics after all.

    But if their only concern is data, they certainly wouldn't need the whole machine, right?"


    Good point and they wouldn't even need the disks, I'm thinking too. Just an image would do, I would think, since the only concern was the data/logs - I'm guessing.

    Perhaps this speaks to their ability... but maybe there's some other reason they would need all of the hardware.. heh...

  26. Overcast (profile), May 4th, 2012 @ 10:45am

    "Let me add this too: Have you considered that perhaps they took the server, copied the contents of the hard drives, and then returned it, because holding the actual server wasn't doing anything for them?

    You are so narrow minded."


    They could have used Symantec System Restore - for instance, and wouldn't have even had to take the server offline.

    USB hard disk - run SSR - get image - go. No downtime. It's done all the time where I work - daily as a matter of fact, for DR.

  27. Trails (profile), May 4th, 2012 @ 10:45am

    Re:

    I agree, there are in fact many things Mike did not consider.

    He did not consider, for example, that the server was part of skynet, and was about to become self aware and launch missiles at Russia in an effort to wipe out humanity. Thank God we averted that disaster, and how dare Mike besmirch the names of our heroes!!!

  28. Anonymous Coward, May 4th, 2012 @ 10:52am

    Re:

    The original storage media is "best evidence" and is far easier to have admitted to court than an image (copy). Had the FBI found evidence on the drives related to felony threats they most certainly would have retained the originals.

    Mike is not narrow minded, you are ignorant.

  29. Rabid Troller, May 4th, 2012 @ 10:56am

    Re:

    fuck off, jack. this is MY turf.

  30. Eponymous Coward (profile), May 4th, 2012 @ 11:02am

    Seriously, guys

    We didn't do anything to the hardware. Pinky-promise. We just, umm, thought that the server looked a little dirty and wanted to give it a good dusting.

    Separate issue, how exactly do they get into the server room on two separate occasions without anyone being notified? Someone had to see a Gorram warrant the first time, at least? Or did Agent Coulson there work his magic on the janitor to get the keys?

  31. Nigel (profile), May 4th, 2012 @ 11:05am

    Re: Re: Re:

    "http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/"

    I can see that reason and discourse has no place in the US any longer. I think it's about time for pitchforks and torches.

    And a hearty welcome to today's troll overlord.

    N.

  32. Jeff (profile), May 4th, 2012 @ 11:12am

    Re: Killer Scientists

    Le'dude - your tinfoil hat fell off...

  33. Anonymous Coward, May 4th, 2012 @ 11:20am

    Re:

    Geez... I'm shocked they didn't think of something like that.

    I mean I'm sure your awesome idea covers all those pesky details like chain of custody and post image modification.

    You're really onto something there son...most people don't take the time to think thru things before they just throw out some half-assed idea, but you...wait I see what (I hope) you did there.

    Well played, I almost fell for it and assumed you were a world class nit-wit.

  34. Anonymous Coward, May 4th, 2012 @ 11:21am

    Re: Re: Re: Re: JCF!!

    Anybody with a brain can tell you that's exactly where it will go--spoof up a "I'm from the FBI" ip address [...]

    No need. Easier to just take advantage of their generosity: FBI lost 160 laptops in the last 44 months.

    Anybody want to guess how many more they've lost since?

  35. A Guy (profile), May 4th, 2012 @ 11:22am

    FBI meets DRM

    Wow, the FBI's version of DRM. Not only will everyone know about it because everyone will have to install it, but it will only affect those stupid enough not to remove/block it.

    There will be sites dedicated to removing it since everyone will have to know about it.

    Not only that, but it also doesn't affect open source apps (are they really going to show us the source code too?), especially those with international production/collaboration because there will be no requirement to include it.

    I guess stupid criminals would be the target of this, because it won't catch anyone else.

  36. Anonymous Coward, May 4th, 2012 @ 11:30am

    Re: Re: Re:

    They needed to get data off of RAM, too.

  37. Anonymous Coward, May 4th, 2012 @ 11:35am

    Re: Re: Re:

    The reason is that a copy is not as good as the original evidence.

  38. Anonymous Coward, May 4th, 2012 @ 11:37am

    They should just virtualize the server. It would be much harder for the FBI to take the production server if it has the ability to jump from server to server.

  39. Rabid Troller, May 4th, 2012 @ 11:38am

    Re: Re:

    hey asshole, central assigned this blog to ME today. besides, didn't you get the memo that snarkiness is being phased out? REDIRECT the conversation, preferably into arcane legal nonsense.

    and learn how to misspell, you fucking nOOb.

  40. Berenerd (profile), May 4th, 2012 @ 11:41am

    Re: Re:

    You have this all wrong....

    They took the server, convinced it that it wanted to take over the US' arsenal of nuclear weapons to blow up Russia in an attempt to destroy humanity when in reality it just wanted to play a game of chess. With this information the FBI took the server and claimed they thwarted another "cyberthreat" proving the need for CISPASOPAPITAPATASATA

  41. Anonymous Coward, May 4th, 2012 @ 11:42am

    Re: Re: Will not be put back into production ...

    You won't find anything. Unless....
    you designed the hardware and know every component AND
    you designed the firmware and know every line of code.

    That's why it won't go back to use.

    Watch: Jacob Appelbaum (Digital Anti-Repression Workshop - April 26 2012)

    http://www.youtube.com/watch?v=HHoJ9pQ0cn8
    http://www.youtube.com/watch?v=s9fByRmAHgU

  42. V (profile), May 4th, 2012 @ 11:43am

    Who watches...

    Who watches the Watchers?

  43. Anonymous Coward, May 4th, 2012 @ 11:46am

    Re: Re: Re: Re: Re: JCF!!

    None... Sabu sold them, they were never lost : )

  44. Anonymous Coward, May 4th, 2012 @ 11:51am

    Re:

    How would you describe them sneaking the server back in place without telling anyone that they were doing it or planned to do it?

    Cause you are right they are far too brazen to be sheepish, I was thinking more dickish.

  45. Anonymous Coward, May 4th, 2012 @ 11:52am

    Re: Re: Re: Re:

    "The reason is that a copy is not as good as the original stolen information taken under the guise of evidence."

    ftfy

  46. Anonymous Coward, May 4th, 2012 @ 11:56am

    Re: Re: Re:

    Those servers took 100% of the bandwidth's money and gave no one any contracts. FUCKING JUST TRY AND DENY IT!

  47. Anonymous Coward, May 4th, 2012 @ 11:57am

    Re: Who watches...

    That surveillance camera apparently.

  48. Anonymous Coward, May 4th, 2012 @ 12:01pm

    Re: Seriously, guys

    I feel like you could walk up to most people and flash your FBI badge and say "open that door" and the door would open.

  49. Baldaur Regis (profile), May 4th, 2012 @ 12:08pm

    Re:

    All the owners have to do is grep for new files with cool-sounding names like "predator.*" or "donotopen.*". Subtle the FBI is not.

  50. Anonymous Coward, May 4th, 2012 @ 12:15pm

    Re:

    Best forensics practices are to take the entire machine.

    When they arrive on site they take pictures of the front and back of the rack and chassis, then pull the power on the server. All of the connections (video, network, USB, keyboard, mouse, etc) are logged.

    They want to get the evidence back to the lab in order to ensure that the evidence is not tampered with. If you image the drives on site you run the risk of someone attempting to damage or destroy them.

    Chain of custody needs to be maintained and you want to have the best evidence possible; the original hard drives will always be better evidence than an image.

    Evidence may also be found in other locations like the BIOS. The BIOS clock time is needed because it may affect file time stamps. You do not want to reboot with the drives present because the prompt to view BIOS may be set so that it does not display, the OS boots and then a pre-existing program installed by the suspect is run that destroys data. The BIOS may be logging events not captured by the OS.

    The hard drives must be connected to a device that prevents any data being written to them, see Tableau (www.tableau.com).

    The warrant, available on EFF's site, specifically referenced a MAC address. It is easier for the prosecution to prove that the FBI seized the correct server by providing evidence of the physical device, that can be verified by a court appointed third party, than to prove it via the MAC address data present on the drives.

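An added example, not code from the commenter above, the FBI or any tool the comment names, showing how the chain-of-custody, best-evidence and BIOS-clock points in that comment apply in practice: an acquisition hash that detects any altered byte when the evidence is re-read, a hash-chained custody log in which a retroactive edit is detectable, and correction of file timestamps for the skew of the seized machine's clock. The image bytes, actors, times and log format are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample "disk image": stands in for bytes read through a write blocker.
SAMPLE_IMAGE = (b"mixmaster-node-data\x00" * 1000) + b"deleted-but-still-on-platter"


def chunked(data, size=4096):
    """Yield data in fixed-size pieces, the way a block device is read."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def sha256_of(chunks):
    """Hash an image incrementally so a multi-terabyte drive never sits in memory."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def image_matches(data, acquisition_sha256):
    """True when a re-read still hashes to the acquisition value; one changed byte breaks it."""
    return sha256_of(chunked(data)) == acquisition_sha256


def clock_skew(bios_clock, reference_clock):
    """Skew of the seized machine's BIOS clock against a trusted reference (both UTC)."""
    return bios_clock - reference_clock


def to_reference_time(file_timestamp, skew):
    """Map a timestamp written by the skewed clock back to reference time."""
    return file_timestamp - skew


class CustodyLog:
    """Append-only chain-of-custody log: each entry commits to the previous entry's
    hash, so editing, removing or reordering one later makes verify() fail.
    The record format is constructed for this example, not any lab's real one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add(self, actor, action, evidence_sha256, when):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {"actor": actor, "action": action, "evidence_sha256": evidence_sha256,
                "when": when.isoformat(), "prev": prev}
        entry = dict(body, entry_hash=self._digest(body))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev"] != prev or self._digest(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Walk the seizure-to-lab path on constructed data and return each check."""
    utc = timezone.utc
    seized_at = datetime(2012, 4, 18, 10, 0, tzinfo=utc)  # constructed time
    acquisition_hash = sha256_of(chunked(SAMPLE_IMAGE))

    log = CustodyLog()
    log.add("agent-1", "power pulled, rack photographed, drives bagged", acquisition_hash, seized_at)
    log.add("agent-1", "transported to lab", acquisition_hash, seized_at + timedelta(hours=3))
    log.add("examiner-2", "imaged through write blocker", acquisition_hash, seized_at + timedelta(hours=5))
    chain_ok = log.verify()
    log.entries[1]["action"] = "transported to lab (edited afterwards)"  # retroactive edit
    chain_broken = not log.verify()

    intact = image_matches(SAMPLE_IMAGE, acquisition_hash)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[-1] ^= 0x01  # flip one bit in the last sector
    altered_detected = not image_matches(bytes(tampered), acquisition_hash)

    # BIOS read 10:07 while the trusted clock read 10:00: 7 minutes fast, so a
    # file the machine stamped 09:30 was really written at 09:23 reference time.
    skew = clock_skew(datetime(2012, 4, 18, 10, 7, tzinfo=utc), seized_at)
    corrected = to_reference_time(datetime(2012, 4, 18, 9, 30, tzinfo=utc), skew)

    return {"chain_ok": chain_ok, "chain_broken": chain_broken, "intact": intact,
            "altered_detected": altered_detected, "skew_minutes": skew.total_seconds() / 60,
            "corrected_time": corrected.isoformat()}


if __name__ == "__main__":
    print(demo())
```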

  51. orbitalinsertion (profile), May 4th, 2012 @ 12:21pm

    Re: Re: Re:

    They like to be dicks. Taking the hardware, seizing domains, etc., is done for purposes of intimidation and to cause inconvenience. Just like this:
    http://www.buzzfeed.com/rosiegray/fbi-nypd-made-visited-occupy-activists-in-advance

  52. orbitalinsertion (profile), May 4th, 2012 @ 12:23pm

    Re: Re: Re:

    Servers rarely survive waterboarding.

  53. orbitalinsertion (profile), May 4th, 2012 @ 12:26pm

    Re: Killer Scientists

    Yep. Scientists: All united in a global conspiracy to do stuff to you. Which has something to do with the FBI seizing servers.

  54. Anonymous Coward, May 4th, 2012 @ 12:28pm

    Re: Re: Re: Re: Re:

    copied = stolen?

  55. orbitalinsertion (profile), May 4th, 2012 @ 12:30pm

    Re:

    If it was fully installed and powered on, it may be too late. The server farm and network could already be infected if the Feds wanted to play that game. I never know if I am giving them too much credit by making such a suggestion, but they do seem to have their moments of competence.

  56. Overcast (profile), May 4th, 2012 @ 1:13pm

    "The original storage media is "best evidence" and is far easier to have admitted to court than an image (copy). Had the FBI found evidence on the drives related to felony threats they most certainly would have retained the originals.

    Mike is not narrow minded, you are ignorant."


    But now then the question becomes - are they allowed to seize property and not even have an idea of what's on it?

    So they can just grab whatever - look at it, and if there's nothing on it, just return it and act as though nothing has happened? That's what this seems to indicate.

    What about probable cause now?
    Can and will this company now sue them - after all, they have potentially (like so many copyright claims) lost revenue due to this.

    Obviously - there was no good evidence on the server that would be needed in court since they have returned the server. And if they did image it, and will later use the image in court - why take the server in the first place?

    But the big part is - anyone in IT should well know that the physical disks in an array are meaningless really. An image is all you really need.

    If that server was using any type of RAID 0, 5, 6, etc - array, all of those physical disks could be swapped out, but the data would remain, assuming they were given time to rebuild the array between swaps - what good are the physical disks then?

    Unless there is suspicion that data is being deleted to cover any evidence - but even then, a sector-by-sector image would still capture that, unless they are meaning to put the platters under an electron microscope - then the physical disks (assuming they haven't been swapped with other drives in the recent past) might be helpful, but really - only then.

    The point is - if the FBI had a clue, they could have made an image of the server and only the operators of the facility would have known. The server would never have been offline, RiseUP wouldn't have lost any uptime or even known the image was taken.

    It's both an IT fail and a police work Fail.

    Now.. they have returned the server, without notifying the owner that it was ever being taken - which obviously means there was no warrant. In all likelihood - the right lawyer would have gotten that evidence tossed right out of court due to improper procedures in evidence gathering anyway.

    Would seem to me, the best way to do this would be to - get a warrant - contact the data center facility - image the server (without Riseup knowing) - then if any potential evidence was on there - get a warrant to seize the server.

    But the FBI doesn't really seem to be all too concerned with following the law from the start anymore.

  57. The eejit (profile), May 4th, 2012 @ 1:42pm

    Re:

    Then why not do that in the MU case? I'm pretty sure the circumstances are similar. But then that would be sensible.

  58. The eejit (profile), May 4th, 2012 @ 1:43pm

    Re: Re: Re: Re: Re: Re:

    Well, alright, if you're getting technical, "infringed".

  59. Digitari, May 4th, 2012 @ 2:00pm

    Re:

    something just occurred to me, cause, ya know not only do I wear a tin hat, I had my entire head made of tin, it's the only way to be certain.

    what if the FBI was told by the NSA or CIA that they HAD to put the server back else how will OUR spies be able to contact us.

    Could this have been an inter-service fuck up??


    Food for (the very paranoid) thought.

    Also, the reason is Obvious why they didn't just copy it, FBI is not a bunch of freetards, that would be Copyright infringement, and that's a hanging offense in DC doncha know.

    (this is mostly sarcasm,{or irony} mostly)

  60. Baldaur Regis (profile), May 4th, 2012 @ 2:05pm

    Re: Re: Re: Re:

    I've often thought that Twitter was a bad habit that started with a joke, also.

  61. bosconet (profile), May 4th, 2012 @ 2:37pm

    Re:

    That is almost certainly what they did. However, one wonders how much it will help them; in my experience most 'forensics' people are clueless with anything but Windows.

  62. LyleD, May 4th, 2012 @ 2:45pm

    Not sure where I read it now, but another theory was it was all about disrupting the May Day Occupy protests...

    Removed, April 18th 2012
    Re-installed, May 4th 2012

    Just-Saying

  63. Anonymous Coward, May 4th, 2012 @ 3:04pm

    Re: Re:

    You act like these people are going to spend more than they're making trying to get away with a potential crime that someone else is performing.

    This was a very bad example of how the government should handle a situation. The people hosting this server are not the enemy, they aren't running some wild conspiracy to get away with allowing bomb threats to continue. If they really wanted to do all that you say for some reason, as if that would even help them get away with anything, they could have easily designed the device to destroy all relevant data upon being unplugged. Have a small battery in the device so that when it loses power and everything else gets unplugged, everything gets automatically deleted. Then when the feds raid the device everything gets quickly deleted by the time it reaches the station.

    If you assume that the people here being raided are the enemy and that they will go through all of the very expensive effort you mention in your post to get away with allowing someone else to engage in such illegal activities (whereby they have absolutely nothing to gain from it and they're spending a ton of money on this endeavor to run their servers) then there are much simpler ways for them to get away with it. The device can store all of the relevant information in RAM only so that when it gets unplugged everything gets deleted. Software for that would be easy enough to write and these servers can easily have 32 GB ram (or more). It would be simple enough to hide stuff.

    No, what the feds should have done (first), and what the common sense approach is, is for them to request to work with the anonymizer admins to catch the culprits. Chances are they would have been more than happy to work with the feds on the matter.

  64. Anonymous Coward, May 4th, 2012 @ 3:48pm

    You can read the warrant on the EFF's web site: https://www.eff.org/sites/default/files/May%20First%20Server%20Search%20Warrant.pdf

    First, IANAL. Second, I also have doubts and criticisms of how the FBI handled this.

    "But now then the question becomes - are they allowed to seize property and not even have an idea of what's on it?"

    The FBI did not ask for a warrant to browse the files on the server to see what was there. The FBI went to the judge with evidence of an e-mail bomb threat sent to the University of Pittsburgh that bore the originating IP address of the May First/People Link/Riseup server.

    BTW, the bomb threats began in February: http://www.huffingtonpost.com/2012/04/24/pitt-bomb-threats-finished_n_1448956.html

    "So they can just grab whatever - look at it, and if there's nothing on it, just return it and act as though nothing has happened? That's what this seems to indicate."

    My limited understanding is that the unfortunate answer is yes.

    "What about probable cause now?"

    My understanding is that probable cause was established with the bomb threat e-mail sent from the May 1st server.

    "Can and will this company now sue them - after all, they have potentially (like so many copyright claims) lost revenue due to this."

    I don't know. I am not saying it's right, but running the MixMaster mail relay would most likely not help their cause. If you use TOR as an exit node you risk the police kicking your door down because someone was browsing something that is illegal and it traces back to your IP. If you run TOR as an exit node you face that risk. If you run MixMaster re-mailer ... Again, I'm not saying it's right.

    "But the big part is - anyone in IT should well know that the physical disks in an array are meaningless really. An image is all you really need."

    You are correct, but law enforcement and prosecutors always want to present best evidence. The physical media is the best evidence not the image.

    "If that server was using any type of RAID 0, 5, 6, etc - array, all of those physical disks could be swapped out, but the data would remain, assuming they were given time to rebuild the array between swaps - what good are the physical disks then?"

    This is true, but as has been pointed out so many times on TechDirt our courts struggle mightily to understand IT and often get it very wrong. The prosecution gains nothing by making an image and returning the original drives/best evidence then have to explain parity, checksums, RAIDs, etc to a judge that can't work their iPhone.

    "Unless there is suspicion that data is being deleted to cover any evidence - but even then, a sector-by-sector image would still capture that, unless they are meaning to put the platters under an electron microscope - then the physical disks (assuming they haven't been swapped with other drives in the recent past) might be helpful, but really - only then."

    You are correct, if the data exists on the original evidence then it will exist on the image.

    I did not realize it was possible to read data from a hard drive using electron microscopy. Would you please post a link?

    The point is - if the FBI had a clue, they could have made an image of the server and only the operators of the facility would have known. The server would never have been offline, RiseUP wouldn't have lost any uptime or even known the image was taken.

    Live acquisition involves altering the evidence. An agent has to be placed on the server or an exploit utilized to obtain access. This method does not ensure a total acquisition of data the way the imaging of drives that have been removed from the server does. Live acquisition also involves a risk of detection followed by possible interference and/or destruction of data.

    The point is - if the FBI had a clue, they could have made an image of the server and only the operators of the facility would have known. The server would never have been offline, RiseUP wouldn't have lost any uptime or even known the image was taken.

    It's both an IT fail and a police work Fail.


    I disagree that the best course of action is imaging the drives in the facility because you do not have best evidence or chain of custody and you risk detection/interference. The methods you propose are valid but result in increasing the burden on law enforcement and the prosecution. From their perspective none of what you propose justifies the increased effort and burden that results.

    Now.. they have returned the server, without notifying the owner that it was ever being taken - which obviously means there was no warrant. In all likelihood - the right lawyer would have gotten that evidence tossed right out of court due to improper procedures in evidence gathering anyway.

    A warrant was obtained and it appears to have been legally served.

    Would seem to me, the best way to do this would be to - get a warrant - contact the data center facility - image the server (without Riseup knowing) - then if any potential evidence was on there - get a warrant to seize the server.

    Offline imaging in the lab ensures non-interference and obtaining a complete capture of all data. Live acquisition risks detection and destruction of data.

    Hoping the employees of the data center maintain secrecy is just not realistic.

    So the first warrant would allow the FBI to search for "any potential evidence"? I don't think that's a good idea ...

    But the FBI doesn't really seem to be all too concerned with following the law from the start anymore.

    I can't agree without knowing whether or not there were other e-mail threats from other servers within the US. If there were and they were not also seized then I would ask why not.

     

    reply to this | link to this | view in thread ]
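The exchange above turns on whether the physical disks of an array carry evidentiary weight that a sector image does not. As an added illustration (not code from the page or from any of the commenters), the toy RAID-5 below stripes a constructed payload across three in-memory "disks" with rotating XOR parity, pulls every member in turn, rebuilds each from the survivors, and shows that the logical volume (and its SHA-256) is unchanged even though no original drive remains. Stripe width, member count and the parity rotation rule are simplifications chosen here, not a real controller's layout.

```python
"""Toy RAID-5: rotating XOR parity across three in-memory members.

Constructed example. STRIPE and N_DISKS are illustration values; real arrays
use far larger stripe units and controller-specific parity rotation.
"""
import hashlib
from typing import List, Optional

STRIPE = 4      # bytes per stripe unit (constructed)
N_DISKS = 3     # two data units + one parity unit per stripe


def xor_bytes(*chunks: bytes) -> bytes:
    """Bytewise XOR of equal-length chunks."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def parity_disk_for(stripe: int) -> int:
    """Parity unit rotates across members one stripe at a time."""
    return stripe % N_DISKS


def write_raid5(data: bytes) -> List[bytearray]:
    """Stripe data across N_DISKS members, one XOR parity unit per stripe."""
    units_per_stripe = N_DISKS - 1
    pad = (-len(data)) % (STRIPE * units_per_stripe)
    data = data + b"\x00" * pad                     # whole stripes only
    disks = [bytearray() for _ in range(N_DISKS)]
    for s in range(len(data) // (STRIPE * units_per_stripe)):
        base = s * units_per_stripe * STRIPE
        units = [data[base + k * STRIPE: base + (k + 1) * STRIPE]
                 for k in range(units_per_stripe)]
        p = parity_disk_for(s)
        it = iter(units)
        for d in range(N_DISKS):
            disks[d] += xor_bytes(*units) if d == p else next(it)
    return disks


def read_raid5(disks: List[bytearray], length: int) -> bytes:
    """Reassemble the logical volume, skipping each stripe's parity unit."""
    out = bytearray()
    for s in range(len(disks[0]) // STRIPE):
        p = parity_disk_for(s)
        for d in range(N_DISKS):
            if d != p:
                out += disks[d][s * STRIPE:(s + 1) * STRIPE]
    return bytes(out[:length])


def rebuild_member(disks: List[Optional[bytearray]], failed: int) -> bytearray:
    """Reconstruct one failed member from the survivors.

    In every stripe the parity unit is the XOR of the data units, so any one
    unit (data or parity) equals the XOR of the other N_DISKS-1 units at the
    same offset. The failed slot may be None; only survivors are read.
    """
    survivors = [disks[d] for d in range(N_DISKS) if d != failed]
    return bytearray(xor_bytes(*survivors))


def swap_every_member(disks: List[bytearray]) -> List[bytearray]:
    """Pull each physical member in turn and rebuild onto a fresh one.

    Mirrors the scenario in the thread: every original drive leaves the
    chassis, yet the volume's contents never change.
    """
    current = list(disks)
    for d in range(N_DISKS):
        degraded = list(current)
        degraded[d] = None                          # drive pulled
        current[d] = rebuild_member(degraded, d)    # fresh drive, rebuilt
    return current


def volume_hash(disks: List[bytearray], length: int) -> str:
    """SHA-256 of the logical volume; what an examiner would hash and record."""
    return hashlib.sha256(read_raid5(disks, length)).hexdigest()


if __name__ == "__main__":
    payload = b"constructed sample: relay log line, 2012-05-04, queue id 0xA1"
    original = write_raid5(payload)
    replaced = swap_every_member(original)
    print("volume intact after replacing every drive:",
          read_raid5(replaced, len(payload)) == payload)
    print("hash unchanged:",
          volume_hash(original, len(payload)) == volume_hash(replaced, len(payload)))
```

The rebuild step is the same arithmetic a controller performs after a hot-swap; what the examiner preserves is the hash of the logical volume, which is exactly what an image carries.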

  65.  
    identicon
    Anonymous Coward, May 4th, 2012 @ 3:50pm

    Re: Re: Re: Re: Re: Re: Re:

    shakes tiny fist of rage

     

    reply to this | link to this | view in thread ]

  66.  
    identicon
    Wolfy, May 4th, 2012 @ 4:18pm

    If you don't think the gov't controls the media, ask yourself why this story isn't on CNN.

     

    reply to this | link to this | view in thread ]

  67.  
    identicon
    Anonymous Coward, May 4th, 2012 @ 4:37pm

    Mike now you ruined their stealth surveillance chances, the guy will go there and see if any bugs were planted on the damn thing.

     

    reply to this | link to this | view in thread ]

  68.  
    identicon
    Anonymous Coward, May 4th, 2012 @ 6:57pm

    Re: Re:

    Be fair, he might be ignorant and Mike might be narrowminded, I for one have no knowledge of his attitude to threesomes.

     

    reply to this | link to this | view in thread ]

  69.  
    identicon
    Anonymous Coward, May 4th, 2012 @ 6:59pm

    Re: Re:

    They do? Anything in particular in mind or have you been watching too many movies?

     

    reply to this | link to this | view in thread ]

  70.  
    identicon
    Anonymous Coward, May 4th, 2012 @ 9:18pm

    Re: Re: Re:

    You act like these people are going to spend more than they're making trying to get away with a potential crime that someone else is performing.

    I said nothing of the kind. I stated that the imaging of hard drives from a seized server results in obtaining best evidence and that attempting live acquisition could result in mistakes that result in data loss, including activation of programs that destroy data.

    Nowhere did I say that May 1st, et al, had such programs, would use such programs, or had done anything wrong. I do not like the fact that any speech on the server was censored (via lack of availability) during the time it was offline.

    This was a very bad example of how the government should handle a situation. The people hosting this server are not the enemy, they aren't running some wild conspiracy to get away with allowing bomb threats to continue. If they really wanted to do all that you say for some reason, as if that would even help them get away with anything, they could have easily designed the device to destroy all relevant data upon being unplugged. Have a small battery in the device so that when it loses power and everything else gets unplugged, everything gets automatically deleted. Then when the feds raid the device everything gets quickly deleted by the time it reaches the station.

    How should the government have handled it then?

    Again, I never said anyone was "the enemy".

    You would actually need a large battery to power a server. Servers are not like laptops; they consume a lot of power.

    Deleting a file does not destroy it, it simply marks an entry in the file system letting the OS know that the sectors on which the file resided are now available for use. The data remains until it is overwritten. In some instances data can reside in "file slack" even after it has been overwritten by a new file. In order to truly destroy the data it needs to be wiped. Wiping a 250 GB SATA hard drive with one pass can take up to 8 hours. There have been instances where warrants are served and law enforcement finds that a suspect is deleting files, formatting the drive, or is wiping a drive. Some data will be lost but the vast majority will still be present.

    If you assume that the people here being raided are the enemy and that they will go through all of the very expensive effort you mention in your post to get away with allowing someone else to engage in such illegal activities (whereby they have absolutely nothing to gain from it and they're spending a ton of money on this endeavor to run their servers) then there are much simpler ways for them to get away with it. The device can store all of the relevant information in RAM only so that when it gets unplugged everything gets deleted. Software for that would be easy enough to write and these servers can easily have 32 GB ram (or more). It would be simple enough to hide stuff.

    First you state "they will go through all of the very expensive effort" then you state "Software for that would be easy enough to write". So is it expensive or not? Here's a hint, it is the latter.

    It's possible that software can be specifically written to load into RAM only, but you fail to consider that it is possible to perform forensic analysis on RAM and that the contents of RAM are often written temporarily to the hard drive in a "swap" file.

    No, what the feds should have done (first), and what the common sense approach is, is for them to request to work with the anonymizer admins to catch the culprits. Chances are they would have been more than happy to work with the feds on the matter.

    "anonymizer admins"? You have no idea how a multi-node anonymity tool functions do you? Do you honestly believe that May 1st would have allowed the FBI to monitor the traffic flowing through their server?

    Either you are a brilliant troll or you are profoundly naive. I sincerely hope it's the former; if so I congratulate you and will heartily LOL at myself.

     

    reply to this | link to this | view in thread ]
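The comment above describes three things an examiner relies on: deleting a file only releases its clusters, the bytes survive until overwritten, and part of an old file can persist in the slack of a newer, smaller file that reuses the cluster. The toy cluster filesystem below (an added illustration, not code from the page or any commenter) makes each of those visible: a "deleted" record is still found by signature carving over the raw image, a smaller file written into the same cluster leaves the old tail in its slack, and only an explicit wipe (overwriting every cluster, which is why it is slow at real disk scale) removes the data. Cluster size, the record marker `MSG{...}` and the first-fit allocator are constructed simplifications.

```python
"""Toy cluster-allocated filesystem showing delete vs. wipe and file slack.

Constructed example: the "platters" are a bytearray, the directory is a dict.
Real filesystems differ in detail (some zero the tail of the last sector),
but the cluster-level behaviour shown here is the one examiners rely on.
"""
from typing import Dict, List, Tuple

CLUSTER = 64        # bytes per allocation unit (constructed)
N_CLUSTERS = 8      # tiny image: 512 bytes


class ToyFS:
    def __init__(self) -> None:
        self.image = bytearray(CLUSTER * N_CLUSTERS)            # raw media
        self.free = [True] * N_CLUSTERS                          # allocation map
        self.dir: Dict[str, Tuple[int, int, int]] = {}           # name -> (first, count, length)

    def _find_free(self, count: int) -> int:
        """First-fit search for a contiguous run of free clusters."""
        for start in range(N_CLUSTERS - count + 1):
            if all(self.free[start:start + count]):
                return start
        raise OSError("no space left on toy device")

    def write(self, name: str, data: bytes) -> None:
        count = max(1, -(-len(data) // CLUSTER))
        start = self._find_free(count)
        for i in range(count):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            off = (start + i) * CLUSTER
            # Only the file's own bytes are written. Whatever the rest of the
            # cluster held before is left untouched: that is the file slack.
            self.image[off:off + len(chunk)] = chunk
            self.free[start + i] = False
        self.dir[name] = (start, count, len(data))

    def read(self, name: str) -> bytes:
        start, _, length = self.dir[name]
        return bytes(self.image[start * CLUSTER:start * CLUSTER + length])

    def slack(self, name: str) -> bytes:
        """Bytes between the logical end of the file and the end of its last cluster."""
        start, count, length = self.dir[name]
        return bytes(self.image[start * CLUSTER + length:(start + count) * CLUSTER])

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the directory entry, mark clusters free, touch no data."""
        start, count, _ = self.dir.pop(name)
        for c in range(start, start + count):
            self.free[c] = True

    def wipe(self, name: str) -> None:
        """Secure delete: overwrite every cluster the file occupied, then delete."""
        start, count, _ = self.dir[name]
        self.image[start * CLUSTER:(start + count) * CLUSTER] = bytes(CLUSTER * count)
        self.delete(name)


def carve(image: bytes, start: bytes = b"MSG{", end: bytes = b"}") -> List[bytes]:
    """Signature carving: find records in the raw image without consulting the directory."""
    found, pos = [], 0
    while True:
        i = image.find(start, pos)
        if i < 0:
            return found
        j = image.find(end, i)
        if j < 0:
            return found
        found.append(bytes(image[i:j + 1]))
        pos = j + 1


if __name__ == "__main__":
    fs = ToyFS()
    fs.write("old.txt", b"MSG{constructed record that was deleted but never wiped}")
    fs.delete("old.txt")
    print("carved after delete:", carve(fs.image))
    fs.write("new.txt", b"MSG{new}")          # first-fit reuses cluster 0
    print("slack of new.txt:", fs.slack("new.txt").rstrip(b"\x00"))
    fs.write("secret.txt", b"MSG{wiped record}")
    fs.wipe("secret.txt")
    print("carved after wipe:", carve(fs.image))
```

The carver never reads the directory, which is why a deleted entry does not hide the record; the slack check is the same offset arithmetic an examiner applies to a real cluster once the allocation unit size is known.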

  71.  
    identicon
    Anonymous Coward, May 4th, 2012 @ 9:26pm

    Re: Re:

    "Why seize the server?"

    Considering the wide variety of methods for writing to disk, and the existence of everything from RAID to mirrors, to custom striped writing, taking the disks alone would be a serious no-no. The only way to get data reliably off a server is to use the server (or full configuration) that wrote the data to start with.

    Otherwise, you end up with a serious waste of time and effort, as you fight to try to figure out which disk goes where, which one is the mirror, and so on.

    You also have to assume that they ran a deleted file recovery program, to get back anything that had been deleted recently, adding more data to the pot. You can't generally do that in an hour.

     

    reply to this | link to this | view in thread ]

  72.  
    identicon
    Anonymous Coward, May 4th, 2012 @ 9:30pm

    Re:

    You hit it - the mail coming from that server is more than enough probable cause to seize the server to try to identify who the email is coming from. The group should consider themselves lucky that they didn't convince the judge to take everything they had - instead of just one server.

    I think it's too bad that Mike has no understanding of what it takes to get this done.

     

    reply to this | link to this | view in thread ]

  73.  
    identicon
    Anonymous Coward, May 4th, 2012 @ 9:55pm

    Re: Re: Re: Re:

    "I said nothing of the kind."

    You absolutely did. For example, you said

    "You do not want to reboot with the drives present because the prompt to view BIOS may be set so that it does not display, the OS boots and then a pre-existing program installed by the suspect is run that destroys data. "

    This argument is based on the premise that the server admins are likely enough to be intentionally facilitating the undesired activity and expending a lot of effort to hide said activity. Otherwise, what's the point of your sentence?

    "You would actually need a large battery to power a server."

    Depends on how long it needs to be powered and how much of the server needs to be powered for things to get deleted.

    But you're still missing the point. My argument isn't that my suggestions would be easy, on the contrary, the argument is that they are difficult and require a whole lot of sophisticated coordination. My point is that your suggestions are about just as difficult to conspire and also require a whole lot of coordination.

    "Wiping a 250 GB SATA hard drive with one pass can take up to 8 hours."

    Who said anything about them wiping all of the data? Only the potentially incriminating data needs to be wiped. Again, the argument isn't that it'll be easy to implement, just that if the server admins were determined enough to allow those making these bomb threats to get away with them, as your post seems to suggest based on the amount of effort they would have to expend to avoid getting caught, there are ways that it can be done that can just as well circumvent what the feds did here.

    "It's possible that software can be specifically written to load into RAM only, but you fail to consider that it is possible to perform forensic analysis on RAM and that the contents of RAM are often written temporarily to the hard drive in a "swap" file."

    Not if the software is designed to load the data into RAM only. TrueCrypt already does this with unencrypted data, for example. Yes, the contents in RAM are often written to the hard drive in the form of swap unless software is specifically written to prevent potentially incriminating content from being written. Again, you're the one assuming the possibility that these people are attempting to expend a lot of effort to conceal incriminating data and my point is that, if they really want to expend all of the effort that you suggest, there are smarter ways to do it than the ways that you suggest. Just because you can think of a narrow situation in which unplugging the server first might prevent potentially incriminating data from being deleted doesn't mean that those willing to expend all the effort you suggest can't find a smarter way to do it.

    "it is possible to perform forensic analysis on RAM"

    and find what, exactly? Nothing? If it were possible to extract a significant amount of useful information from unpowered RAM ... we wouldn't have this problem of needing to re-load RAM every time the computer undergoes a cold boot.

     

    reply to this | link to this | view in thread ]

  74.  
    icon
    Disgusted (profile), May 4th, 2012 @ 10:13pm

    Our Wonderful Government

    How is the Government, as embodied in this administration, any different than the real Mafia? They seem to have no regard for the rule of Law. They have no regard for citizen's rights. They have no regard for the Constitution. In short, they are worse than the crime families, which, at least, have a code of ethics that they follow. This bunch justifies any crime, any action, any disregard for the Constitutional guarantees that they perform against our citizens, with the mock excuse of protecting us. Things have gotten way out of control. If they are going to act this way, then they should organize along the Mafia guidelines and adopt the Cosa Nostra code. We're already paying them tribute (taxes), and they're already acting like them, so let's make it formal. It couldn't be any worse.

     

    reply to this | link to this | view in thread ]

  75.  
    identicon
    Anonymous Coward, May 4th, 2012 @ 11:40pm

    Re: Re: Re: Re: Re:

    In a situation where there is good reason to believe that the server admins might be intentionally facilitating illegal activities then you may have a point. But here there is no good reason to believe this. If anything, unplugging the server erases RAM, which could potentially delete important information. Working with the server admins is a better option; the server admins know their network best and are in a much better position to (help the feds) track the culprit from their location (without removing the server).

     

    reply to this | link to this | view in thread ]

  76.  
    icon
    G Thompson (profile), May 5th, 2012 @ 1:12am

    Re:

    What, like they might have just copied all the files that they needed for a criminal investigation and then gave back the original server because they have all the evidence they need?

    Well if that's the case, the evidence they have is now totally worthless since it is not probable, can not be authenticated, can not be analysed by the opposing side, and is pure fruit of the purloined/poisoned tree.

    You see if they are using it as evidence in a criminal investigation (and this applies to civil also) under rules of Evidence the original digital source has to be preserved in its original state. Giving it back to someone whilst investigation and any/all proceedings still underway is absolutely the wrong thing to do.

    Also I'd like to know if the FBI had authority to re-enter and replace the item in question. You know like in a warrant, court order, etc.

    This whole removal and giving back system in this sort of way leads me to suspect ulterior quasi legal motives by the FBI. I would never allow that server to be re-used ever and just destroy it. This also would further frustrate the FBI's criminal investigation too. Well unless they have an order to not destroy it, though that might be a secret.

     

    reply to this | link to this | view in thread ]

  77.  
    icon
    G Thompson (profile), May 5th, 2012 @ 1:18am

    Re: Re:

    uhuh..

    Seeing as I am one of those 'forensics' people, I NEVER use Windows-based systems to analyse anything unless that is just to write up affidavits and/or case files because the *nix boxes are used for something else..

    LEOs use Windows-based systems like EnCase etc. because they are sadly not as trained as they need to be (or want to be in some cases).

    *nix is the only way to look at Windows (and Mac) systems without changing or destroying the original source. This is true on both live and non-live systems.

     

    reply to this | link to this | view in thread ]

  78.  
    identicon
    Anonymous Coward, May 5th, 2012 @ 2:49am

    There is one possibility I did not see mentioned. They could have taken the server to clone it. Having a clone of a production server from a farm of similar servers would be a very good way to develop attacks to gain access later, regardless of whether the server was left in operation or not. Kinda like buying a lock from the hardware store to figure out how to pick every lock like it.

     

    reply to this | link to this | view in thread ]

  79.  
    icon
    G Thompson (profile), May 5th, 2012 @ 3:23am

    Re: Re: Re: Re: Re:

    "it is possible to perform forensic analysis on RAM"

    and find what, exactly? Nothing? If it were possible to extract a significant amount of useful information from unpowered RAM ... we wouldn't have this problem of needing to re-load RAM every time the computer undergoes a cold boot.


    This comment and the others above show you have no knowledge of what modern Digital Forensic techniques are, nor of what they can find. Whatever you find, whether that be contextually valid to what the investigators are searching for or that nothing whatsoever is found, is what forensics is all about. It is the science of what IS, not of what you wish or don't wish to find.

    And if you really think un-powered RAM doesn't or cannot hold anything of value, then keep thinking that; it makes our jobs seem much more magical and gives us the Ooooo factor when we show what we actually can analyse.

     

    reply to this | link to this | view in thread ]

  80.  
    identicon
    Anonymous Coward, May 5th, 2012 @ 7:26am

    Re: Re: Re: Re: Re: Re: Re: Re:

    somebody's gotta feel this

     

    reply to this | link to this | view in thread ]

  81.  
    icon
    ShivaFang (profile), May 5th, 2012 @ 7:52am

    Re:

    Thanks for posting the warrant.

    The warrant clearly indicates taking the drive or any other storage devices that the information is on, so a lot of the complaints in this thread are therefore moot.

    Putting the drive back covertly instead of giving it back is a little weird though.

     

    reply to this | link to this | view in thread ]

  82.  
    icon
    BentFranklin (profile), May 5th, 2012 @ 7:59am

    If all they wanted was a disk image, it would have been far more deft to have the host tell their client there are technical difficulties, then let the FBI shut down the server and reboot it off line to take an image right there, then restart the server. The client and you and I would never have been the wiser.

     

    reply to this | link to this | view in thread ]

  83.  
    identicon
    Anonymous Coward, May 5th, 2012 @ 9:21am

    Re: Re: Re: Re: Re: Re:

    It possibly can, but you have to keep it very cool to prolong any information and, even then, the information quickly dissipates with time. What the feds need to do is do some common sense risk assessments.

    "If you image the drives on site you run the risk of someone attempting to damage or destroy them."

    and if you unplug the machine much of the information in RAM invariably does get lost. So the risks are, server admins doing something nefarious if you work with them vs losing important data in RAM by unplugging the machine first. In this situation, the latter is a much bigger risk, being that the risk here of the server admins attempting to conceal the bomb threats is almost zero.

    There are much easier and more reliable methods to extract the data than to simply unplug everything first, better methods that apply here, like working with the server admins. If the server admins wished to conspire to make sure the data is not recoverable, as stated above, they could find ways to make sure all important data does get deleted from RAM first. RAM alone doesn't take much to power and having some internal battery system quickly scramble it upon being unplugged may be difficult but feasible for someone determined enough (as the original post suggests).

     

    reply to this | link to this | view in thread ]

  84.  
    identicon
    Anonymous Coward, May 5th, 2012 @ 10:07am

    Re: Re: Re: Re: Re: Re: Re:

    And I think this might be a good example where bureaucracy gets in the way of common sense. In other situations, where there is reasonable suspicion that the server admins might be in on it, it might make more sense to simply unplug the server first. But in this situation, where no such reasonable suspicion exists, it's probably much better to work with the server admins on the case.

     

    reply to this | link to this | view in thread ]

  85.  
    identicon
    Anonymous Coward, May 5th, 2012 @ 12:31pm

    Re: Re:

    warrant *

    Fair enough. If a court warrant authorized the property be confiscated then maybe it wasn't so bad. But I still think this could and should have been handled a little better and there are more effective ways to catch the culprits by working with the server admins which would

    A: be more likely to catch the culprits

    B: Would result in no (or less) unnecessary server downtime.

     

    reply to this | link to this | view in thread ]

  86.  
    identicon
    Anonymous Coward, May 5th, 2012 @ 12:32pm

    Re: Re: Re:

    (and, better yet, could help catch the culprits in the act).

     

    reply to this | link to this | view in thread ]

  87.  
    identicon
    Anonymous Coward, May 5th, 2012 @ 12:32pm

    Re: Re: Re: Re:

    But if the server is down, the culprits will just jump to someone else's server.

     

    reply to this | link to this | view in thread ]

  88.  
    identicon
    As if, May 5th, 2012 @ 4:15pm

    Not using the server

    may be a disservice to the country.

     

    reply to this | link to this | view in thread ]

  89.  
    identicon
    Anonymous Coward, May 5th, 2012 @ 6:56pm

    Re: Re: Re: Re: Re:

    Another option available to the FBI is packet capture and analysis. The problem with this is that if MixMaster is multinodal the way Tor is then your chances of having another bomb threat get routed through the same node that is being monitored may take a long time or not happen at all. Please keep in mind this whole thing is in response to bomb threats against a University that have been going on since February, this is not the same as ICE's trumped up domain seizures.

    I do not like that May 1st's server was offline for so long and I hope that they are able to separate the MixMaster to another server that does nothing other than e-mail relay.

     

    reply to this | link to this | view in thread ]

  90.  
    identicon
    Anonymous Coward, May 5th, 2012 @ 8:09pm

    Re: Re: Re: Re: Re: Re: Re:

    So the risks are, server admins doing something nefarious if you work with them vs losing important data in RAM by unplugging the machine first. In this situation, the latter is a much bigger risk, being that the risk here of the server admins attempting to conceal the bomb threats is almost zero.

    G Thompson is right, you know absolutely nothing about digital forensics. Almost all systems are seized by pulling the power on the machine. You keep saying there are smarter ways to do it. OK, what are these smarter ways of analyzing the contents of the drives?

    Do you really believe that placing trust in persons unknown to the FBI justifies the risk and threat of loss of the data?

    Placing trust = risk and threat of action by bad actor
    No trust = far less risk and threat

     

    reply to this | link to this | view in thread ]

  91.  
    icon
    G Thompson (profile), May 5th, 2012 @ 9:48pm

    Re: Re: Re: Re: Re: Re: Re: Re:

    This is not a case of bureaucracy getting in the way of common sense.

    It is a case of correct procedures when dealing with criminal investigations getting in the way of how you think the world should operate.

    Chain of Custody aside, you do not rely on non-authorised parties to 'help' unless they are willing under orders/oath to suffer any and all consequences for any untoward situations that may develop.

    The investigation not only has to be seen to be unbiased, it needs to be unbiased; otherwise the spectre of impropriety can and will be raised by any opposing counsel.

    I agree that a live system is preferable to one that is powered off, but there are means of reducing the loss of volatile data that you can perform before turning off any device, and I can assure you the FBI High Tech Units know all about those methods.

     

    reply to this | link to this | view in thread ]

  92.  
    identicon
    Anonymous Coward, May 5th, 2012 @ 11:14pm

    Re: Re: Re: Re: Re: Re: Re: Re: Re:

    Fair enough, you make some good points. Thanks for the insight.

     

    reply to this | link to this | view in thread ]

  93.  
    identicon
    Le Scientist, May 10th, 2012 @ 7:44am

    Re: Killer Scientists

    MUAHAHAHAHAHAHAHA!!

    Keep drumming! We're on to you and soon our armies of nano clones will modify your RNA so that you love us and accept us as your technocratic overlords!!!

    The time draws nigh!

    MUAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAHA!!!

     

    reply to this | link to this | view in thread ]

  94.  
    identicon
    Anonymous Cowered, May 11th, 2012 @ 5:54am

    copied?

    pirated.

     

    reply to this | link to this | view in thread ]
