Too slow! FBI Shuts Down Hosting Service
Chope writes "If FBI agents showed up at your data center bearing a warrant, would you be able to provide them prompt access to customer data?
BZZZZT! I'm sorry, but you've taken too long to answer. We'll be confiscating all the hardware you use, er, used to use, to run your business. But we'll get it back to you 'real soon now.' Thank you for playing. CarrierHotels.com is carrying the story of an FBI raid on a web hosting company. When the hosting company didn't and/or couldn't provide the information the FBI was looking for from its several terabytes of data within "several hours", the FBI decided it was more "efficient" to seize all the web servers and customer data as part of the FBI's investigation of a hacking incident."
I'm sure there is more to the story than what we are hearing...
I wonder what the FBI was looking for.
The poor hosting company probably has ToS to live up to. This will ruin them.
If nothing is found, will they have any recourse against the FBI or are they screwed?
And what if you run your website on those servers for commercial use? Will the FBI refund the financial damage you suffered (e.g. when you run a webshop or something)?
IDNRADC (I do not run a data center), but don't let that stop me from making a completely unqualified comment ;) ....
Perhaps just as important, or more important, are you storing customer data that could/should be regularly deleted? Not that burning everything when the FBI shows up is the best option, but having a sensible scheme for what needs to be stored, and what would be better deleted and overwritten, seems to me to be important...
The only thing I find a bit odd about this whole thing is that it looks like they took the opportunity to relocate their data center to Chicago (it was previously in Cleveland). According to their news,
Wouldn't that unnecessarily delay the process of restoring service to their customers? Was the move already planned, or did they suddenly decide that they needed a different data center? Is it possible they're blowing the seizure out of proportion in order to cover outages due to their move? Or did the seizure even actually happen?
...that 'the powers that be' are monitoring everything 'on the fly', if they need to get their hands on the physical data repository to check it out.
AT&ROFLMAO
no need to bring you there - and no aliens involved, either ;)
see the link in my sig if you care to see how the authorities made such things possible. ;)
(check each of the "14 Defining Characteristics" you recognize, count checks and post your results
I hope I didn't brain my damage.
I can't get access to the article, but I guess that the story is about the shutdown of FooNet. FooNet isn't a "real" hosting solution; it's a cheap shell provider for script kiddies who want to have their own ircd. They might also provide "serious" hosting services; but as soon as one provides shell services for such a targeted audience, she knows that she will have to handle some specific problems - DDOS, flood, etc.
And according to what I know about the FooNet shutdown (if that's the same story), there were thousands of DDOS "drones" located at the datacenter, and the staff of the datacenter failed to shut them down. That sounds very dubious to me, but you might want to check this for another side of the story ...
Quoting :
PS: if the shutdown mentioned isn't the FooNet one, ignore this post :-)
No, it turns out you are right, cit & foonet are one and the same. http://www.easynetworknyc.com/foonet/
I don't buy it! How can they move that stuff, not only physically, but also logically? To re-plug the servers, they need:
;-).
Or they can clone all the drives with ghost (now with ext3 support) and use Ghost Explorer in Windows to find specific files and folders without ever booting the machines into Linux and dealing with bullshit. (also dd/mount -o loop)
I prefer to read (between the lines) that they wanted something to be stopped, and eventually an occasion to get the information on the long term (weeks at least) on who/where it is
I believe one of two things:
1) They possibly thought whatever was going on might have been contributed to by someone on the inside and didn't want to give time for people to erase evidence. Maybe a raving lunatic anonymous coward but link.
2) They got impatient and thought they could do it faster, which probably ended up not being the case.
The strange part, for a European citizen like me, is that no reason at all is given. Normally (in the democratic/free world), an investigation means a judge, some reasons, some rule broken, some arguments on why the police are acting.
A warrant means that a Judge signed off on the investigation. They were able to convince a Judge that they had probable cause, how is this different from Europe? (I'm not trolling, I just don't know much about the legal system in European Countries and realize that it probably differs from Euro Country to Euro Country)
I hope that with these new laws in Europe we are not going to become like that too soon
I agree, big brother is getting scary here in the states.
Can I get an eye poke?
Dog House Forum
Yeah, it's about time the FBI got involved in cleaning up the DDoS problem. Looks like there was at least plenty of circumstantial evidence that FooNet was harboring DDoS vandals and credit card scammers, so I don't have a problem with their suffering a few days of downtime while the situation is investigated. We're talking about people who destroy businesses and volunteer-run networks and rip off innocent bystanders to the tune of thousands of dollars each. I, for one, would like to see a few of them sent to prison.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Basically, it works like this: You rank the candidates in order and your first choice gets your first vote. All the votes are counted and the candidate with the least votes is eliminated. If the candidate eliminated is your first choice, then your vote goes to the second candidate on your list. This process continues until only one candidate is left, and they are then elected. (See the link above for a better explanation...)
If this sounds like something you'd like instituted, contact your senators and representatives!
Furthermore, support candidates such as Presidential Candidate Dennis Kucinich who have declared their support for IRV. As he says in his platform:
I seriously believe that implementing a system such as this is the best way to get out of the Kang "Go ahead, throw your vote away." mentality about 3rd party candidates that America seems to have. Hell, even I feel that way in this next election. Peace.
I have heard that instant runoff is mathematically broken and somewhat of a scam. Supposedly it will allow votes for (as an example) Greens, until the point where Greens become powerful enough to actually make a difference. At that point a vote for a Green will suddenly be bad, just like it is under the current system. The main reason (assuming you like Dems more than Republicans) is that at that point your Green vote will make your Dem vote as #2 really mean #2 and Dems will lose to Republicans who voted them #1.
There is good analysis at http://www.votingmethods.org. This site is obviously Libertarian, but their analysis seems accurate and their arguments about how to make Libertarians get votes without Republicans losing apply just as well to how to make Greens get votes without Democrats losing.
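The counting procedure described a few comments up (rank the candidates, drop the lowest-placed one each round, move that ballot to its next surviving choice) is short enough to write down, so here is an added implementation that is not from either poster. The party labels, the ballot counts and the two scenarios are constructed for illustration; the second scenario is a general "centre squeeze" case in which a third-party block growing large enough to knock the second-placed candidate out first changes the result, which is the kind of situation the reply above is worried about.

```python
from collections import Counter


def instant_runoff(ballots):
    """Count ranked ballots by instant runoff.

    ballots: list of rankings, each a list of candidate names, first choice first.
    Returns (winner, rounds) where rounds[i] is the tally dict for round i.
    """
    eliminated = set()
    rounds = []
    while True:
        tally = Counter()
        for ballot in ballots:
            # Each ballot counts once, for its highest-ranked surviving candidate.
            for choice in ballot:
                if choice not in eliminated:
                    tally[choice] += 1
                    break
        rounds.append(dict(tally))
        total = sum(tally.values())
        leader, votes = tally.most_common(1)[0]
        # A candidate holding a majority can never be the lowest-placed in any
        # later round, so stopping here gives the same winner as eliminating
        # down to a single candidate.
        if votes * 2 > total or len(tally) == 1:
            return leader, rounds
        # Lowest count is eliminated; ties broken by name to keep this deterministic.
        loser = min(tally, key=lambda c: (tally[c], c))
        eliminated.add(loser)


def ballots_from(counts):
    """Expand {(first, second, ...): n} into n identical ballots (constructed helper)."""
    return [list(ranking) for ranking, n in counts.items() for _ in range(n)]


# Constructed electorate: R = Republican, D = Democrat, G = Green (placeholders).
# Scenario 1: small Green block. G is eliminated first and its ballots flow to D.
WEAK_GREEN = {("R", "D"): 40, ("D", "R"): 20, ("D", "G"): 15, ("G", "D"): 25}

# Scenario 2: Green block grows past D. D is now eliminated first, and the D
# voters who ranked R second push R over the line, so the stronger Green vote
# costs D the election. Had 5 of the G-first voters ranked D first instead,
# the tallies would be R 40, D 33, G 27 and D would win as in scenario 1.
STRONG_GREEN = {("R", "D"): 40, ("D", "R"): 15, ("D", "G"): 13, ("G", "D"): 32}


if __name__ == "__main__":
    for name, counts in (("weak Green", WEAK_GREEN), ("strong Green", STRONG_GREEN)):
        winner, rounds = instant_runoff(ballots_from(counts))
        print(f"{name}: rounds={rounds} winner={winner}")
```

Run it to see the round-by-round tallies: in the first scenario D wins 60-40 after G is dropped; in the second, D is dropped at 28 and R wins 55-45.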
I see a lot of "their rights have been violated", and "this is why I don't host in the US", and "here's what I think they're investigating", but I don't see anything constructive about how to protect your service uptime against a raid.
At a local security meeting, I learned about security incident handling, and things you can do to help preserve the chain of custody of the evidence (aka data). It's one thing to copy data, but just by reading data on most filesystems, you alter it. If a hacker determines that you are investigating them, they can and will try as fast as they can to cover their tracks, and it's a lot quicker to delete/destroy/taint data than copy data.
The fastest and best way to preserve a single machine's data is to break a RAID 1 array (pull out live disks). Your machines keep running, and the FBI gets a pristine copy of the disks that they can put into (hopefully antistatic) evidence bags and document chain of custody without modification of the data. They can go read it at their leisure off-site. Using RAID5 doesn't cut it. Using single disks with frequent backups doesn't cut it. Use RAID1.
Another way to protect data and preserve service is to store all non-OS data on enterprise storage that supports advanced mirroring or snapshot capabilities. If I had a NetApp, I could create a read-only snapshot and give the FBI access to that point-in-time copy of data and never delete it until I can do a DR copy of my filer onto another box. If I have an EMC or Hitachi or other large RAID1-capable unit, I can break off a very large mirror and present it to FBI hosts on a SAN and continue to run off of unprotected data or implement a disaster recovery plan to get me running again on another similar storage. This data isn't as clean as a "drive in a bag", but with proper notes and techniques, the FBI can be convincing enough to a jury that the data that was used in the investigation was correctly read unmodified "beyond a reasonable doubt".
If I'm really good, and have a bigger budget, I'll have a near-real-time mirror of that data (NetApp SnapMirror, EMC SRDF, "rsync", etc.) in a remote location that runs independently of my primary site and a plan that will help keep me running while I let the FBI tear apart my primary data center.
If you run a 100% uptime service ("Show me the nines!"), it's your responsibility to have an effective disaster recovery plan. An FBI or Secret Service raid is the equivalent of a jumbo jet crashing into your data center. You as an individual have a RIGHT to privacy and due process, but your company has created obligations to your customers to which you've guaranteed service, and your customers care more about the latter than the former. It's more responsible to have a DR plan and sue the FBI to replace your hardware than not have a plan and sue for lost business.
-ez
If the checksum doesn't fit, you can't commit!
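The comment above makes two points a practitioner should be able to act on: a copy is only evidence if you can show it matches the original and has not been touched since, and the "proper notes" that go with a broken-off mirror or snapshot are a chain-of-custody record. The script below is an added example, not code from the poster or from any of the products named; it does what forensic imagers such as dcfldd do in spirit: stream a source (a pulled mirror disk, a snapshot, or here a constructed file standing in for `/dev/sdb1`) into an image, hash both sides independently, write a JSON manifest with the hashes and a custody log beside the image, and later re-verify the image and detect a single flipped byte. The examiner names are placeholders. On a real disk you would open the source read-only (and mount any copy with `-o ro,noatime,loop`, as mentioned earlier in the thread) so that the act of reading does not update access times.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB read granularity keeps memory flat for very large images


def _utc_now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def acquire_image(source_path, image_path, examiner="examiner (placeholder)"):
    """Copy source into image while hashing, then write image_path + '.json' as the manifest."""
    src_hash = hashlib.sha256()
    size = 0
    started = _utc_now()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)       # hash of what was read from the original
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())           # make sure the bytes are on disk before hashing them
    image_hash = _sha256_file(image_path)  # independent pass over what was actually stored
    if image_hash != src_hash.hexdigest():
        raise RuntimeError("image hash does not match source hash; acquisition failed")
    manifest = {
        "source": source_path,
        "image": image_path,
        "bytes": size,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_hash,
        "acquired_utc": started,
        "custody": [{"holder": examiner, "action": "acquired", "utc": started}],
    }
    with open(image_path + ".json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, manifest):
    """True if the image still hashes to the value recorded at acquisition."""
    return _sha256_file(image_path) == manifest["image_sha256"]


def transfer_custody(manifest, new_holder):
    """Append a hand-over entry; the manifest travels with the image."""
    manifest["custody"].append({"holder": new_holder, "action": "received", "utc": _utc_now()})
    with open(manifest["image"] + ".json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def demo():
    """Constructed scenario: acquire, hand over, verify, then detect a one-byte change."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "sdb1.raw")   # stands in for the pulled RAID1 member
        image = os.path.join(tmp, "sdb1.img")
        with open(source, "wb") as f:            # constructed 3 MiB of "disk" content
            f.write(bytes(range(256)) * (3 * 4096))
        manifest = acquire_image(source, image, examiner="hosting-admin (placeholder)")
        transfer_custody(manifest, "agent (placeholder)")
        clean = verify_image(image, manifest)
        with open(image, "r+b") as f:            # flip one bit deep inside the image
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0x01]))
        tampered = not verify_image(image, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    m, clean, tampered = demo()
    print(json.dumps(m, indent=2))
    print("verified clean:", clean, "| tamper detected:", tampered)
```

The two independent hashes matter: the source hash proves what was read, the image hash proves what was written, and a mismatch aborts the acquisition rather than silently producing evidence that will not stand up later. The manifest file is the written record the comment calls "proper notes"; keeping it outside the image means anyone can re-run `verify_image` months later without trusting the image to describe itself.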
Believe me, the last thing some poor special agent wants to do is sift through TBs of customer crap and put a company out of business or under financial hardship.
It's far more serious than simply putting a financial hardship on the data center and their customers. It is entirely possible that the FBI has gone beyond the authority granted to them in the warrant. Their warrant only allows them to search and seize specific items related to a crime.
It is highly likely that by seizing all machines and data of a commercial data center, they have deprived several customers of their due process of law (5th) and freedom from search and seizure (4th).
The company in question, known as "Foonet" or "Creative Internet Technologies", is well known to anyone who frequents efnet as a safe haven for anyone involved in illegal activities, including DDoS, child porn, compromising hosts, spamming, carding etc. The staff of foonet are well known for overlooking illegal activity by their customers.
Most likely the fbi turned up to confiscate one or two customers' boxes and saw how stuffed with illegal data their network is; virtually everyone on efnet who is involved with illegal activity used to base their operation from foonet. The servers there will be a total goldmine of evidence for the fbi.
In fact, the staff themselves at foonet are well known for breaking the law, in particular "Paul" who owns the company gives shell accounts or free hosting to people who will ddos for him, and often the staff at foonet have used their customers' credit cards for fraudulent transactions.
While everyone seems to be focusing on the FBI and its antics, hackers behind the scenes are running around making fools of intelligent men.
This weekend, we saw foonet disappear without a trace, mirc-x, aniverse, and rizen brought down in flames by DDoS attacks, and (ranked least important on this list) the anime fansubbing scene, as well as Paul (the one actually served with the warrant says #foonet on efnet) in complete disarray and confusion.
Maybe in a few weeks, some legitimate news corporation will repost what I'm about to suggest with more information.
foonet's ircd was probably a host for some sort of illegality, hence the FBI's raid.
The warrant may have been formed with the help of an IRCop on mirc-x.
While sustaining DDoS attacks, a user visited mirc-x appearing to "be the culprit," and left a few locations he could be found.
Reading between lines, the lingo announced the reason for the attack: That damn IRCop reported my irc server with a lot of hacked computers taken away. So I'm bringing down his network.
What was the reason the IRCop reported anything? Did he crack a joke about the hacker's mother? Or was he just doing the "right thing?"
Sadly enough, by the end of the weekend, the anime scene had pretty much caused the death of 3 servers either due to load, or to followed DDoS attacks on other servers.
I have to wonder if there's actually a connection between the two events. 3 IRC networks down and an entire hosting company at a local FBI headquarters because of hacker squabbles? Are they really that important and/or worth the time?
I wish I knew. I wish someone could actually write about it. My story can't possibly be true.
-Kenners EE,CE,JP&RPI.EDU
Low-end hosting often doesn't work that way; I know because I've been on the receiving end of no backups recently. Someone buys a dedicated server with a particular configuration from the data center, and sells reseller or shared hosting to a lot of other people. The data is very often only on the disk(s) on that system; backups are often not done depending upon how much the purchaser of the dedicated server wanted to pay.
Other people who provide hosting services do take advantage of the backup capability offered by the data center, but it is seldom more often than once per week. If the feds wanted fresh logfiles, the only way to get them would be to go to the machines themselves; if they want older ones, the data center would need to have a mechanism to quickly go the the correct backup file(s) and extract just the pertinent ones. That is not a process that most places have down to a science.
What I'm surprised at is that they thought it would be more efficient to do this themselves. You'd think they'd send in their forensic folks and work with the admins to get what they needed. A few hours is not enough time, but a couple of days you'd think might.
- Leo
You don't use science to show that you're right, you use science to become right.
Right on target. In my experience the FBI couldn't give a rat's ass about causing the least amount of collateral damage or returning your seized property. In 2001 (I believe that's right) the FBI seized a Sun 20 from a lab at a University I worked for. The lab was less than maintained. It was full of SGIs that were vulnerable to every possible exploit for the last 5 or 6 years. It was a joke really. The Sun was also unmaintained. I pointed out to my super 10 months before the seizure that the Sun was an open relay and had services running that shouldn't be (I still have that email!). Nevertheless it wasn't touched for 10 months. Right about the time I volunteered to help the lab maintainer get everything up to date and secure again, the FBI came in and seized the Sun. It apparently was used for something bad. I haven't been with that University for a while now but last I knew it still hadn't been returned. The FBI couldn't give a rat's ass about causing the least amount of collateral damage. Their actions speak for themselves. What if the machine used for the attack (or probe for that matter) was the University's mail server? It was poorly maintained too and had been hacked before. What if an attacker used it as a launching pad for an attack? Would the FBI seize that piece of state property, effectively bringing email on campus to a complete halt? It's sad really to think about it.