Slashdot Mirror


FBI Seizes Server Providing Anonymous Remailer Service

sunbird writes "At 16:00 ET on April 18, federal agents seized a server located in a New York colocation facility shared by May First / People Link and Riseup.net. The server was operated by the European Counter Network ("ECN"), the oldest independent internet service provider in Europe. The server was seized as a part of the investigation into bomb threats sent via the Mixmaster anonymous remailer received by the University of Pittsburgh that were previously discussed on Slashdot. As a result of the seizure, hundreds of unrelated people and organizations have been disrupted."


  1. What does this help? by Anonymous Coward · · Score: 5, Interesting

    Unless the server was keeping logs, and I presume that it wasn't, how could seizing it possibly help the investigation?

    1. Re:What does this help? by Reasonable+Facsimile · · Score: 4, Funny

      Unless the server was keeping logs, and I presume that it wasn't, how could seizing it possibly help the investigation?

      The files are in the computer.

    2. Re:What does this help? by Wowsers · · Score: 5, Insightful

      It's a clear signal to people that if you run a business and your server is in the US, the US can kill your business stone dead in a raid which may have nothing to do with you other than being co-hosted at a server farm. And people wonder why less business is going to the US.

      --
      Take Nobody's Word For It.
    3. Re:What does this help? by Anonymous Coward · · Score: 1, Informative

      If your entire business depends on a single server you have more pressing problems to deal with. Gremlins are more likely to ruin you than jack-booted thugs. In fact, a Gremlin will on average take down your server once every two years. The odds of the FBI doing that are probably once in a thousand years, all things considered.

    4. Re:What does this help? by cyachallenge · · Score: 5, Funny

      If you remember in some of the pirate bay litigation they actually seized the computer RAM. :) The RAM contained case relevant material (at least when it had voltage going through it). Law and technical computer topics rarely mix well.

    5. Re:What does this help? by Anonymous Coward · · Score: 1

      I'm sure the FBI would be happy to take all of them.

    6. Re:What does this help? by Guppy06 · · Score: 2

      and I presume that it wasn't

      Don't presume, verify.

    7. Re:What does this help? by Reasonable+Facsimile · · Score: 1

      If you remember in some of the pirate bay litigation they actually seized the computer RAM. :) The RAM contained case relevant material (at least when it had voltage going through it). Law and technical computer topics rarely mix well.

      Holy crap.

    8. Re:What does this help? by Anonymous Coward · · Score: 1, Interesting

      Citation please (not trying to be a troll, I'm genuinely interested).

      Either they made a copy of the content of the RAM (smart), they tried a cold boot attack (in which case this is the first time I hear of law enforcement doing this) or they are technically illiterate.

    9. Re:What does this help? by NoSleepDemon · · Score: 1

      Well that's a nice round number, it's when it hits 256 that you really should start to get worried =)

    10. Re:What does this help? by Anonymous Coward · · Score: 1

      There are lots of small businesses like mine that don't have the resources to maintain multiple servers. We only recently got to a point where spending a few hundred dollars on multiple servers might be considered worthwhile given the costs. Right now we spend $60 or so a month as it is on hosting (VPS) and lots more on phone, Internet, and other services. Small businesses that haven't gotten off the ground can't afford these luxuries. That is not to say there aren't solutions to this problem. But saying all businesses should simply set up multiple servers without regard for circumstances is wrong. My solution was to literally set up our server to compress, split, and email backups of our entire database and web site on a nightly basis to a free GMail account (yes- it is encrypted with GPG first). I started this company with little more than $10 and a roof over my head (parents' basement, ok, not really the basement, but still, one room in a residential area). We broke even just this past summer although are doing phenomenal now and future sales are anticipated in the millions of dollars. I'm expecting to see the million dollar mark in the coming months. We have agreements in place that should see our profits rise 100x fold.

      And for anybody who thinks that free software (think freedom, not open source) isn't profitable you are a moron. It can be done and chances are you just don't have any business sense. I'm 27 and founded this company almost straight out of college (I took several months off). I'll admit we are succeeding by leaps and bounds where everybody else has failed.

    11. Re:What does this help? by KiloByte · · Score: 4, Insightful

      or they are technically illiterate.

      From a technical point of view, their action is completely pointless. But from the social point of view, it works. They're sending a loud and clear message: if you try to stand up to your rights, you WILL be trampled.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    12. Re:What does this help? by evil_aaronm · · Score: 1

      Or some PHB thought it would be a good idea and, at the very least, he could say he tried it. "Leave no stone unturned," you know.

    13. Re:What does this help? by TheCarp · · Score: 2

      You know, we took an outage in our dev lab yesterday when a PDU blew, and took out some fiber that was running next to it. Shit happens...maybe not often, but it does. Any individual server can go, for any number of reasons, some of which are totally outside the server.

      If we are talking about unimportant services, sure... leave it up to a single server. If your business depends on it though? Well then I guess if your business isn't worth keeping up in an outage...then enjoy but... I would consider that important enough to have a couple, in different places.... hopefully in an active/active config but, even a warm spare means being back up reasonably fast.

      It's not about how likely it is...given enough time unlikely events happen. It's a question of how fast you can recover WHEN it happens.

      --
      "I opened my eyes, and everything went dark again"
    14. Re:What does this help? by Nefarious+Wheel · · Score: 1

      As a long-time follower of Groklaw.net, I've read of this happening before. Lawyers trying to seize the wind by asking for a machine's RAM. Not the contents, the RAM itself. Little green sticks. Lovely, no?

      --
      Do not mock my vision of impractical footwear
    15. Re:What does this help? by fustakrakich · · Score: 1

      Say what? The Gremlins lost the war over 65 years ago..

      --
      “He’s not deformed, he’s just drunk!”
    16. Re:What does this help? by mcavic · · Score: 1

      I read that too, but don't have a link. I guess the easiest thing to do would be to dump the RAM from inside the running OS, but you'd need admin access. You might also try warm-booting into a specialized OS, but I don't know if that would preserve the RAM or not.

    17. Re:What does this help? by Jeremiah+Cornelius · · Score: 3, Insightful

      The legal and forensic arguments from which this action stems are a part of American policy which can, in fact, apply to any jurisdiction. Taken pretty strictly as it is defined, the policy can be expressed: "Look, We're the FBI. That means you're fucked, no matter what you do."

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    18. Re:What does this help? by 0123456 · · Score: 3, Interesting

      You know, we took an outage in our dev lab yesterday when a PDU blew, and took out some fiber that was running next to it. Shit happens...maybe not often, but it does.

      Dual PSUs fed from two independent PDUs fed by two independent power sources. We would just shrug and replace the PDU if that happened.

      It's a question of how fast you can recover WHEN it happens.

      Much faster from a blown PDU than from having your server confiscated by the Feds because some other user may have broken the law.

    19. Re:What does this help? by 0123456 · · Score: 1

      Yeah, I'm sure some hardware register was stuck with all bits set; power cycling fixed it.

    20. Re:What does this help? by JazzLad · · Score: 2
      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
    21. Re:What does this help? by MrQuacker · · Score: 1

      Maybe instead of solving the crime, it simply stops more threats from being mailed out. Until a new anon-service is found. And in the meantime the person might mess up and reveal themselves.

    22. Re:What does this help? by philip.paradis · · Score: 1

      Especially if the RAM is cooled sufficiently, cold boot attacks can be effective for information retrieval from "volatile" memory.

      --
      Write failed: Broken pipe
    23. Re:What does this help? by Anonymous Coward · · Score: 1

      You can do live forensics using a special device. I believe firewire ports allow for it via direct DMA. There is no contamination with this method as the contents in RAM are not modified nor is anything loaded into RAM (such as would happen from running a program from a flash drive/cd). Sadly courts / government are now saying it is legal to do things like install keyloggers and then use the evidence. Despite the fact these keyloggers have been in cases ruled illegal it was based on the wrong reasons and another keylogger trojan could be written to fix the problem. Basically the problem the court found was that the software could load modules which did something other than permitted by the courts. I believe there was actually evidence that the keylogger software isn't being used as permitted too which is a problem. Long story short while live forensics may have some merit I think as a general rule it shouldn't be allowed even if using firewire / DMA methods which don't contaminate. The reason being the software is extremely complicated and expert witnesses don't understand the issues sufficiently as to why random contents / strings in memory are not reliable. Essentially the prosecutors are using 'experts' to testify that words like 'how to kill' were found and thus there is evidence of premeditation when in reality the contents found in cache was only part of a string and/or corrupted. There may or may not be evidence of said corruption and nobody (including the author himself) is likely to know for sure what the case is. Particularly depending on the circumstances. Memory is a shared resource and the contents can be something other than expected. For instance if you write a program to do some arithmetic or create a file of a certain size using particular functions you may end up reading in unexpected data if things are not initialised properly. This may not be true on GNU/Linux although I did see this in Microsoft Windows. I found it quite disturbing.

    24. Re:What does this help? by hairyfeet · · Score: 2

      Or even more likely they are like the vast majority of computer users out there and don't know the difference between RAM, CPU and HDD. I don't know how many times I've dealt with extremely smart people, people that hold very complex jobs, that simply don't understand the difference between memory and hard drive or CPU and GPU.

      Sadly to many the PC is a "black box" that they know enough about to operate but don't even know the tiniest bit when it comes to what it's made of or what it actually does. I've actually talked to cops that thought you should be able to "hack" a machine by simply being told the physical address of the person or that you should be able to push some button and magically have every password that has ever been used by a person simply by having their system. Too much CSI I guess but at least they didn't tell me to trace down an IP address using VB.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    25. Re:What does this help? by mug+funky · · Score: 1

      FTS:

      "May First / People Link and Riseup.net"
      "As a result of the seizure, hundreds of unrelated people and organizations have been disrupted."

      harassment... intentional collateral damage... who knows?

      it still amuses me that they up and take the server and walk out with it. why not put that police tape around the server room, and let the FBI techie do his/her thing in a new place?

      of course, yanking the connections will have the same effect, but it would be much easier for the techie to just say "hey, this thing doesn't keep logs" and let the collateral damage get on with their business.

    26. Re:What does this help? by mug+funky · · Score: 1

      then it would suddenly read 0 degrees?

    27. Re:What does this help? by Anthony+Mouse · · Score: 1

      They're sending a loud and clear message: if you try to stand up to your rights, you WILL be trampled.

      I tend to take it as an invitation to claim to be Spartacus. Because, you know, if they think they can get away with this then there need to be more people doing the thing they're trying to prevent.

    28. Re:What does this help? by the+eric+conspiracy · · Score: 1

      Lots of things can take down a server. Memory going bad, drive controller karking up, cap on a motherboard going bad, cpu fan dying etc.

      Seems to me that it has to be a pretty half-ass ISP that can't bring a replacement mail server up an hour or so after losing one.

    29. Re:What does this help? by Zemran · · Score: 2, Interesting

      My hosting is up for renewal next month and I am already looking to move out of the US for security even though I do not think that I am doing anything of interest to them, I do not know what else is being done at my provider. It is not just bad guys that get taken down, everyone using that service suffered. I do not want to suffer when the jackboots arrive. I want somewhere safe and stable like Switzerland. I am sure that someone will post a reply quoting a bad incident in Switzerland but we could fill several pages with bad incidents in the US.

      --
      I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
    30. Re:What does this help? by AHuxley · · Score: 1

      It's chilling to other firms, .coms, IT people, admins, owners, ISPs, lawyers, accountants- everybody screams out -
      Log everything, make sure it's easy to get the data, keep everything, if we cooperate we might get our hardware back sooner, did we do due diligence on users?
      The ex NSA, GCHQ, DIA, CIA, cyber command - could do this in a nice way as contractors.
      Feel that push for CISPA to get real telco immunity? The company is protected from users and the feds get CALEA++++ like access.
      Until then it's "Alright sir, I just need to check inside your server."
      Yes, you're a smart admin, aren't you sir?

      --
      Domestic spying is now "Benign Information Gathering"
    31. Re:What does this help? by CBravo · · Score: 1

      You also have double fibers?

      --
      nosig today
    32. Re:What does this help? by Yvanhoe · · Score: 2

      It is not likely at all. We are in 2012 and during several years, various companies have shamelessly sold the "cyber-war" concept. There have been billions (really) of dollars made in training and countermeasure tools for federal organizations.

      You are not in the 90s anymore where a scriptkiddy could brute-force FBI passwords without being noticed. You now should assume competence in the people charged with these affairs.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    33. Re:What does this help? by FlyveHest · · Score: 1

      So, to do business online you absolutely must have at least 2 colocated servers?

      I sure hope that it's possible for a startup to run their first version(s) on a single server, hosted at one provider.

    34. Re:What does this help? by hairyfeet · · Score: 2

      And you are assuming the same government that spent $600 on a toilet seat didn't piss a large amount of that money away on kickbacks and buying worthless training videos created by insiders who got no bid contracts. By your logic that would mean those retarded TSA goons would have the same level and skill as a secret service agent, because after all we have supposedly spent millions and millions on their training right? yet we have people walking through that forgot to take a fricking handgun out of their bag and not get caught while they yank diapers off little old ladies.

      If ever "Never ascribe to malice that which is adequately explained by incompetence" fit it would have to be the US government friend. All too many of them only care about is getting elected or looking like they are "doing something" that will get them a bigger budget. And look up the whole "taking the RAM" incident, we aren't talking some rare thing that would actually stop anybody but instead they believed according to their brief that "the RAM contained evidence" which I wouldn't be surprised if they got from some CSI where they magicked the contents of the memory and found the killer...using technobabble "science" of course.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    35. Re:What does this help? by CuriousGeorge113 · · Score: 1

      Intimidation.

      Anyone running even a small data center knows that the US government can just walk in the front door and seize whatever they want. Yes, there is the formality of a warrant, but most judges will sign off on anything related to terrorism. (No judge wants to be 'that guy' who didn't help the police catch the Pitt bomber before he kills a bunch of people, etc etc.)

      This gives them the ability to intimidate other ISP's & data centers. "Oh, you don't want to cooperate? OK, we'll be back with a warrant. How much are each of those servers to replace? What about that nice SAN over there? Those 10GB switches? Yes, you'll get everything back when we're done. Might be a few years though...."

      Yes, it's a game. Yes, it's nefarious. But, it works.
      Is it ethical? Probably not. Is calling in 100 bomb threats ethical? No.

      Do two lefts make a right? No, but three do.

      --
      No man is an island, But if you take a bunch of dead guys and tie them together, they make a pretty good raft.
    36. Re:What does this help? by CuriousGeorge113 · · Score: 1

      Megaupload had two primary centers, one in Virginia and the other in the Netherlands. I've heard they had a few other smaller colo's as well.

      Megaupload, as a corporation, wasn't even based in the US. The US government successfully shut them down.

      --
      No man is an island, But if you take a bunch of dead guys and tie them together, they make a pretty good raft.
    37. Re:What does this help? by lipanitech · · Score: 1

      They probably want to get it off the air to analyze but I agree I doubt anything on there will be of any use.

    38. Re:What does this help? by helix2301 · · Score: 1

      I agree these guys are not amateurs they are not going to leave info that could burn them on a server accessible to the FBI. But some amateur hackers have been doing things in Anonymous's name. Maybe that's who the FBI is after.

    39. Re:What does this help? by swalve · · Score: 1

      No, the hard drive is storage. It's pretty basic computing 101. If you need an analogy, consider an office desk. The surface of the desk is a computer's memory, the drawers are the storage.

    40. Re:What does this help? by CastrTroy · · Score: 1

      Actually, the hard drive is most frequently referred to as "storage" so that it isn't confused with "memory". When talking about computers, memory always means RAM. I've never heard a competent person in the IT field refer to a hard drive as memory.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    41. Re:What does this help? by Steauengeglase · · Score: 1

      They were raided by Fish and Wildlife, not the FBI. From there the details get very murky (everyone has their own spin).

      Beyond losing some wood, it only made Gibson more money as folks ran out to buy their products at (IMHO) already inflated prices.

    42. Re:What does this help? by DrProton · · Score: 1

      how could seizing it possibly help the investigation?

      Perhaps they want to run the machine and observe its operation.

      --
      "Mit der Dummheit kaempfen Goetter selbst vergebens." - Schiller
    43. Re:What does this help? by lokiTM · · Score: 1

      Unless the FBI was able to catch the messages on the fly, it is incredibly unlikely that anything would be left on the disk or in RAM. Even if there was something, it would just point back to a previous Mixmaster node. Because Mixmaster is high latency / store and forward, it has much better security characteristics than a real time / low latency system like TOR. I spent a lot of time on the design to protect against this kind of thing.

    44. Re:What does this help? by TheCarp · · Score: 1

      yes but, they were after megaupload. Of course you would make a coordinated takedown of a multi-homed system. Of course.... warm spares may be invisible until it's time to turn them on... but that's beside the point.

      Remember, we are talking about a customer who was on the same box. So... in theory, sharing a box/rack/whatever with someone who may be their target...it is unlikely that secondary boxes would be shared with the same other customer.... especially if at another DC.

      --
      "I opened my eyes, and everything went dark again"
    45. Re:What does this help? by KingMotley · · Score: 1

      No. Hard drives are secondary memory. But you are correct, this is basic computing 101; You need to go back to class.

    46. Re:What does this help? by KingMotley · · Score: 1

      You should/would/will be taught this in your first year in college, but here's a reference (Yes, I know, wikipedia and all that, but I'm too lazy to look up references from my computer books from 20 years ago): http://en.wikipedia.org/wiki/Computer_memory

      And if you are too lazy to go look it up, here's the first two paragraphs:

      In computing, memory refers to the physical devices used to store programs (sequences of instructions) or data (e.g. program state information) on a temporary or permanent basis for use in a computer or other digital electronic device. The term primary memory is used for the information in physical systems which are fast (i.e. RAM), as a distinction from secondary memory, which are physical devices for program and data storage which are slow to access but offer higher memory capacity. Primary memory stored on secondary memory is called "virtual memory".

      The term "storage" is often (but not always) used in separate computers of traditional secondary memory such as tape, magnetic disks and optical discs (CD-ROM and DVD-ROM). The term "memory" is often (but not always) associated with addressable semiconductor memory, i.e. integrated circuits consisting of silicon-based transistors, used for example as primary memory but also other purposes in computers and other digital electronic devices.

    47. Re:What does this help? by Caratted · · Score: 1

      something something semantics something blahblahblah.

      How about you assume he does know what he's talking about, since rarely does anybody say "probably needs a new secondary memory controller and platter due to [insert hdd problem]." Not to mention I can now quote you as saying "hard drive memories."

      Or you can just go about being an a-hole, I don't particularly care. I'm just informing you that nobody else does, either.

    48. Re:What does this help? by KingMotley · · Score: 1

      Feel free to quote me as saying "RAM and hard drive memories" if you wish, as I mentioned two types of memory.

      Let's assume I know what I am talking about, but since you don't, here:
      http://en.wikipedia.org/wiki/Computer_memory

      And if you are too lazy to go look it up, here's the first two paragraphs:

      In computing, memory refers to the physical devices used to store programs (sequences of instructions) or data (e.g. program state information) on a temporary or permanent basis for use in a computer or other digital electronic device. The term primary memory is used for the information in physical systems which are fast (i.e. RAM), as a distinction from secondary memory, which are physical devices for program and data storage which are slow to access but offer higher memory capacity. Primary memory stored on secondary memory is called "virtual memory".

      The term "storage" is often (but not always) used in separate computers of traditional secondary memory such as tape, magnetic disks and optical discs (CD-ROM and DVD-ROM). The term "memory" is often (but not always) associated with addressable semiconductor memory, i.e. integrated circuits consisting of silicon-based transistors, used for example as primary memory but also other purposes in computers and other digital electronic devices.

      You can complain all you want, but when someone goes on a rant about how someone doesn't know the difference between memory and hard drives, when he himself obviously doesn't is quite silly. Even sillier for you calling me out on pointing it out to him.

      Feel free to PM me if you wish, I can get you more references that point very specifically that hard drives are a type of memory in well published books if you want to continue being ignorant.

    49. Re:What does this help? by Lord+Chaos+EOG · · Score: 1

      Our business is small and most of it dependent on a single server. Outages are rare and easy to fix with minimum downtime...Having the FBI confiscate the server would be a bigger and more dangerous threat.

    50. Re:What does this help? by gweihir · · Score: 1

      Indeed. Unfortunately, it seems possible that the FBI did catch all messages in-flight for a time. In that case they are possibly hoping to get first-hop messages that they can somehow correlate (time, size, number sent) with the final messages. Note that even if they end up with a number of possibles, they are probably not above searching a few hundred people. Remember, the users of Mixmaster are "anonymity-terrorists" anyways. If the attacker was careful and used different chains for the messages, that will not help though.

      But criminals do make mistakes and the authorities like to intimidate everybody that defies their authority, like Mixmaster users. I consider it possible that the node was on some list for some time and the authorities were just waiting for a reason to harass it.

      So, if the FBI finds the attacker with this, then we do know the following:
      1) The attacker was not careful
      2) The FBI has access to all/most traffic of at least this Mixmaster node and possibly additional ones

      I do consider it far more likely though that this is just a fishing expedition (prompted by technological incompetence), or a pure pre-planned exercise in harassment.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    51. Re:What does this help? by Maxmin · · Score: 1

      how could seizing it possibly help the investigation?

      I can't believe you really think that law enforcement investigations are only about gathering evidence and impartially serving justice?

      Clearly, the point of the seizure was to interfere with the remailer, shut them down (albeit temporarily, likely), and maybe discover some forensic evidence that might be used to ensnare others.

      Pre- and ex-judicial property seizures are always about fucking with the innocent-until-proven-guilty.

      --
      O lord, bless this thy holy hand grenade, that with it thou mayest blow thine enemies to tiny bits, in thy mercy.
    52. Re:What does this help? by philip.paradis · · Score: 1

      Netcraft confirms it: you're a pedantic asshole, and your subsequent attempts to defend your pedantry only serve to make you look more pathetic. Listen, I've been doing this computing/programming/networking thing since about 1989. My history includes stuff like Timex Sinclair boxes with tape decks (Hey, look! It's technically memory, but commonly referred to as persistent storage), 8086 boxes such as the venerable AT&T PC-6300 with a badass 360K floppy drive (holy crap, memory once again, but most commonly referred to as removable diskette storage) and a whopping 10 MB hard drive (chrissake, look at that shit, it's memory again but most commonly referred to as a goldanged hard drive), various CP/M boxes, a couple of SCO boxes, some early SGI hardware, a slew of 386/486/586 (I still hate Cyrix) boxes, RS/6000 boxes running AIX at first and Debian once I "fixed" them (fun with null modem cables), what you might call "modern" servers spanning multiple datacenters and numbering in the thousands, etc.

      Over the years, when somebody who knows what the hell he's talking about says something like "gosh, I need more memory," nobody with half a clue assumed he was referring to hard drive space. Conversely, when somebody said something like "golly gee whiz, I sure am seeing high utilization on my filesystems," it was safe to assume he wasn't talking about fucking ramdisks. Attempting to cloud the issue in a pathetic attempt (via another reply of yours) to reference swap space (virtual memory, whatever makes you feel good) as memory in a vain attempt to prop up your prior pedantry honestly only serves one purpose: it further reinforces your status as pedantic asshole.

      In short, you can quote all the technical references you want. Hell, it's not unlikely that I've personally written or substantially contributed to a lot of documentation that you've read. What really matters here is the simple fact that you're being called out for what you are. Stop screwing with people and go do something useful, Junior.

      --
      Write failed: Broken pipe
  2. Did they at least manage to figure out what server by Qzukk · · Score: 5, Interesting

    Or did they just kick over all the racks and rip everything out like they seem to do on a regular basis?

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  3. Correction by busyqth · · Score: 5, Funny

    FBI seizes terrorist server run by commies.
    Grateful American people throw candy and flowers at heroic agents.

    1. Re:Correction by fustakrakich · · Score: 1

      Finding the terrorists is all about destroying every last one of them.

      That would make the planet a very lonely place.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Correction by cavreader · · Score: 1

      The Soviets were good reliable opponents. Both they and the US had limitations on their aggressiveness towards each other because they both had 1000's of nukes aimed at one another. Blowing up airplanes and office buildings would have led to WW3 which would have lasted about an hour from start to finish. Today's terrorist organizations are unpredictable and under no such constraints and take the chance to kill as many people as possible with each attack.

    3. Re:Correction by ColdWetDog · · Score: 2

      So we should give the terrorists lots of nukes and a command and control system?

      Sounds perfectly reasonable.

      --
      Faster! Faster! Faster would be better!
    4. Re:Correction by cavreader · · Score: 2

      All the major nuclear states have proven they are responsible in the handling of nuclear weapons. They also have high levels of security to prevent these weapons from being compromised and provided to 3rd parties. The current Iranian issue is not really about them actually using a nuke if they had one. This is about them being able to provide the weapons to one of the 3rd party organizations they support. That's their standard method of projecting military power while being able to maintain plausible deniability. If a terrorist was able to get a nuke and use it Iran is counting on not being definitively identified as the supplier thus avoiding any immediate retaliatory strike. However, the source of the weapon would eventually be identified but it might take a few months in which time the initial outrage would have dissipated. Would the world approve of a retaliatory attack 6 months after the weapon has been used?

    5. Re:Correction by WeeBit · · Score: 1

      FBI seizes terrorist server run by commies.

      Grateful American people throw candy and flowers at heroic agents.

      And some Americans even kissed their ass! /s

  4. What did you expect? by OverlordQ · · Score: 1

    When their reply was basically "If we don't let them send bomb threats, we're undermining free speech and the Internet"

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:What did you expect? by v1 · · Score: 5, Insightful

      "If we don't let them send bomb threats, we're undermining free speech and the Internet"

      To which I reply "They need to find a different way to discourage or stop them from sending bomb threats. Inflicting me with collateral damage in the quest for better law enforcement is unacceptable, and so is removing my ability to speak with anonymity."

      Given the choice, I think I'd rather deal with the occasional bomb threat than not be able to speak anonymously.

      --
      I work for the Department of Redundancy Department.
    2. Re:What did you expect? by houghi · · Score: 4, Interesting

      Given the choice, I think I'd rather deal with the occasional bomb threat than not be able to speak anonymously.

      Give me liberty or give me death.
      There: Translated that for you.
      Also: I rather die on my feet then live on my knees.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:What did you expect? by Em+Adespoton · · Score: 4, Insightful

      "If we don't let them send bomb threats, we're undermining free speech and the Internet"

      To which I reply "They need to find a different way to discourage or stop them from sending bomb threats. Inflicting me with collateral damage in the quest for better law enforcement is unacceptable, and so is removing my ability to speak with anonymity."

      Given the choice, I think I'd rather deal with the occasional bomb threat than not be able to speak anonymously.

      Or, to totally mangle a famous quote:

      "First they came for the anonymous, but I was not anonymous, so I did nothing." That's probably true to life for most people actually....

    4. Re:What did you expect? by v1 · · Score: 1

      Also: I rather die on my feet then live on my knees.

      [grammarnazi] I don't think you can do those two things in that order....[/grammarnazi]

      --
      I work for the Department of Redundancy Department.
    5. Re:What did you expect? by Guppy06 · · Score: 1

      Your inconvenience in having to find yourself another anonymous remailer is outweighed by someone else's jeopardy to life and limb.

    6. Re:What did you expect? by DdJ · · Score: 5, Interesting

      FYI, we're not dealing with "the occasional bomb threat" here.

      The University of Pittsburgh (which is down the street from where I work) has gotten multiple bomb threats per day every day for weeks now.

      Many students have been driven out of their dorms, to live off campus, because the evacuations were too disruptive. The campus police are no doubt way over budget. Classes are disrupted to the point where folks on academic probation were told this semester "doesn't count".

      At this moment, as I type this, two buildings have evacuation notices. Earlier today, eleven buildings had to be evacuated.

      And today was not exceptional.

      If you want to follow this yourselves, evacuation notices go out over the @PittTweet twitter account.

      Now, I'm not trying to say "knocking every anonymous remailer off the internet is justified". Please don't assume I think that. I'm just pointing out that this very much isn't a case of "the occasional bomb threat". It's basically a full-on ongoing multi-day denial-of-service attack on the Pitt police, Pittsburgh police, and a bunch of the university, happening in meatspace.

    7. Re:What did you expect? by nurb432 · · Score: 1

      Only a terrorist or child molester needs anonymity. What are you hiding?

      --
      ---- Booth was a patriot ----
    8. Re:What did you expect? by jpapon · · Score: 1

      You don't know, he could be a vampire or some other mythical creature which dies every day... then the statement would be grammatically correct. As long as dying isn't a hypothetical, it makes sense.

      --
      -- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
    9. Re:What did you expect? by Bucky24 · · Score: 1

      I absolutely agree with you on that. But that's not the reason I don't approve of this action. It's a form of government oversight that I don't particularly want to have.

      --
      All the world's a CPU, and all the men and women merely AI agents
    10. Re:What did you expect? by NeverSuchBefore · · Score: 1

      The inconvenience you suffer by not being able to ride on planes without getting molested by the TSA is outweighed by someone else's jeopardy to life and limb.

    11. Re:What did you expect? by Sipper · · Score: 2

      "Stand back... I'm going to try LOGIC..."

      FYI, we're not dealing with "the occasional bomb threat" here.

      The University of Pittsburgh (which is down the street from where I work) has gotten multiple bomb threats per day every day for weeks now.

      Many students have been driven out of their dorms, to live off campus, because the evacuations were too disruptive.

      ...

      I agree that this situation stinks, and that obviously constantly evacuating buildings is very disruptive. However at the same time, can't the University of Pittsburgh and the Pittsburgh police stop doing that and ignore the bomb threats, knowing that their leg is being pulled? I realize that there may be some legal precedent why they can't... but at some point logic and common sense, along with the knowledge of "The boy who cried wolf" should also come into play. :-/

    12. Re:What did you expect? by misexistentialist · · Score: 1

      More like a crazy immune response than a denial of service attack. I mean what happens when someone mails them a letter saying that they are going to bomb "one or more university buildings within the next 20 years"? If they are able to ignore indeterminate threats like that they can ignore unsubstantiated clusters of threats.

    13. Re:What did you expect? by Guppy06 · · Score: 1

      You're comparing potential threats to actual (and continuing) threats.

    14. Re:What did you expect? by j00r0m4nc3r · · Score: 1

      I don't understand why they need to disrupt a whole array of services that people are paying for in order to catch one guy emailing bomb threats. Are the computer security and forensics guys in the FBI such morons that they can't do any detective work without pulling out their big black boots and seizing the server(s)? Seriously, any 12-year-old Chinese hacker would probably do a better job.

    15. Re:What did you expect? by Guppy06 · · Score: 1

      The servers weren't seized because they "might" be misused, but because they were being misused.

    16. Re:What did you expect? by Obfuscant · · Score: 4, Insightful

      However at the same time, can't the University of Pittsburgh and the Pittsburgh police stop doing that and ignore the bomb threats, knowing that their leg is being pulled?

      No. The next time it might not be a joke.

      Universities are being sued for not doing enough to stop violence on campus when it happens, as rare as it is, and as much as they do. It's never enough for the lawyers and "grieving heirs".

      It's a large "corporation" to start with, and state schools have the combined pockets of the taxpayer to pick. You can't sue a school for being too careful, only if something happens and you can convince a judge that they might not have done enough. Why make it a slam-dunk victory for millions by ignoring the last, valid threat?

      This is the same reason that cops have to go check out 911 hangup calls. Most likely, it was someone who dialed by accident and then said "oh shit" and hung up. If they try to dodge the problem by turning their cell phone off, or not answering, the cops will show up to see if everything is ok. If the cops just ignored the call, they'd be sued by everyone involved when it turns out that the caller was forced to hang up, or the wire was ripped out of the wall, by her violent husband or vice versa, and someone wound up dead.

    17. Re:What did you expect? by roystgnr · · Score: 1

      The additional facts and context are much appreciated. However:

      Now, I'm not trying to say "knocking every anonymous remailer off the internet is justified". Please don't assume I think that.

      Do you instead think that "allowing unlimited anonymous communication is justified", even if it means that false bomb threats become as common as litter? Although I'm sure we'd all agree that ethically there's a middle ground between these two points, that may be a moot point if technically no such middle ground exists. And I don't see a technical middle ground, do you? Either truly anonymous speech is possible or it isn't. The mixmaster software can't distinguish between good and evil messages passing through.

    18. Re:What did you expect? by maccodemonkey · · Score: 1

      If it's anonymous, they don't even know if the next bomb threat is coming from the same person. Might mess with how serious you take a bomb threat compared to the previous ones. You don't want the one coming from a copycat who's actually planting a bomb to be the one you ignore.

    19. Re:What did you expect? by the+eric+conspiracy · · Score: 1

      You cannot do a detailed forensic analysis of a computer without taking it out of service. So you might as well seize it.

      And WTF kind of ISP doesn't have backup hardware? There should be NO disruption of services when a server is taken out of production.

    20. Re:What did you expect? by NeverSuchBefore · · Score: 1

      No, these are potential threats as well. There is no guarantee a bombing will happen.

      But, to begin with, the logic is the same: hurting everyone to stop X is okay because people could get hurt by X.

    21. Re:What did you expect? by qubezz · · Score: 1

      Except if this wolf comes, it has no relationship to a boy crying at all.

      I would find it highly likely that research will show the vast majority of bombings come with no threat, and the vast majority of threats come with no bombing. You can completely disarm the threat as an act of terrorism by simply ignoring it or at least by giving the impression the threat was completely ignored. You must digitally sign your threatening email and not hide behind a remailer before we will take it seriously.

      The most infuriating thing about this story is that by doing absolutely nothing illegal, you can have your property stolen by armed FBI thugs.

    22. Re:What did you expect? by Guppy06 · · Score: 1

      You're comparing "someone, somewhere, something bad might happen involving an airplane" to "a bomb will explode in ABC building on XYZ date."

      You're also comparing "everyone" to "the users of this particular service provider."

    23. Re:What did you expect? by Guppy06 · · Score: 1

      Last I checked, a threat of violence is not actual violence

      Then you need to re-read the legal definition of assault.

    24. Re:What did you expect? by rtb61 · · Score: 1

      Let's just say you wanted to knock every anonymous internet remailer off the internet, how would you go about it?

      If you wanted to scan through them and possibly leave some corrupted hardware in those servers to monitor them, how would you go about it?

      If you wanted to launch a big fishing expedition on those servers, how would you go about it?

      All a little too convenient, simpler to host your servers in another country than put up with junk like this.

      --
      Chaos - everything, everywhere, everywhen
    25. Re:What did you expect? by NeverSuchBefore · · Score: 1

      You're comparing "someone, somewhere, something bad might happen involving an airplane" to "a bomb will explode in ABC building on XYZ date."

      It's just a threat. "A bomb might explode." "A terrorist might attack."

      Sorry, but I don't believe in collective punishment at all. Word games or not, the logic is almost exactly the same.

      You're also comparing "everyone" to "the users of this particular service provider."

      All of the users of this particular service. You knew what I meant. It makes no difference, as everyone is being punished.

    26. Re:What did you expect? by NeverSuchBefore · · Score: 1

      legal definition

      The law is not always right. What he said was correct. A threat is not the exact same thing as actual violence. Punching someone in the face is very clearly different than threatening to do so. In only one of those scenarios someone actually got punched in the face.

    27. Re:What did you expect? by NeverSuchBefore · · Score: 2

      continual random searches of people and places

      That sounds about as awful of a solution as the TSA. If the solution violates people's privacy, I don't want it. I'd rather them evacuate the building for the 50th time.

    28. Re:What did you expect? by Guppy06 · · Score: 1

      A threat is not the exact same thing as actual violence.

      By your definition, pointing a gun at someone's face (a/k/a "assault with a deadly weapon") isn't violence unless and until you pull the trigger?

      Your libertarian fantasy would have every mob enforcer walk free.

      In only one of those scenarios someone actually got punched in the face.

      Congratulations, you've just found the difference between assault and battery. But in both scenarios (provided the victim saw it coming), the victim was...

      No, if I'm going to copypasta anything, it will be what I just wrote:

      Then you need to re-read the legal definition of assault.

    29. Re:What did you expect? by Guppy06 · · Score: 1

      It's just a threat. "A bomb might explode."

      No. "A bomb will explode, at $location and $time." In each instance, a clear and specific threat was made, by someone claiming to be the perpetrator.

      All of the users of this particular service.

      No. The "service provider." Users of other anonymous mailers are unaffected, and these other anonymous mailers are still available to the affected parties.

    30. Re:What did you expect? by Nyder · · Score: 1

      This is the same reason that cops have to go check out 911 hangup calls. Most likely, it was someone who dialed by accident and then said "oh shit" and hung up. If they try to dodge the problem by turning their cell phone off, or not answering, the cops will show up to see if everything is ok. If the cops just ignored the call, they'd be sued by everyone involved when it turns out that the caller was forced to hang up, or the wire was ripped out of the wall, by her violent husband or vice versa, and someone wound up dead.

      actually, the 911 people call back to make sure it's not an accidental call before they send a police to check.

      --
      Be seeing you...
    31. Re:What did you expect? by NeverSuchBefore · · Score: 1

      No. "A bomb will explode, at $location and $time." In each instance, a clear and specific threat was made, by someone claiming to be the perpetrator.

      They do not know that a bomb will actually explode. I thought it would be plainly obvious what I was trying to say, but I guess not.

      No. The "service provider."

      Oh, okay. My stance on collective punishment remains the same, though.

    32. Re:What did you expect? by NeverSuchBefore · · Score: 1

      By your definition, pointing a gun at someone's face (a/k/a "assault with a deadly weapon") isn't violence unless and until you pull the trigger?

      Indeed it's not. But I also never said that pointing a gun at someone's face should be legal.

      Congratulations, you've just found the difference between assault and battery.

      He didn't mention anything about assault or battery. He just mentioned that threats are not the same as actual violence. Which I maintain is true. You brought up legal definitions, but they're irrelevant to what he said.

    33. Re:What did you expect? by Culture20 · · Score: 1

      legal definition

      The law is not always right. What he said was correct. A threat is not the exact same thing as actual violence. Punching someone in the face is very clearly different than threatening to do so. In only one of those scenarios someone actually got punched in the face.

      But in both of those cases, someone is hurt. Threats and menace are crimes because the fear of danger imposed upon the victim is psychological damage. Menace especially can lead to escalation of violence (in self defense) due to proximity.

    34. Re:What did you expect? by NeverSuchBefore · · Score: 1

      But in both of those cases, someone is hurt.

      It doesn't matter. That isn't what I (or I suspect he) was talking about. The harm caused by punching someone and threatening to punch them are fundamentally different (well, one might be mental harm, while the other might be mental and physical harm).

      I wasn't saying threats shouldn't be against the law.

    35. Re:What did you expect? by Culture20 · · Score: 4, Insightful

      can't the University of Pittsburgh and the Pittsburgh police stop doing that and ignore the bomb threats, knowing that their leg is being pulled? [...] "The boy who cried wolf" should also come into play

      There are two morals to the story of "The boy who cried wolf":
      Don't consistently lie or you'll get eaten (the moral for children)
      Sometimes, children's lies end up being the truth, so pay attention every time or they'll get eaten (the moral for adults)
      If you want to discourage lying, punish the liars when they're caught, but don't ignore what seems like a lie because it might be the truth.

    36. Re:What did you expect? by NeverSuchBefore · · Score: 1

      Maybe the problem is their constant evacuations? That's not to say that the person sending the threats has nothing to do with it... they do, quite a bit. But you can't react to every threat when it's this costly and there's a low probability that they will act (which, based on how many empty threats there have been, this seems to be true). But at the same time, I don't blame the university. We live in a lawsuit-happy society. It's a shame that people would sue others because they didn't react to something that was highly unlikely to begin with and win (and the person being sued didn't even do the damage to begin with).

    37. Re:What did you expect? by Sipper · · Score: 1

      can't the University of Pittsburgh and the Pittsburgh police stop doing that and ignore the bomb threats, knowing that their leg is being pulled? [...] "The boy who cried wolf" should also come into play

      There are two morals to the story of "The boy who cried wolf":

      Don't consistently lie or you'll get eaten (the moral for children)

      Sometimes, children's lies end up being the truth, so pay attention every time or they'll get eaten (the moral for adults)

      If you want to discourage lying, punish the liars when they're caught, but don't ignore what seems like a lie because it might be the truth.

      Point taken. [Several others have essentially said the same thing, but I believe the above is the most succinct/eloquent statement of it.]

    38. Re:What did you expect? by LanMan04 · · Score: 1

      The University of Pittsburgh (which is down the street from where I work) has gotten multiple bomb threats per day every day for weeks now.

      So just fucking ignore them.

      How many false positives do you need before you realize this is a scam/prank/whatever?

      --
      With the first link, the chain is forged.
    39. Re:What did you expect? by DdJ · · Score: 1

      If they were a private business, they could.

      As a university, they cannot, especially after Virginia Tech. Go read what Schneier recently wrote on the topic.

    40. Re:What did you expect? by Obfuscant · · Score: 1

      actually, the 911 people call back to make sure it's not an accidental call before they send a police to check.

      I know. That's why I talked about the caller trying to dodge the problem by turning his cell phone off or not answering the phone. If he turns his phone off or doesn't answer, the dispatcher can't deal with the call without sending an officer.

    41. Re:What did you expect? by Thing+1 · · Score: 1

      You can't sue a school for being too careful [...]

      Perhaps we should start. A spanner in the gears; "vote gridlock".

      --
      I feel fantastic, and I'm still alive.
    42. Re:What did you expect? by Em+Adespoton · · Score: 1

      That's just so original.... I bet you're living the life of Brian.

    43. Re:What did you expect? by gweihir · · Score: 1

      FYI, we're not dealing with "the occasional bomb threat" here.

      The University of Pittsburgh (which is down the street from where I work) has gotten multiple bomb threats per day every day for weeks now.

      Well, if it was that many, correlation attacks on Mixmaster might just become possible and give them a clue where the messages came from. If they have a lot of traffic data for the Mixmaster net. Given the amount of snooping the US government does against its citizens, this just seems plausible.

      I wonder however what they want with a single Mixmaster node. For that they would have to have a pattern of messages sent to the node as first hop that somehow matches the arriving messages at the target. Maybe the attackers are stupid and have some timestamps in there and the FBI found the message traffic to austria matching those.

      The other option is that austria was an exit-node for some of the messages and they are now tracing it back. This would imply more compromised nodes in the near future.

      It could also just be an attempt to stop the threats by intimidation or a plain, pre-planned harassment action that is only loosely connected to the bomb threats.

      Time will tell. While not having read it, I am sure the Mixmaster docu warns that the message content of what you send can still be used to trace the messages to you.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    44. Re:What did you expect? by Goat+of+Death · · Score: 1

      Actually, there is case law that went all the way to the Supreme Court that decided the cops indeed have absolutely no obligation to help you and cannot be sued for not showing up.

      Two women heard a sexual assault going on in their building. They called the cops. No cops showed. The women heard the assault stop. They waited and figured the guy had left. They went downstairs to help the assaulted woman if they could. Turns out the guy had not left and proceeded to rape the would be saviors.

      The good samaritan women sued the police force for not responding to the call. Several years and appeals later it reached the Supreme Court where it was affirmed that the cops are under no specific obligation to respond to any given call. Cops can freely ignore 911 calls if they so choose with no legal repercussions unless local statutes are in place that say otherwise.

  5. nonsense by Tom · · Score: 5, Interesting

    More importantly: Unless the server operator was a total doofus, this brings them exactly zero steps towards resolving their problem, because this is exactly the kind of attack that Mixmasters was designed to withstand.

    Idiots. Is nobody teaching these fools basics about the stuff they encounter?

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:nonsense by Anonymous Coward · · Score: 2, Insightful

      More importantly: Unless the server operator was a total doofus, this brings them exactly zero steps towards resolving their problem, because this is exactly the kind of attack that Mixmasters was designed to withstand.

      Idiots. Is nobody teaching these fools basics about the stuff they encounter?

      I hate to defend them, but look at it from the FBI's point of view. Maybe the server operator was a total - or even a partial - doofus. The Feds would be even bigger doofuses (as in, negligent in their) to assume otherwise and not investigate the server. That's their job.

    2. Re:nonsense by tibit · · Score: 5, Insightful

      So, they really need a whole big stinkin' server? If you're a professional, you'd switch the server to single user mode, dump the drive contents to a portable drive, reboot the server, and be on your merry way. If they have proper forensic data analysis tools, they should be able to deal with all popular raid arrays out there, so given those you shut the server down, use a portable disk imager to copy the drives, you then replace the drives, power the server back up, and are on your merry way. I just don't get what they need the server itself for. They are after the data, not the hardware.

      --
      A successful API design takes a mixture of software design and pedagogy.
    3. Re:nonsense by Em+Adespoton · · Score: 5, Interesting

      Have you ever done data forensics? The first thing you learn is that it's not the same data if it's not on the original storage medium.

      Of course, what they SHOULD be able to do is shut the server down, clone the drive, pull the drive that has the warrant, and drop in the cloned drive. Of course, this requires cooperation with the victim, which obviously wasn't available in this case.

      To put it another way: they weren't after the hardware OR the data, they were after the incriminating evidence. Data by itself is hearsay (no way to prove beyond a shadow of a doubt that it was preserved in the same state and context).

    4. Re:nonsense by Burning1 · · Score: 2

      I suspect they wanted the drives themselves for analysis - makes it possible to look for deleted or over-written information that might not exist on a duplicated disk.

    5. Re:nonsense by cpu6502 · · Score: 2

      >>>I just don't get what they need the server itself for. They are after the data, not the hardware.

      Likewise the Russian government doesn't need to grab servers in order to investigate claims of "illegally-copied software", but they do it anyway in order to shut down groups that are critical of government. The FBI is simply employing the same tactic to silence human rights groups (many of which are critical of the Congress) under the cover of an "investigation". Two birds killed with one warrant.

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    6. Re:nonsense by Guppy06 · · Score: 1

      If you're a professional, you'd switch the server to single user mode, dump the drive contents to a portable drive, reboot the server, and be on your merry way.

      If you're a professional, you don't assume that the system isn't rigged to destroy evidence in the event of an attempted seizure.

      "On site" and "controlled environment" are mutually exclusive.

    7. Re:nonsense by mysidia · · Score: 1

      To parrot another response, there's also data on RAM that could have valuable info if they didn't shut down the machines.

      Perhaps if they ever come to prosecute someone, the defense can show how the investigative agents willfully destroyed evidence required for the defense by powering off the server and left it powered off for hours, resulting in data being permanently lost from RAM.

    8. Re:nonsense by mysidia · · Score: 1

      If you're a professional, you don't assume that the system isn't rigged to destroy evidence in the event of an attempted seizure.

      That can happen at a physical layer too. The chassis can be altered so that if an entry procedure is not followed, a data-destruct occurs if there is a chassis intrusion or if the chassis is moved.

      This can be done by installing an interposer circuit in between disk drives and the drive controller with an independent power supply.

      If a "destruct" event occurs; the independent battery powers up the disk drives, locks in ATA Secure Erase Mode, and detonates an explosive charge of just sufficient strength to shatter the glass plates in the hard drives.

      Anyways... if the volume decryption key is rendered unusable by 1 second of ATA Secure erase, there is no opportunity at all to interrupt the process.

    9. Re:nonsense by evil_aaronm · · Score: 1

      "Wasn't available in this case." Oh, I'm sure it was available. The FBI is just carrying on its proud tradition of not giving a fuck. It's more "bad ass" that way. In fact, I can see agents rehearsing in the mirror: "That's right, mofo, I'm takin' it. Whatcha gonna do about it... Punk?"

    10. Re:nonsense by Anonymous Coward · · Score: 1

      How do you know they powered it down?

      It is possible to switch the power supply to something portable and move it while still powered on.

    11. Re:nonsense by BronsCon · · Score: 4, Funny

      the FBI have equipment that can clone disks without needing to even apply power to the drive.

      Then they're in the wrong business. They need to start producing and selling these ultra-efficient disks that don't require power for read operations. Imagine the battery life on your laptop running one of THOSE!

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    12. Re:nonsense by RollingThunder · · Score: 1

      Agreed. A number of forensic power supplies exist, ranging from full-PC units to ones that just manage the hard drive, and can be engaged without interrupting power.

    13. Re:nonsense by dondelelcaro · · Score: 1

      If you're a professional, you'd switch the server to single user mode, dump the drive contents to a portable drive, reboot the server, and be on your merry way.

      And if you were really a professional, you'd get a search warrant for a complete wiretap on the server, and track all packets coming in and out. You might also compromise the machine so you could obtain all of the unencrypted traffic entering and exiting the machine. But the FBI apparently isn't that smart.

      --
      http://www.donarmstrong.com
    14. Re:nonsense by bmo · · Score: 4, Informative

      makes it possible to look for deleted or over-written information that might not exist on a duplicated disk.

      Deleted stuff is never erased, just marked as "free space" by the OS.

      Overwritten data, these days, is unrecoverable, even if only overwritten once. There has not been a single criminal case that I can remember where data was overwritten and then recovered on modern drives. The standard of multiple overwrites for true erasure is from the days when disks were physically huge, and the recorded area was huge, and head alignment wasn't always the greatest thing in the world.

      Go read the epilogue to Peter Gutmann's paper

      http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

      A simple dd of the original drives would have given investigators all the information that was available, including deleted files.

      --
      BMO

    15. Re:nonsense by tibit · · Score: 1

      Yeah, but the AC above does have a point:

      ...it detects that you're not the usual sysadmin and silently wipes all logs.

      You need to choose a level of paranoia. If you really think that there's so much going on that there's anything useful in the RAM of the server, then it's not a long shot to assume that if said server detects that both gigabit links on the back are down, it may as well wipe stuff.

      IOW: there's no ideal, realistic solution. If you assume that the sysadmin was paranoid to the point of encrypting all the data and the keys being only in RAM, then it's fair deal to assume that the data is lost as soon as you start tweaking things, even moving the server while powered up.

      If you assume, like on every normal server out there, that RAM contents are of no importance, then probably it's safe to assume that single-user mode operates as designed, and it can be used to get the data off the drives in spite of not having a proper tool to directly read the drives that are a part of hardware RAID (like they'd likely be). If you don't know the passwords, then of course single user mode is out anyway, and you have to reboot to your recovery medium of choice and use that to dump the drives; most RAID out there would be handled by any recent linux recovery disk so you'd get access to drive contents.

      Alas, professionals would have forensic data recovery software available, so there's no point in not pressing the power button, waiting for the shutdown (or even forcibly cutting power), then imaging the drives and dealing with reconstructing it once you're back in the office.

      --
      A successful API design takes a mixture of software design and pedagogy.
    16. Re:nonsense by tibit · · Score: 1

      The first thing you learn is that it's not the same data if it's not on the original storage medium.

      Since, obviously, the data cares very much what medium it's on, and bits may start looking all worried at you if you copy them. You get the original drive, use a disk imager to obtain the digital signature of original contents (the private key and the signing engine is in a tamperproof chip inside the imager), make an image, get the signature on the image, sign the affidavits, and be good and done.

      --
      A successful API design takes a mixture of software design and pedagogy.
    17. Re:nonsense by tibit · · Score: 2

      There is no such thing and hasn't been for more than a decade. It's a legend that was once true: in times of MFM and RLL drives, and early PRML drives. Nobody offers such analysis, feel free to prove me wrong by providing someone who would quote it for any hard drive that was shipped in the last decade. The quote would be for data recovery after the drive was overwritten precisely once with zeroes.

      --
      A successful API design takes a mixture of software design and pedagogy.
    18. Re:nonsense by Obfuscant · · Score: 1

      Since, obviously, the data cares very much what medium it's on, and bits may start looking all worried at you if you copy them.

      Stop being deliberately silly.

      You get the original drive,

      Which you will have to preserve in its original state as closely as possible, to the point that you might not even bother with a "clean shutdown" because the shutdown code could be rigged to wipe evidence. Yes, you perform the analysis on a signed copy, but you still need to keep the original to provide to the defense experts who will do their own imaging/signing/analysis.

      If the prosecution cannot prove to the court that their analysis was on the actual data, it will be thrown out. So, yes, in very real terms, it's not the same data if it isn't on the original medium.

    19. Re:nonsense by Obfuscant · · Score: 1

      This can be done by installing an interposer circuit in between disk drives and the drive controller with an independent power supply.

      This requires a bit more work than simply putting code in one file in /etc/init.d under the "stop" function, called by one of the K-files in rc3.d, that deletes any incriminating files. Shutdown code is a lot less dangerous than having to deal with explosive charges. And if triggered by accident, doesn't leave a slag heap or shrapnel.

      When explosive charges in confiscated servers become a significant issue, cops will start treating every confiscated server like it has explosive charges. "Modify disk on shutdown" is so easy to do that they have to assume it will be, and thus treat the server like it will do that. Pull the plug instead of clean shutdown, e.g.

    20. Re:nonsense by the+eric+conspiracy · · Score: 1

      Wrong.

      "Mark Johnson, a digital forensics contractor for ManTech International who works for the Army's Computer Crime Investigative Unit, examined an image of Manning's personal MacBook Pro and said he found 14 to 15 pages of chats in unallocated space on the hard drive that were discussions of unspecified government info between Manning and a person believed to be Assange, which specifically made a reference to re-sending info."

      "Johnson testified that he found two attempts to delete data on Manning's laptop. Sometime in January 2010, the computer's OS was re-installed, deleting information prior to that time. Then, on or around Jan. 31, someone attempted to erase the drive by doing what's called a "zerofill" -- a process of overwriting data with zeroes. Whoever initiated the process chose an option for overwriting the data 35 times -- a high-security option that results in thorough deletion -- but that operation was canceled. Later, the operation was initiated again, but the person chose the option to overwrite the information only once -- a much less secure and less thorough option.

      All the data that Johnson was able to retrieve from un-allocated space came after that overwrite, he said.

      http://www.wired.com/threatlevel/2011/12/manning-assange-laptop/

    21. Re:nonsense by the+eric+conspiracy · · Score: 2

      Forensic investigation of a computer includes a capture of the machine's memory, not just the drive contents.

    22. Re:nonsense by eggstasy · · Score: 1

      Do you even read what you write? The data came after the overwrite, meaning, it was written there again after the multiple zerofills.
      On top of what the parent posters said about sector size etc. we have the fact that bits are perpendicular to the platter nowadays.

    23. Re:nonsense by the+eric+conspiracy · · Score: 1

      So why are they saying a single overwrite is less secure?

    24. Re:nonsense by qubezz · · Score: 1

      Another fucking idiot. Can't we IP ban stupidity? You put the key for hardware encryption on the drive so that you can erase 4096 bits and render the whole drive completely unreadable forever.

    25. Re:nonsense by tibit · · Score: 3, Informative

      You misunderstood what the cited article was saying. First of all, the article was essentially hearsay - a story of what Johnson said, retold by someone who didn't have much clue. Yet, obviously, nowhere did they say that they used magnetic force microscopy to recover data from the platters, as that would be the only technology that would have a chance (except, these days, it doesn't). All they did was a regular read from the drive and found some sectors that the zero-fill didn't overwrite. What happened, most likely, was that the zero-fill was only attempted on areas declared unallocated by the filesystem. Such areas are necessarily declared conservatively -- you should never trust a free-space erase on a mounted filesystem, and that's what seems to have happened here.

      Nowhere does the article disagree with what I'm saying, because, again, the legend of recovering the data from a zeroed-out hard drive is at this time nothing more. If you're lucky as in winning the lotto jackpot, and you're looking for very small amounts of data (say cryptographic keys), you may be able to recover useful error-correctable data from sectors that got reallocated because they started to fail. This doesn't require opening up the drive, merely gaining access to it via the factory/manufacturer mechanisms (there are software tools for that), so that you can read any sector, whether mapped into the space accessible via regular ATA data access calls or not. That's a slim chance, but if you're after a key or other short blurb, it's a low-hanging fruit -- and yes, in that case you need original drive, not an image.

      The deal with the drive you cite was as follows: it never got fully overwritten with zeroes. Were that the case, you'd never read about any large (more than dozens or hundreds randomly scattered sectors worth) data coming off of it, because, again, it's not possible anymore. If you want to overwrite a drive, you boot a DBAN CD/dongle and do it. One set of zeroes is enough. If you really worry about the few tens of nanometers worth of possibly relevant domains left over "between" the tracks, you can always overwrite it a couple times; I'd think thrice with random data plus once with zeroes is enough. You don't muck around with free-space overwriting, OS reinstallation, or anything of that sort.

      I think I posted something about it once somewhere where I argued that "obviously it's possible duh duh" -- I used to believe it until I looked at honest-to-goodness drive platters with a magnetic force microscope. Even at the highest magnification, where a single pixel is a few nanometers across, you can't see anything but random hash "between" the tracks. At such magnification, the individual bits are huge, and any remnants would be quite obvious. They were very obvious in times of early PRML drives and before that. That time is long gone. Thus, an obvious tip: don't store sensitive data on old hard drives (say early IDE drives).

      --
      A successful API design takes a mixture of software design and pedagogy.
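
Added example, not part of the thread: a toy block device showing the three cases discussed above (deleted data left in place, a free-space-only zero-fill, a whole-device zero-fill) as seen by an ordinary raw read. `ToyDisk`, the 32-byte block size and the marker strings are hypothetical, and modelling "conservatively declared" free space as file slack in a reallocated block is an assumption.

```python
BLOCK = 32  # toy block size in bytes (constructed for the example)


class ToyDisk:
    """Minimal block device with an allocation table, for illustration only."""

    def __init__(self, nblocks):
        self.raw = bytearray(BLOCK * nblocks)
        self.owner = [None] * nblocks          # block index -> owning file name

    def write_file(self, name, data):
        need = -(-len(data) // BLOCK)          # ceiling division
        free = [i for i, o in enumerate(self.owner) if o is None][:need]
        if len(free) < need:
            raise OSError("disk full")
        for n, i in enumerate(free):
            chunk = data[n * BLOCK:(n + 1) * BLOCK]
            # Only len(chunk) bytes are written; the rest of the block keeps
            # whatever was there before (file slack).
            self.raw[i * BLOCK:i * BLOCK + len(chunk)] = chunk
            self.owner[i] = name

    def delete(self, name):
        # Deleting only marks blocks free; the bytes stay on the device.
        self.owner = [None if o == name else o for o in self.owner]

    def wipe_free_space(self):
        # Zero only blocks the allocation table reports as free.
        for i, o in enumerate(self.owner):
            if o is None:
                self.raw[i * BLOCK:(i + 1) * BLOCK] = bytes(BLOCK)

    def wipe_device(self):
        # Zero every block, allocated or not (takes the live files with it).
        self.raw[:] = bytes(len(self.raw))


def raw_read_finds(disk, marker):
    """Scan the whole device image, ignoring the allocation table."""
    return marker in bytes(disk.raw)


def scenario(wipe):
    """Return (slack_marker_found, free_block_marker_found) after `wipe`."""
    disk = ToyDisk(8)
    # Constructed 64-byte file: one marker lands in block 0, one in block 1.
    old = b"x" * 8 + b"MARKER-IN-SLACK" + b"y" * 17 + b"MARKER-IN-FREE-BLOCK" + b"z" * 4
    disk.write_file("old.log", old)
    disk.delete("old.log")
    disk.write_file("new.txt", b"hello")       # reuses block 0, leaves its tail intact
    if wipe == "free":
        disk.wipe_free_space()
    elif wipe == "device":
        disk.wipe_device()
    return (raw_read_finds(disk, b"MARKER-IN-SLACK"),
            raw_read_finds(disk, b"MARKER-IN-FREE-BLOCK"))


if __name__ == "__main__":
    for mode in ("none", "free", "device"):
        print(mode, scenario(mode))
```
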
    26. Re:nonsense by Beryllium+Sphere(tm) · · Score: 1

      If that were correct then backups would not be admissible evidence. They are.

    27. Re:nonsense by MiG82au · · Score: 1

      I love it when I learn something obscure from Slashdot comments. Thanks.

    28. Re:nonsense by Leebert · · Score: 1

      No. That's why the standard for conviction is "reasonable doubt".

    29. Re:nonsense by lightknight · · Score: 1

      Magnetic domains. The data forensics kids have this idea (it may or may not be true) that when bits are flipped, some random atoms that make up that bit do not flip. I.e. the majority will flip, but some may not. As such, it is possible to extract previously written data by reading the 'minority report' of the data on the disk (I assume they extract all possible minority reports per bit, then try to match the file checksum; if / when it matches, there is a fair chance they've recovered the original file).

      Supposedly, using a SSD prevents them from doing this. But who knows: the data forensics field is, from what I can tell, filled with spooks, con-men, and scammers of every color. As such, it's hard to tell when someone actually 'found' something that 1.) wasn't placed there by a crooked member of the recovery team (no one is above corruption), and 2.) it's not the interrogator bluffing for more than he's worth (99% of all cases, I imagine).

      Still, it would explain the CIA's paranoid approach to hard drive disposal (grind it, melt it, etc.).

      --
      I am John Hurt.
    30. Re:nonsense by bmo · · Score: 2

      Forensic investigation of a computer includes a capture of the machine's memory,

      But that doesn't mean you need to walk away with the whole machine. Unplugging it and carrying it out the door does nothing for preservation of data in DRAM, which needs power to refresh memory. You can yank the RAM out and put it in dry ice to keep things from discharging too quickly, but you are under a pretty strict clock to get the RAM unplugged and into the analysis machine on the crash cart. If you physically unplug the entire server and cart it out the door, you've lost whatever data that was in RAM by the time you reach the truck door.

      Taking the entire server or rack of machines is nothing but intimidation.

      --
      BMO

    31. Re:nonsense by lightknight · · Score: 1

      Forgot to answer your question -> multiple overwrites, greater chance of getting those bit stragglers that refused to flip the previous times.

      I prefer the paranoid approach: just don't store anything supremely dangerous on a computer. Take the CIA's approach -> anything important is stored in people's heads only. And by people, I mean your head, and your head alone. And don't tell anyone about it. Sadly, it's the only safe thing you can do, as the Supreme Court has repeatedly failed to uphold your hypothetical right to privacy (and people looking for stuff won't care about that either -> they work on the mentality that it's only illegal if they get caught).

      --
      I am John Hurt.
    32. Re:nonsense by Leebert · · Score: 2

      If that were correct then backups would not be admissible evidence. They are.

      Welcome to Criminal Justice 101.

      Your first homework assignment is to read this:

      http://en.wikipedia.org/wiki/Best_evidence_rule

      Spoiler alert: Doing it is possible, but only in certain circumstances and it raises questions that you'd rather avoid as a prosecution. So they don't do it if they don't have to.

      (If it sounds snarky, I didn't mean to be. Trying to be funny but also informative...)

    33. Re:nonsense by mysidia · · Score: 1

      This requires a bit more work than simply putting code in one file in /etc/init.d under the "stop" function, called by one of the K-files in rc3.d, that deletes any incriminating files. Shutdown code is a lot less dangerous than having to deal with explosive charges.

      It's rather unlikely. Servers get rebooted all the time. There is a much simpler method: utilize full-drive encryption. When power is pulled, or a reboot occurs, the secured media becomes unreadable until actions are taken to decrypt and load encryption keys back into RAM and remount the secured volume -- then "pull the plug" as you suggest is destruction of evidence. The owner of the server may have a secret USB stick somewhere that is required to boot the server. Upon hearing that their servers are being seized, they go to their covert secure location, grab the USB stick and the backup stick, toss them both in a microwave, give it a good nuke, and then throw it in a dumpster somewhere. The servers' data is now impossible to recover.

      When explosive charges in confiscated servers becomes a significant issue, cops will start treating every confiscated server like it has explosive charges.

      The point is there are millions of possible methods of a server containing a data "self-destruct" mechanism, whether mechanical or logical; whether overt action is required by some mechanism, or the failure for some action to occur results in data becoming inaccessible. The practice that protects against one method ensures destruction of the data if a different method was used.

      If the server has unknown secured mechanisms for destroying the data, such as carefully attuned exploding charges/break the drive, or douse the disks in destructive acid, or logical methods, there's very little that can be done about that.

    34. Re:nonsense by bmo · · Score: 2

      It overwrites the file multiple times if necessary before optionally deleting it. As far as I know, shred is part of standard Linux so you should have it too.

      There is another tool you might like, and that's bcwipe.

      It does shred, but it also wipes free space on currently mounted drives.

      Jetico's bcwipe is open source and cost-free for *nix if you compile it yourself (it's *not* GPL or Free/Libre).

      I like it. I use it often.

      --
      BMO

    35. Re:nonsense by Cabriel · · Score: 1

      Intended side effect: The server operator may be more willing in the future to censor who uses his remailer for what purposes. Hey, if it becomes obvious that some dickweed is going to cause your remailing business* to be impeded, you might be willing to do something about it.

      "What?" you say. "Do something responsible? Perish the thought."

      *I don't know if the operator of the remailer was making any money from it. If he wasn't, then he was operating it for some reason, and that reason could be impeded by his server being raided in meatspace.

    36. Re:nonsense by Tom · · Score: 1

      The server operator may be more willing in the future to censor who uses his remailer for what purposes.

      Except that he can't. It's an anonymous remailer, even to the operator. That's kind of the whole point.

      Am I getting old when I look back and remember that there were times when people on /. generally knew what the heck they were talking about?

      *I don't know if the operator of the remailer was making any money from it.

      You could know if you'd know anything about remailing. The operator didn't make any money from it, because there is no way that you can. Since it is (I'm repeating myself here) an anonymous remailer, you simply wouldn't know where to send the bills. And since the mails are encrypted, you can't add any advertisement into them, either.

      --
      Assorted stuff I do sometimes: Lemuria.org
    37. Re:nonsense by Tom · · Score: 1

      All that happens is the next jerk who wants to send threats uses another anonymous service, this time in a different country.

      Not even that. He'll simply use a different chain of remailers. If he selected the chain randomly (which is recommended anyways), he won't even notice.

      --
      Assorted stuff I do sometimes: Lemuria.org
    38. Re:nonsense by Tom · · Score: 1

      That can happen at a physical layer too.

      But not in a shared server provided by the hosting company. ;-)

      --
      Assorted stuff I do sometimes: Lemuria.org
    39. Re:nonsense by Tom · · Score: 1

      They just have to cause enough people who provide these services financial, legal and psychological hardship to deter them from even running such servers.

      True, but then you forget that these are freedom-loving communist hippies. Chances are that you've just caused half a dozen people who were on the edge to start running a remailer.

      Not like it hasn't happened before...

      --
      Assorted stuff I do sometimes: Lemuria.org
    40. Re:nonsense by mrogers · · Score: 1

      Unless the server operator was a total doofus, this brings them exactly zero steps towards resolving their problem, because this is exactly the kind of attack that Mixmasters was designed to withstand.

      I'm not sure you're right about that. Unlike the more recent Mixminion design, Mixmaster doesn't provide forward secrecy. Each mix uses a long-term public/private key pair. To send a message anonymously, you encrypt it with the public key of each mix you want it to pass through, and each mix uses its own private key to remove a layer of encryption. The last mix in the chain removes the last layer of encryption and delivers the message to its destination. The mixes carry on using the same key pairs indefinitely.

      Now imagine you have the wiretapping and server-seizing powers of the FBI and you want to trace a message. You wiretap all the mixes and record the encrypted messages passing between them. When an unencrypted bomb threat pops out of one of the mixes, you seize that mix and use its private key to decrypt all the messages you recorded arriving at that mix. One of them decrypts to the bomb threat. You seize whichever mix that message came from and repeat.

      This attack has been known about ten years, which is why Mixminion changes its key pair periodically and uses TLS on the connections between mixes. But remailers don't get much attention these days, so it seems people are still using Mixmaster.

      TL;DR: You can trace messages by seizing Mixmaster servers. Expect more servers to be seized in the coming days.
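
Added example, not part of the thread and not Mixmaster or Mixminion code: a three-hop mix chain modelled with a toy Diffie-Hellman hybrid cipher, comparing how much previously recorded traffic remains linkable when mixes keep one long-term key versus when they rotate keys and destroy the old ones. The 127-bit group, packet layout, and the names `Mix`, `wrap`, `run` and `linkable_path` are hypothetical; batching, padding and TLS between mixes are not modelled.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, far too small for real use (assumption for the demo).
P = 2**127 - 1
G = 3


def keygen():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def _keystream(key, n):
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(pub, plaintext):
    """Encrypt to a mix's public key: ephemeral DH, hash keystream, HMAC tag."""
    eph_priv, eph_pub = keygen()
    key = pow(pub, eph_priv, P).to_bytes(16, "big")
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return eph_pub.to_bytes(16, "big") + hmac.new(key, ct, hashlib.sha256).digest() + ct


def unseal(priv, packet):
    """Return the plaintext, or None if this private key does not open the packet."""
    eph_pub, tag, ct = int.from_bytes(packet[:16], "big"), packet[16:48], packet[48:]
    key = pow(eph_pub, priv, P).to_bytes(16, "big")
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


class Mix:
    def __init__(self, name, rotate):
        self.name, self.rotate = name, rotate
        self.priv, self.pub = keygen()

    def forward(self, packet):
        """Strip one layer and return (next_hop, inner_packet)."""
        hop, inner = unseal(self.priv, packet).split(b"\n", 1)
        return hop.decode(), inner

    def end_epoch(self):
        """Rotating mixes discard the old private key; long-term mixes keep it."""
        if self.rotate:
            self.priv, self.pub = keygen()


def wrap(message, chain, recipient):
    """Build the layered packet for chain[0] -> ... -> chain[-1] -> recipient."""
    packet, next_hop = message, recipient
    for mix in reversed(chain):
        packet = seal(mix.pub, next_hop.encode() + b"\n" + packet)
        next_hop = mix.name
    return packet


def run(rotate):
    """Send one constructed message; return (mixes, recorded link traffic, delivered)."""
    mixes = {n: Mix(n, rotate) for n in ("mixA", "mixB", "mixC")}
    tap = []                                   # (sent_from, arrived_at, packet)
    packet = wrap(b"constructed test message", list(mixes.values()), "recipient")
    src, hop = "sender", "mixA"
    while hop in mixes:
        tap.append((src, hop, packet))
        src, (hop, packet) = hop, mixes[hop].forward(packet)
    for m in mixes.values():                   # time passes before any key is obtained
        m.end_epoch()
    return mixes, tap, packet


def linkable_path(mixes, tap, exit_mix, delivered):
    """Hops that recorded traffic links together using keys the mixes still hold."""
    path, at, want = [exit_mix], exit_mix, delivered
    while at in mixes:
        hit = None
        for src, dst, pkt in tap:
            plain = unseal(mixes[at].priv, pkt) if dst == at else None
            if plain is not None and plain.split(b"\n", 1)[1] == want:
                hit = (src, pkt)
        if hit is None:
            break
        at, want = hit
        path.append(at)
    return path


if __name__ == "__main__":
    for rotate in (False, True):
        mixes, tap, delivered = run(rotate)
        print("rotate" if rotate else "long-term",
              linkable_path(mixes, tap, "mixC", delivered))
```
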

    41. Re:nonsense by allo · · Score: 1

      and it's quite useless, if you're using a journaled filesystem.

    42. Re:nonsense by allo · · Score: 1

      so you say, when i write a file (if you want to, with all zeros, but this shouldn't matter for that issue), i can not assume it's on the disk like it wrote it?

      okay, disk manufacturers say there is a 1e-10 chance or something of a bit not being written correctly, but this is low enough ... ... to provide that all my files are written the way they should be ... one single erase is enough. when one or two bits are left, they cannot contain anything like an evidence, as every evidence clearly needs more than two bits of information.

    43. Re:nonsense by lightknight · · Score: 1

      Each bit, on a hard disk, is made up of a number of atoms. When the majority of them are magnetically oriented one way they read as a 1, and when they are oriented another, they read as a 0. When you write something, the majority of atoms, for that bit, flip. If you read in a series of those bits with a standard program, they will read back exactly what you wrote.

      Now, assume someone has your hard drive in a clean room. They take off the lid, and use a very sensitive head to read all the atoms that make up each bit. The majority of them will say whatever you last wrote there, but a small handful will still say what they were from the write previous to that one. Digital is implemented on top of analog devices. Perhaps the drive head was a little closer to the spindle on the previous write, perhaps a little further out. At which point, 90% of the track will have the most recent file, and 10% of the track will have the second most recent file. Got it? Due to the way things work, the past several recent files may be recovered.

      It's not one or two bits. It's several atoms per bit. And when you factor in file checksums (every operating system implements something that could work here, as well as the hardware level checksums), you have a more than fair chance at recovering some data. Hypothetically, anyway.

         

      --
      I am John Hurt.
    44. Re:nonsense by fafaforza · · Score: 1

      So do you honestly want the FBI to tell the people they are investigating that they will be coming in one hour to seize their system? Hope you have enough time to remove anything you might not want us to see? The amount of anti FBI venom on here is really grating, simply because it has to do with a computer.

    45. Re:nonsense by bky1701 · · Score: 1

      "Deleted stuff is never erased, just marked as "free space" by the OS."

      On some filesystems, that is enough to make the data unrecoverable. Just not the more common ones like NTFS and EXTn.

    46. Re:nonsense by evil_aaronm · · Score: 1

      No, the proposition was that the FBI simply could not avoid taking the entire machine with them. That's baloney. And they didn't need to provide any further warning for the raid, either. It's simple: Walk in unannounced, seize the machine, dupe the drive, put the new one in, take the original, machine is back in business. This is not exceptionally onerous for the FBI. We in the real world do it all the time. They just don't care about the people they raid, or collateral damage. I'm gonna say that's because there's practically no accountability. What is a sys-admin to do when the FBI shows up and takes the entire machine? Exactly: stand there and watch, and hope they don't shoot you, taze you, or arrest you for resisting arrest.

      And it's nothing to do with taking the computer that rubs some of us the wrong way: it's the total authoritarian attitude and behavior from the FBI. S'pose anyone could call up and ask for that machine back, or any further information about the investigation? Good luck with that. America fought against that shit when it came from King George. Why should we tolerate it any better when it's internal? It's still wrong.

    47. Re:nonsense by tibit · · Score: 1

      You're welcome. I have learned a bunch of stuff here as well. As far as non recoverability of zeroed-out data goes, nothing really beats a modern hard drive. Personally I think drive-level encryption in the drive can't be trusted for non-recoverability because I'm sure they can store the key somewhere where the informed governments can read it, it's not hard to hide it well enough. So, basically, there's no way to audit an encrypted hard drive to ensure there's no backdoor to the cryptographic key, so it can't be trusted for non-recoverability. Heck, there are many drives that store the plaintext password to the key, and there are even free tools that can recover that for some drive families! Then there are non-free tools that run a couple $k that recover that for most any drive out there, so it makes a bit of a joke of the whole on-drive-encryption thing.

      --
      A successful API design takes a mixture of software design and pedagogy.
    48. Re:nonsense by LanMan04 · · Score: 1

      Have you ever done data forensics? The first thing you learn is that it's not the same data if it's not on the original storage medium.

      As a matter of fact, yes I have. The first thing you do is clone the drive to as close to an identical drive as you have and then work on THAT, using a write-blocker.

      What, do you sit around combing through the ORIGINAL drive with EnCase using a write-blocker all day? What happens when the original drive goes tits up due to you banging on it all day? It should be sitting in an evidence locker.

      This discussion excluded SSDs, which do all kinds of wonky shit in the background that not even a write-blocker can protect you from...

      --
      With the first link, the chain is forged.
    49. Re:nonsense by EdwinFreed · · Score: 1

      This approach only works if the messages continue to be sent using the same mix. Which given all the publicity this has gotten and how these sorts of crazies tend to monitor every reference they get in the media, seems very unlikely.

      More specifically, they've seized one server, presumably after monitoring it for some time and capturing all the incoming messages. Now they use the private key to re-encrypt the message and look for a match among the incoming traffic. Assuming that traffic wasn't sent using a TLS mechanism with perfect forward secrecy, they now have the IP address of the next to last server in the mix. But what they don't have is any recordings of the traffic getting to that server. And unless the person sending these messages sends some more using the same mix, they will never be able to catch any.

      I suppose it's possible that after monitoring the traffic, they also started monitoring traffic coming in to every host that ever sent this system mail. But I'm dubious of the practicality of that, both in the legal and technical sense.

      What they should have done is use one of those handy-dandy national security letters or whatever they are called to gain access to the server in secret. They could have pried the private key loose that way, then initiated monitoring on the next server up the chain, another letter, and so on.

      Of course this also falls apart if one of the servers is some place that doesn't like the US and won't honor requests from US law enforcement.

    50. Re:nonsense by Obfuscant · · Score: 1

      It's rather unlikely. Servers get rebooted all the time. There is a much simpler method: utilize full-drive encryption.

      Adding a step to the shutdown process is simple, it's trivial to install, and it's trivial to turn off if you need to reboot. You can install something like that remotely -- you don't even have to have physical access to the system, and you can do it to a virtual machine without causing any harm to any other user of the physical hardware. You can't be forced to turn over a key to an encrypted file or disk if there is no file to decrypt, and there is no incriminating encrypted data to make the cops curious.

      The point is there are millions of possible methods of a server containing a data "self-destruct" mechanism,

      Yes, there are, but just like everyday life where there are millions of possible things you could have for lunch, there is a much more limited number of highly likely possibilities. It is extremely unlikely that anyone will install a system in a datacenter that contains explosive devices to turn the system into shrapnel if a network cable is disconnected. The triviality of a shutdown-based 'shred' command makes it much more likely.

      If the server has unknown secured mechanisms for destroying the data, such as carefully attuned exploding charges/break the drive, or douse the disks in destructive acid, or logical methods, there's very little that can be done about that.

      Oh, well then. Since it is very hard to defeat an explosive self-destruct, let's not bother doing anything to try to keep any other means of deleting data from happening. We might as well do a clean shutdown and let what happens happen. Or we might as well just ask the owner to pretty please make us a backup copy of all his files so we can look at them, right?

    51. Re:nonsense by bmo · · Score: 1

      By the way, Ku:rt of Hungary will recover anything bitish from anything IT if you have the money - burning, hammering, grinding, magnetizing are no obstacle.

      Really? They defeat the laws of physics when you have heated the platters above the Curie point they can get the data back?

      If I grind the oxide off, they can put the oxide back on?

      They can reconstruct the platters after I've shattered them with a .45ACP?

      How come the entire world doesn't know this?

      --
      BMO

    52. Re:nonsense by mrogers · · Score: 1

      This case is unusual in that there's been a long series of bomb threats - they could easily have started monitoring all known remailers a week ago. But I wouldn't be surprised if they had all known remailers under surveillance all the time - especially since they know that's necessary if they want to trace a message at any time in the future.

      What they should have done is use one of those handy-dandy national security letters or whatever they are called to gain access to the server in secret. They could have pried the private key loose that way, then initiated monitoring on the next server up the chain, another letter, and so on.

      Interesting point - I wonder if they thought the Riseup admins would blow the whistle and go to jail.

      Of course this also falls apart if one of the servers is some place that doesn't like the US and won't honor requests from US law enforcement.

      True. Watching this unfold could be an interesting lesson in the international reach (or not) of wiretap and seizure orders.

    53. Re:nonsense by bmo · · Score: 1

      He came out and basically said that company can perform magic. It was bullshit.

      >me being an asshole

      *holds up mirror*

      I have said before, get an account here, set your foe settings to -6 and foe me. It's one of the better Slashdot tools. You get the benefit of not ever seeing one of my posts ever again.

      But that is apparently too complicated for you.

      --
      BMO

    54. Re:nonsense by allo · · Score: 1

      Show me someone who says he can do this.

    55. Re:nonsense by mysidia · · Score: 1

      Adding a step to the shutdown process is simple, it's trivial to install, and it's trivial to turn off if you need to reboot.

      You don't necessarily control all reboots. Reboots sometimes are a result of application or OS failure, for example the INIT process receives a SIGINT signal. Under certain circumstances system management applications will issue reboot as an automatic response to a problem.

      It is extremely unlikely that anyone will install a system in a datacenter that contains explosive devices to turn the system into shrapnel if a network cable is disconnected.

      It's neither necessary nor likely that someone stuffs a server with a charge sufficient to turn the server into shrapnel; they only need the disk drive coated with enough material to destroy the drive inside the chassis, and extra shielding around the disk drive cage. If there was a risk of the server becoming shrapnel, this could endanger the server operator, and create unwanted risks, loss, and liability, should it accidentally be engaged.
      A mechanism to destroy the hard drives should affect the hard drives but no other system components.

      Also, there are self-destroying drives on the market.

    56. Re:nonsense by holdenweb · · Score: 1

      The point of the action wasn't necessarily to gain intelligence from a forensic analysis, but to inconvenience a perceived "enemy of the state" and serve as a warning to others who are contemplating similar activities.

    57. Re:nonsense by holdenweb · · Score: 1

      You do realize, I suppose, that by "switching the server to single-user mode" you destroy valuable forensic data? The correct procedure in such forensic investigations is to first capture all the non-volatile data (primarily RAM-based), then to REMOVE POWER (pull the plug from a server, remove the battery from a laptop). Only that way can you avoid shut-down procedures deleting further valuable information from the disk. Then you image the disk, take the original drive as evidence and (assuming you give a shit about the continued operation of the system, which the FBI clearly don't) leave the system with the copy. This assumes, of course, that you have the legal right to seize property. This should require a warrant, which is supposed to allow judicial supervision. Sadly the judiciary are closely aligned with law-enforcement and extremely badly informed about IT, so a warrant isn't difficult to obtain.

    58. Re:nonsense by Em+Adespoton · · Score: 1

      Indeed. My point was talking about the evidence, not talking about corrupting the original drive by poking around in it unnecessarily. You don't just image the drive and let the GP keep on using it, like the GP was suggesting (this story is about confiscating the drives having residual effects).

    59. Re:nonsense by gweihir · · Score: 1

      Depends on the amount of traffic data they have for the Mixmaster network. Apparently a lot of bomb threats are sent by these people. That could make correlation attacks on the Mixmaster network possible. In this case, this raid would have been about gathering evidence.

      However, if that is the case, I am wondering why they did not compromise a lot more Mixmaster nodes. A single node seems not very useful, unless they found a pattern that looks like it was first-in-chain. Even then, going after the sender directly would have been better, because they are now alerted. Maybe somebody with some kind of semi-knowledge of how Mixmaster works made that decision.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    60. Re:nonsense by gweihir · · Score: 1

      The server operator may be more willing in the future to censor who uses his remailer for what purposes.

      Except that he can't. It's an anonymous remailer, even to the operator. That's kind of the whole point.

      Am I getting old when I look back and remember that there were times when people on /. generally knew what the heck they were talking about?

      Seems to be getting worse lately (last few years). My impression is that CS studies have been massively dumbed down over the last two decades. Maybe CS is getting too hard to understand with the CS education younger people are getting at universities.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    61. Re:nonsense by gweihir · · Score: 1

      Oops, cut a quotation mark too many. Up to "generally knew what the heck they were talking about?" it is supposed to be quoted.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    62. Re:nonsense by hendrikboom · · Score: 1

      then it's possible to recover previously written data even after it's been overwritten, because erasure isn't complete, the heads weren't perfectly aligned so only most of the signal for each bit was overwritten, there's still a trace of the original magnetism slightly biasing the new, etc., all of which will not be present in the copy. Serious forensics can tease out this stuff. There's a reason why security erasure is a bigger deal than just reusing space.

    63. Re:nonsense by hendrikboom · · Score: 1

      Sorry. Other posts make it clear that that's no longer practical on modern, state-of-the-art drives. I stand corrected.

  6. Damn you George Bush! by Vinegar+Joe · · Score: 3, Funny

    I can't wait for the elections to come!

    --
    "The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
    1. Re:Damn you George Bush! by Anonymous Coward · · Score: 1

      Whoosh.

    2. Re:Damn you George Bush! by darthdavid · · Score: 1

      The whoosh you heard was the joke going over your head.

    3. Re:Damn you George Bush! by Threni · · Score: 1

      To be fair, it wasn't remotely funny; it was more a sort of a flaccid, farting sound.

    4. Re:Damn you George Bush! by cpu6502 · · Score: 1

      Damn you Mitt Romney!
      (I come from the future.)

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    5. Re:Damn you George Bush! by darthdavid · · Score: 1

      So more of a thppt than a woosh?

    6. Re:Damn you George Bush! by PRMan · · Score: 4, Funny

      I simply don't get this comment....If Obama was the god of freedom that Leftists claim, he would have overturned the over-extending post-911 policies of the Bush Administration such as the Patriot Act instead of reveling in them and expanding them like many non-liberals warned that he would.

      And you said you didn't get the joke...

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    7. Re:Damn you George Bush! by TapeCutter · · Score: 1

      C'mon, who are you trying to kid, we all know the POTUS is emperor of planet Earth.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    8. Re:Damn you George Bush! by evil_aaronm · · Score: 1

      If you don't totally support our efforts to make China and North Korea look like bastions of freedom in comparison, then you must be a terrorist! There is no in between, citizen! Why do you hate America?

      /snark

    9. Re:Damn you George Bush! by evil_aaronm · · Score: 3, Interesting

      Who needs legislation when the Pres has Executive Orders and legal counsel that will parse those orders 10 ways cubed to justify, if not make it look like the very definition of the "American Ideal" when, in fact, he's shitting on the Constitution? Remember "water boarding"? Was there any legislation for that? How about "extraordinary rendition"? "Free speech zones"?

    10. Re:Damn you George Bush! by bmo · · Score: 1

      10 ways cubed

      That's only a thousand.

      --
      BMO

  7. Not New by jimmerz28 · · Score: 2

    Whenever they take servers "down" it's like an ogre killing a spider with a tree trunk. They smash the table, furniture, and destroy the house along with the poor spider.

    1. Re:Not New by Anonymous Coward · · Score: 3, Insightful

      Don't worry, the spider will not be harmed; it will walk out between the debris and find a new place to hide...

    2. Re:Not New by JonySuede · · Score: 1

      But the disgusting spider is dead!
      Most of the time it's all that they need to know.

      --
      Jehovah be praised, Oracle was not selected
    3. Re:Not New by Kjella · · Score: 3, Insightful

      You're assuming the message was for the spider and not for everyone who has a spider in their house. And the message is that if you carry a service we don't like, we'll make sure to inflict as much damage as possible when we come for it. You get a pretty good self-censoring effect out of it. Same reason TOR doesn't scale very well, you'd have to be mildly insane to run an exit node as a private person.

      --
      Live today, because you never know what tomorrow brings
    4. Re:Not New by gweihir · · Score: 1

      They did not take the server down, just made a forensic copy. Basically that means a sector-image.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Not New by jimmerz28 · · Score: 1

      Hence the quotations around '"down"'.

  8. Mass disruption by Anonymous Coward · · Score: 1

    This is the stage in CISPA legislation where they try to win over people by pointing out, "Look, everyone got disrupted so we could find one user. If the service would just share information with the Government..." These disruptions aren't necessary. If the government wants to scrounge through logs they can do so while the servers are running. Who are the judges approving all these stupid warrants?

    1. Re:Mass disruption by evil_aaronm · · Score: 2

      Well, hell, in that case, let's nuke NYC, LA, DC, Detroit, etc. There's gotta be more than a few criminals in those towns. Sucks for the collateral damage, but, you know, gotta weed out those bad guys. They probably hate America, too, so all the more reason.

  9. So someone sends some bomb threats .. by n5vb · · Score: 4, Interesting

    ..and the FBI seizes the server they used?

    Anyone else think this is more believable as a denial of service attack, or as a pretext for taking down a troublesome server they couldn't legally seize by any other means, than as an actual threat?

    Unless the person sending them was stupid enough to think that a remailer would protect them from ever being caught, and didn't care that it was going to mean taking down the whole service for everyone else using it..

    1. Re:So someone sends some bomb threats .. by Guppy06 · · Score: 1

      Unless the person sending them was stupid enough to think that a remailer would protect them from ever being caught, and didn't care that it was going to mean taking down the whole service for everyone else using it..

      And you've just answered your own question! Don't worry, though, as I'm sure that this remailer was only the first of his Seven Proxies.

      New to the internet much? People are stupid.

      Besides, you're assuming that the perpetrator is both smart enough to be using this as a sideways method of getting the servers taken down and yet stupid enough to do it by way of a major felony that will practically land your ass in Gitmo if it goes wrong.

    2. Re:So someone sends some bomb threats .. by Zorque · · Score: 1

      Whoever it was didn't care that they were disrupting people's lives by having their classes cancelled over and over (and over, and over, and over. It was a continuous and practically psychotic series of threats), so of course they didn't care about getting a remailer taken down. I've spoken with people who live on campus there and the person sending the threats is clearly unstable at best.

    3. Re:So someone sends some bomb threats .. by the+eric+conspiracy · · Score: 1

      Any decent ISP will have a backup and have the service up and running again forthwith.

      If the customers are truly disrupted by this they would also be by any number of possible issues including something as basic as a drive going bad.

    4. Re:So someone sends some bomb threats .. by WrecklessSandwich · · Score: 1

      See this comment for some clarification on the situation. It's not "some" bomb threats, it's over one hundred bomb threats against specific buildings at a university with 28,000 students. They threaten academic buildings during class hours. They send in threats for dorm buildings in the middle of the night so that everyone has to be woken up and evacuated. They even sent a bomb threat to the hospital on campus, causing all of the patients to have to be evacuated. This is absolutely not some kind of convoluted plot to get a server shut down.

  10. Can You Say False Flag Opp? by msaroff · · Score: 5, Interesting

    Someone posts a gazillion bomb threats, and computers associated with OWS and other protests get seized.

    Awfully convenient.

    Any guess as to whether the bomb threats can be traced back to Langley or Ft. Meade?

    1. Re:Can You Say False Flag Opp? by WrecklessSandwich · · Score: 2

      Someone posts a gazillion bomb threats, and computers associated with OWS and other protests get seized.

      Awfully convenient.

      Any guess as to whether the bomb threats can be traced back to Langley or Ft. Meade?

      Put down your tinfoil hat. This person has more or less paralyzed a major university campus for an entire semester and the FBI barely has anything to go on. They already subpoenaed/questioned/arrested everyone they can find that's had a major quarrel with the school in recent memory (and one nutjob from the 80s). They're grasping at straws with the remailer services they know were used because they don't have any other leads and finals week is coming up.

      While we're at it, TFA is pretty vague on the facts. Riseup calls the seizure "an attack against us", when the seized server was owned and operated by ECN. At the same time, the top of the page says "Riseup had a server seized by the US Federal Authorities". Either these groups are more closely related than their press release makes clear, or they're being deliberately misleading. It also doesn't help their credibility that they clearly state that the FBI had a warrant (which, being a warrant, is signed by a judge), and then they turn around and call it an "extra-judicial punishment". It's unfortunate that they've been inconvenienced by the situation, but they're acting like the server is gone forever. Playing the victim when 28,000 people are having their (already paid for) education compromised and the FBI didn't break any rules is not a good way to garner sympathy.

    2. Re:Can You Say False Flag Opp? by DdJ · · Score: 1

      If you're a conspiracy-minded crackpot who uses "follow the money" reasoning, then another obvious possibility is Verizon or AT&T.

      Why?

      Every time one of these bomb-threat incidents happens -- and they've been happening multiple times a day every day for quite a while now -- Pitt uses their emergency notification infrastructure to coordinate communication about them. And that means text messages to thousands of students.

      (Because of the whole "in loco parentis" thing Universities have to deal with, and because of the aftermath of Virginia Tech, and for all sorts of other reasons some of which Bruce Schneier recently articulated talking about this very topic, Pitt does not have the realistic option of scaling back their response. The minute they react less seriously, they're potentially open to massive lawsuits -- and that's if nothing happens. If the jackasses are waiting for a weaker response before doing something real, well, Pitt might not survive the aftermath.)

      Reports indicate that multiple students who didn't previously have unlimited texting plans have now been forced to upgrade to unlimited plans. Follow the money...

      Of course, that theory for what's going on is absurd to the point of being laughable. Can't be disproven, no, but come on...

      It's almost certainly the case that some drunk undergrad asshat thought it would be funny to make a bomb threat anonymously, figured out how to push the buttons on the anonymous remailer while sitting in a public library, and did it. (Well, once the "scrawled on the walls of a men's room" vector had been shut down, which is how it all actually started.)

      Let it spread to the level of a minor in-joke meme among even a small number of such folks, and you'd observe something an awful lot like what we're actually seeing now. Much more likely than government conspiracy, anti-occupy conspiracy, or mobile operator conspiracy (though of course we can't disprove any of those).

      Until the masses of American citizens, especially and particularly the "helicopter parents" of current undergrads, are willing to accept a security environment that involves cost/benefit analysis and the acceptance of some actual threat, what can be done? And it doesn't look like they're ready to accept that any time soon. "Think of the children!"

    3. Re:Can You Say False Flag Opp? by WrecklessSandwich · · Score: 1

      Well, if you want to follow the money, it costs the school/state/FBI (not really sure who foots the bill initially, but paying it back will likely be part of the sentence in the end) a few thousand dollars to do a bomb sweep. I sadly don't have a link I can cite, but I heard that sweeping the Cathedral of Learning costs them $30,000 per bomb threat there due to the size of the building. I'm not even sure how to make a conspiracy theory out of that, but I'm sure someone here will find a way.

  11. pre-emptive visibility by Onymous+Coward · · Score: 1

    Could you develop a service for allowing anonymous communication that you gave the FBI pre-emptive visibility into without compromising the anonymity of the system?

    Allow the FBI to snapshot the whole hard drive and peruse it at their leisure any time they requested.

    Perhaps the FBI wouldn't trust you and your fancy transparency, but maybe you could make it plausibly accurate enough such that a server confiscation would be equal to an unwarranted attack from a legal standpoint.

    1. Re:pre-emptive visibility by Onymous+Coward · · Score: 1

      Sorry, I didn't make myself clear.

      The idea is that your system keeps no logs, as is typical for these anonymity-providing services, so the anonymity is preserved. And it makes this anonymity clear to the authorities by providing complete visibility into the hard drive contents at the FBI's requests. Voilà, law enforcement has no reason to take your server down. They're not going to get any additional information.

      The sticking points I see:

      • thermal freezing of RAM for memory recovery may make physical confiscation still desirable
      • the attackers may not believe the accuracy of your hard drive content reports
      • (ad hoc) hard drive reports may leak information and undermine anonymity
      • exact software state (which programs and versions being used and their configurations) may increase vulnerability to intrusion

      My intuition says it may be possible to overcome each of these.

  12. Anonymous vs anonymous by milbournosphere · · Score: 2

    From what I can tell, the service was providing anonymous re-mailer services, not re-mailer services to Anonymous. This being the case, they're not going after a service used by the hacker group; they're going after a service offering anonymous communications to your average citizen. Not cool, gov'mint, not cool.

  13. They had a warrant. by cpu6502 · · Score: 5, Interesting

    They followed proper constitutional procedure (for a change). So blame the judge not the fbi.

    --
    My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    1. Re:They had a warrant. by lbft · · Score: 1

      I blame the FBI for seeking a moronic warrant in the first place.

    2. Re:They had a warrant. by Chazerizer · · Score: 2

      And, in addition, the company who provided the service had agreed to cooperate with the investigation: http://www.post-gazette.com/stories/local/neighborhoods-city/internet-service-to-help-in-probe-of-pitt-threats-631734/ God that title is really misleading.

    3. Re:They had a warrant. by evil_aaronm · · Score: 2

      As little as I appreciate the FBI, you can't fault their approach. Always ask for more than you need: you might not get it - but then again, you just might.

  14. Why seize a server for more than clone time? by PeterM+from+Berkeley · · Score: 1

    Why should a server EVER be seized as "evidence"?

    Why not just have an FBI team come in, temporarily shut down the server, clone all the data, and then leave, and the server comes back up?

    --PM

    1. Re:Why seize a server for more than clone time? by TapeCutter · · Score: 1

      Even if goons knew how to clone the data onsite, the act of copying will open a huge can of worms in any subsequent court case, more so if you allow the owner of the server to do it. It's nothing new really, they did the same thing with filing cabinets long before server rooms existed. However there must be a better way to do it, courts routinely demand 'records' be handed over without sending the goons in to empty your server room.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    2. Re:Why seize a server for more than clone time? by Anonymous Coward · · Score: 1

      It's not an evidence thing. You can't show magnetized domains to a juror. That means _anything_ you put in front of them will be a copy. All that matters, then, is chain of custody of the "information"--that is, who copied what to where.

      They take the servers out of convenience. It's just plain easier to do forensics work in a lab.
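The chain-of-custody point in the comment above, and the image-the-disk step described in comment 57 of the earlier thread, as an added example that is not part of the original discussion: a tamper-evident custody log in which every transfer records the image's SHA-256 and is chained to the previous entry. The names, labels, timestamps and the sample "disk image" are constructed for illustration.

```python
import hashlib
import io
import json

CHUNK = 1 << 20  # read images in 1 MiB chunks so a large disk never sits in RAM
GENESIS = "0" * 64  # "previous hash" used by the first entry


def image_digest(stream):
    """SHA-256 of a disk image read from a binary stream."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry):
    # Canonical JSON (sorted keys) so the same entry always hashes the same.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_transfer(log, who, action, source, dest, digest, when):
    """Append a 'who copied what to where' entry chained to the previous one."""
    entry = {
        "seq": len(log),
        "when": when,
        "who": who,
        "action": action,
        "source": source,
        "dest": dest,
        "sha256": digest,
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Return a list of problems; an empty list means the chain is intact."""
    problems = []
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i:
            problems.append(f"entry {i}: sequence number is {e['seq']}")
        if e["prev"] != prev:
            problems.append(f"entry {i}: does not chain to previous entry")
        if _entry_hash(e) != e["entry_hash"]:
            problems.append(f"entry {i}: contents changed after recording")
        if i and e["sha256"] != log[0]["sha256"]:
            problems.append(f"entry {i}: image digest differs from acquisition")
        prev = e["entry_hash"]
    return problems


def demo():
    # Constructed stand-in for a seized drive's contents.
    original = b"\x00" * 4096 + b"constructed sample disk contents"
    log = []
    acquired = image_digest(io.BytesIO(original))
    record_transfer(log, "examiner-1", "acquire", "seized-drive", "image-A",
                    acquired, "2000-01-01T10:00Z")
    record_transfer(log, "examiner-1", "copy", "image-A", "image-B",
                    image_digest(io.BytesIO(bytes(original))), "2000-01-01T11:00Z")
    clean = verify_log(log)

    # Case 1: an entry is edited afterwards without redoing its hash.
    tampered_log = [dict(e) for e in log]
    tampered_log[1]["who"] = "examiner-2"
    tampered = verify_log(tampered_log)

    # Case 2: a later copy differs by one byte from what was acquired.
    altered = bytearray(original)
    altered[10] ^= 0xFF
    bad_log = [dict(e) for e in log]
    record_transfer(bad_log, "examiner-3", "copy", "image-B", "image-C",
                    image_digest(io.BytesIO(bytes(altered))), "2000-01-02T09:00Z")
    bad_copy = verify_log(bad_log)
    return clean, tampered, bad_copy


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "bad copy"), demo()):
        print(label, result)
```

The chain only proves consistency up to its last entry, so the final `entry_hash` has to be recorded somewhere the log's holder cannot rewrite, such as a signed evidence form.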

    3. Re:Why seize a server for more than clone time? by gweihir · · Score: 1

      From the message of the server operator, just the HDD was imaged and the server is up again with changed keys. Also, he wrote "the police", the term "FBI" is never mentioned in his messages.

      Seriously, people, maybe inform yourself about what is known before starting to complain?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. Collateral damage by nurb432 · · Score: 1

    Hey, we are in a war with something or other.. a little collateral damage is expected.

    Suck it up or get put on a dissident watched-list.

    --
    ---- Booth was a patriot ----
  16. Re:Did they at least manage to figure out what ser by evil_aaronm · · Score: 4, Funny

    Man, you would not believe the rush you get from going all commando on racks of servers. "Blink those lights funny at me, beeyotch, and I'll bust a cap right between your USB ports!"

  17. Re:Captain America: The First Bully by TapeCutter · · Score: 1

    The first may have been Goliath or God, definitely not Captain America.

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  18. Anonymous communication, a right? by jpapon · · Score: 1

    Is anonymous communication really a right? It's a relatively new thing in human interaction, is it really necessary, or beneficial?

    I'm not stating an opinion one way or the other, I'm honestly asking, what do we really gain from truly anonymous communication? The things we lose (i.e. accountability for things you say) are clear, so I'm just asking, what are the benefits to society?

    Isn't free speech enough? If we truly had the right to free speech, why would anonymity even be necessary?

    --
    -- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
    1. Re:Anonymous communication, a right? by evil_aaronm · · Score: 1

      I would argue that anonymous == private. If you don't know who's saying it, it doesn't really matter what's being said or who hears it: my ability to communicate with whomever is safe. To a point, of course. Giving up obvious tactical information, for example - "The Harlequin will attend the meeting at 10:00, dammit, on time!" - kind of defeats the purpose, if you're the Harlequin trying to evade capture. And, yes, I know he showed up early in that instance.

      In the Pitt case, one person is broadcasting to all and sundry and he's not hiding anything in the message. And his message is clearly unlawful and unsupportable. However, it doesn't have to be that way. It could be a message that's understood only by two people - "The monkeys are restless and my dog has fleas." - even if it is in the clear.

      I don't think I need to argue that private communication is an absolute must. Consider how well the American revolution, for example, would have progressed if every citizen was prohibited from communicating privately.

    2. Re:Anonymous communication, a right? by BitterOak · · Score: 1

      Is anonymous communication really a right? It's a relatively new thing in human interaction, is it really necessary, or beneficial?

      I guess that depends on what you mean by "relatively new thing", as Common Sense, the pamphlet distributed anonymously by Thomas Paine, who has been called the father of the American Revolution is more than 200 years old. As to whether or not such speech is beneficial or not, I suppose it depends, at least in part, on whether or not you think the American Revolution was a good idea.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    3. Re:Anonymous communication, a right? by currently_awake · · Score: 1

      If your government is doing something horrible and illegal and you tell (and they know it was you) they will punish you. If you can do this without them knowing who told everyone then they won't punish you. If you want to live in a free country you must have anonymity.

    4. Re:Anonymous communication, a right? by betterunixthanunix · · Score: 1

      Is anonymous communication really a right?

      It is in America, since it is vital to free speech. Unpopular minorities may be unable to exercise their right to free speech if they are forced to attach their real name to that speech. This country was founded by men who published documents anonymously.

      --
      Palm trees and 8
    5. Re:Anonymous communication, a right? by NeverSuchBefore · · Score: 1

      I'm honestly asking, what do we really gain from truly anonymous communication?

      Honest opinions. Privacy. Protection from those who would abuse us (including government, random criminals, and corporations, assuming you're even trying to be anonymous). The value of privacy should already be clear.

      The things we lose

      Losing things is okay if it's in the name of freedom.

    6. Re:Anonymous communication, a right? by robsku · · Score: 1

      Is anonymous communication really a right? It's a relatively new thing in human interaction, is it really necessary, or beneficial?

      I believe that anonymous communication is a right as long as someone can provide service to do that... And it's really not that new - consider how easy it has been for a long time to achieve relatively high anonymous communication via plain mail system... Sure it's not perfect, but a letter written using computer or electronic typewriter sent using different mailbox (not post office) for each letter provides quite a bit of anonymity, even though it can be easier to track the person than one tech savvy poster using anonymous proxies / tor, etc. and anon re-mailer.

      I'm not stating an opinion one way or the other, I'm honestly asking, what do we really gain from truly anonymous communication? The things we lose (i.e. accountability for things you say) are clear, so I'm just asking, what are the benefits to society?

      Isn't free speech enough? If we truly had the right to free speech, why would anonymity even be necessary?

      I think anonymous communication has a load of huge benefits... One pretty obvious example being activists in oppressive countries criticizing the system anonymously to avoid disappearing after men in black paying a visit. Yes, I believe anonymous communication should be a protected right.

      --
      In capitalist USA corporations control the government.
  19. Re:What other reason for anonymous remailers.. by evil_aaronm · · Score: 1

    Well, duh. Anyone using them must be a terrorist. People who don't hate America don't hide their communications. It makes it hard for the authorities to keep track of what everyone is doing. There's no good reason to want that, unless you hate America! /geezIhopenoonetakesthisseriously...

  20. FBI = DOS? by wjcofkc · · Score: 1

    I wonder if it has occurred to the FBI that by yanking a server with other individuals' and businesses' stuff on it, that they are conducting a DOS much like anonymous. It seems they played right into their hands even if it wasn't their intention to offer said hand. To the FBI: smooth move ex-lax.

    --
    Brought to you by Carl's Junior.
    1. Re:FBI = DOS? by the+eric+conspiracy · · Score: 1

      Crikey it's just an email forwarder. Replacement = installation of a new one in an hour or so.

    2. Re:FBI = DOS? by Skapare · · Score: 2

      And not only that, it is one that other mail servers have every right to refuse data or connections from if they want only communications which are fully traceable. Think about what objective exists by the FBI seizing a computer that was used (let's assume for sake of argument that this really was used in that way) to transmit these threats, but has no record of what was sent or where it came from. All it's doing is interrupting the ability to send anonymous mail. But specifically it interrupts the ability of the person making these threats from doing so. Is that a good idea? If it is, then why not configure the UofP computers to refuse connections from this or any other anonymous remailer. That should be just as effective. Why not just ignore the threats? These are all basically the same effect in that the threat maker is deprived of the communications.

      What are the implications of ignoring a threat? The threat might represent a real danger. Maybe there is a real bomb ... this time. Then ANY form of interrupting the communication represents the equivalent of ignoring the threat.

      I don't know what the best solution is. But we are currently acting irrationally out of insane public policy. On the one hand by not communicating we risk danger. On the other hand by communicating we real idle threats. We are our own problem and we need to find a solution to that.

      --
      now we need to go OSS in diesel cars
    3. Re:FBI = DOS? by Skapare · · Score: 1

      bad edits ... "real idle" should be "risk idle".

      --
      now we need to go OSS in diesel cars
  21. Can we get a little streisand effect? by mrmeval · · Score: 2

    Take your hacked router, your raspberry pi, your beagle board and fire up a remailer service off of some public wifi or other, run it off solar, coil leech, thermal gradient sucker, piezo traffic leech or whatever power you can get.

    Didn't someone do a patch to mixmaster so it could do hold and forward like fidonet?

    --
    I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
  22. Who will FBI the FBI ? by Taco+Cowboy · · Score: 5, Insightful

    "Look, We're the FBI. That means you're fucked, no matter what you do."

    The question that is begging to be asked is ---

    Who will FBI the FBI ?

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Who will FBI the FBI ? by Svartormr · · Score: 3, Funny

      "Look, We're the FBI. That means you're fucked, no matter what you do."

      The question that is begging to be asked is ---

      Who will FBI the FBI ?

      The FBFBII ?

    2. Re:Who will FBI the FBI ? by Anonymous Coward · · Score: 1

      The question that is begging to be asked is ---

      Who will FBI the FBI ?

      We the people. Right after American Idol.

    3. Re:Who will FBI the FBI ? by Genda · · Score: 1

      Who will FBI the FBI ?

      That would be the CIA, but don't ask, it's not part of their charter. If you want all the information on everybody, go to the NSA, of course then they have to shoot you, I'm sure you understand.

  23. There could still be evidence by elucido · · Score: 1

    Depending on how the machines are set up there could be evidence on them if they aren't properly configured.

  24. Re:Offtopic^2 by qubezz · · Score: 2, Informative

    This is not a Rush Limbaugh forum, and your retarded post has nothing to do with the topic. If you watch the BBC documentary Madagascar, Lemurs and Spies, you'll see that Gibson looks guilty as hell. A researcher working with an endangered group of Lemurs sees illegal logging in protected wilderness, and they get a hidden camera lawyer posing as an American wood buyer to go deep inside the logging operation, documenting the mass harvesting and lumber mills there producing pallets of fingerboard blanks with the Gibson front company name all over. The sawmill owner even brags on camera about what they are doing.

    By your logic, you would shut up and go away if the justice department put people at Gibson in jail. More likely, you would be here bitching about how another American company was shut down by the feds.

  25. Innocent business by MrShaggy · · Score: 1

    Could the businesses that are not on the warrant sue the Feds for the disruption of their businesses?

    Since in a sense they were not part of the names on the warrant.

    --
    I have mod points and I am not afraid to use them.
  26. Re:Bullshit, but with an extreme reason by MrShaggy · · Score: 1

    The entire usa can be summed up like this.

    WMD's.

    Weapons of Missing Destruction.

    --
    I have mod points and I am not afraid to use them.
  27. How remailers work by betterunixthanunix · · Score: 1

    There are twenty or so remailers that are active at any time. Typically people chain the remailers, so that no single system knows both the sender and receiver of a message. One remailer going down is not an uncommon event; a different remailer will be used to send the messages, and nobody will bat an eye.

    Maybe the FBI wants that to happen, so they can take down the entire network, one node at a time, with legal justification.

    --
    Palm trees and 8
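
The chaining described in the comment above, as an added example that is not part of the original post and is not Mixmaster's code: the sender wraps the message in one layer per hop, and each hop records only the neighbour it received from and the neighbour it forwards to. The hop names, addresses and per-hop symmetric keys are assumptions standing in for the per-node public keys a real remailer uses.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Toy SHA-256 counter keystream: a stand-in, not Mixmaster's real cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("layer was not sealed for this hop")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def wrap(message, recipient, chain, keys):
    """Sender side: one layer per hop, innermost first. Returns (first_hop, packet)."""
    next_hop, payload = recipient, message
    for hop in reversed(chain):
        layer = json.dumps({"next": next_hop, "body": payload.hex()}).encode()
        next_hop, payload = hop, seal(keys[hop], layer)
    return next_hop, payload

def route(sender, message, recipient, chain, keys):
    """Run the chain; record what each hop could have logged about the message."""
    hop, packet = wrap(message, recipient, chain, keys)
    prev, seen = sender, []
    while hop in keys:
        layer = json.loads(unseal(keys[hop], packet))
        seen.append({"hop": hop, "from": prev, "to": layer["next"]})
        prev, hop, packet = hop, layer["next"], bytes.fromhex(layer["body"])
    return seen, hop, packet

if __name__ == "__main__":
    # Constructed names and keys; real remailers use per-node public keys.
    chain = ["mixA", "mixB", "mixC"]
    keys = {h: os.urandom(32) for h in chain}
    for view in route("alice@example.org", b"hello", "bob@example.org", chain, keys)[0]:
        print(view)
```

With a chain of length one the single hop sees both endpoints, which is why the comment's point depends on chaining.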
  28. Re:Who the hell is relying on a single shared serv by Ash-Fox · · Score: 1

    They tell you in the summary.

    --
    Change is certain; progress is not obligatory.
  29. If You're Going To Host Stuff Like This... by Anonymous Coward · · Score: 1

    ...then make sure you ALSO host the servers for important things.

    Like the servers for the local sewage treatment plant, for example. I can see the conversation now...

    FBI: "Alright, we're taking this server. It's hosting a criminal "x" and we're going to confiscate it as evidence."
    Network Admin: "I don't think you wanna do that?"
    FBI: "Why not?"
    NA: "It would cause a shit-storm."
    FBI: "Hah! You're funny!"
    NA: *grins* "Yeah, ain't I a stinker?"

  30. a good reason to limit anon networks to P2P by Burz · · Score: 1

    ...bc they don't normally connect to regular Internet services.

    It's probably a foregone conclusion that Mixmaster and even Tor will be attacked by authorities (yes, even by 'free and democratic' regimes) because someone will use it to make meatspace threats.

    With a P2P only anonymizer like I2P, connections/proxies to the regular Internet are rare so the anon network as a whole is less likely to come under attack due to threats made by some hothead or provocateur. And threats made within the anon space are far less worrisome because the threat recipient is also protected by a significant degree of anonymity.

  31. Don't host in the U.S. by efalk · · Score: 1

    When are people going to learn? If your site is at all controversial, don't register it or host it in the U.S.

    1. Re:Don't host in the U.S. by Skapare · · Score: 1

      Host it where? North Korea?

      --
      now we need to go OSS in diesel cars
    2. Re:Don't host in the U.S. by Pope · · Score: 1

      I remember using anon.penet.fi back in the 90s for posting to Usenet, since my university at the time didn't allow posting for non-CS majors. http://en.wikipedia.org/wiki/Penet_remailer

      Lesson: don't mess with Scientologists or retarded newspaper editors.

      --
      It doesn't mean much now, it's built for the future.
  32. Re:Bullshit, but with an extreme reason by Skapare · · Score: 1

    Maybe the university should shut down getting emails from whatever IP addresses these threats are coming from? Seems that would be basically the equivalent of taking out the remailer server, except that it doesn't have the collateral effects, and doesn't have the risks of the remailer being replaced.

    I'm assuming the IP addresses are not random. If they were, taking out ONE remailer would not stop the threats.

    --
    now we need to go OSS in diesel cars
  33. Re:Who the hell is relying on a single shared serv by Skapare · · Score: 1

    One server can do quite a lot, especially if you ditch Windows and put BSD on there.

    --
    now we need to go OSS in diesel cars
  34. A comment from Riseup by Anonymous Coward · · Score: 1

    The server that was seized does not have any Riseup data on it. The machine was operated by the European Counter Network ("ECN"), an Italian technology collective. To repeat: no Riseup service or user data is on this machine. No Riseup keys or certificates are on the machine. Furthermore, the root filesystem of this machine is encrypted.

    Full press release: https://riseup.net/seizure-2012-april

  35. Lesson to learn by aaaaaaargh! · · Score: 1

    People might point out that with a search warrant this could have happened anywhere, but this is not entirely true. It seems that in the US servers are more and more often seized as a sort of harassment in cases like this, where it is clear that no useful evidence can be obtained.

    Sorry if this offends a few alleged 'patriots', but the lesson to learn from this story is once more:

    Do not host your software or potentially controversial content on US servers or servers run by US companies!

    1. Re:Lesson to learn by RockDoctor · · Score: 1

      Sorry if this offends a few alleged 'patriots', but the lesson to learn from this story is once more:
      Do not host your software or potentially controversial content on US servers or servers run by US companies!

      Why on earth would that upset approximately 96% of patriots?
      Patriotic Albanian ? No problem.
      Patriotic Algerian ? No problem.
      Patriotic American ? Possible problem, though for the life of me, I can't see how pointing out that some part of the government is acting reprehensibly is necessarily going to be upsetting to a patriot. Unless that patriot also accepts the argument that their government's behaviour constitutes the country's only grounds for self-esteem. To quote a more realistic Zimbabwean colleague, "our government are murdering bastards, but I miss the beauty of the veldt".
      Patriotic Belgian? Pas de probleme.

      ...
      Patriotic Zimbabwean ? No problem.

      Now, whether American patriots find it embarrassing that their government is acting to suppress free speech and privacy while theoretically supporting those freedoms ... is a problem for them to worry about. To me, the concept of governments behaving hypocritically is reprehensible, but is so absolutely normal that it is the exceptions which surprise me.

      Personally, I prefer to not spend any money in America - let them starve ! - but even if that were insufficient reason, then distrust of American spying would be another completely sufficient reason to not consider using any American service or business.

      None of which invalidates your general message that content or services likely to be embarrassing or controversial to Government X (and/or their associates and paymasters) should not be hosted in Territory X or with companies susceptible to pressure from Government X.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  36. Survival of the fittest or.... by 3seas · · Score: 1

    .... lowest common denominator rules the world?

  37. Re:Wikileaks case by bmo · · Score: 1

    This is edited to show my thinking while I was writing this.

    All the data that Johnson was able to retrieve from un-allocated space came after that overwrite, he said.

    Not even enough information in this quote to tell if he got the data from the overwritten part or a part that failed to be overwritten or even if the zero wipe even finished.

    It is likely that whoever tried the wipe did it wrong both times. A "Gutmann wipe"? That just screams stupid.

    ******revisit the above quote and think about it more *******
    Wait...what?

    said he found 14 to 15 pages of chats in unallocated space on the hard drive

    unallocated This is used more than once in the article. It's not a mistake.

    Unallocated? That's a specific term in reference to partitioning. That means an "empty" space that's not available as a partition to read from or write to. It's unavailable to normal OS processes. He reformatted and reinstalled the OS. If he repartitioned too, it is likely he didn't set up the partitioning exactly the same way and wound up with a dead spot that was unallocated to any partitions. A zero wipe of free space is going to only write to the end of the partition and no further.

    It's easy to have unallocated space. I've got some on this laptop because of partition boundaries not landing in neat areas.

    You can run whatever regular wipe tool you want. If you tell it to wipe /dev/sda1, it's only going to wipe /dev/sda1. Whatever is on either side of that as unallocated space, doesn't get touched.

    --
    BMO
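
The partition-boundary situation the comment above describes, as an added example that is not part of the original post: it parses an MBR partition table and lists the sector ranges that lie outside every partition, which a wipe scoped to a single partition device never writes to. The disk size and partition layout are constructed sample values, and only primary MBR entries are handled (no GPT or extended partitions).

```python
import struct

SECTOR = 512

def parse_mbr(mbr: bytes):
    """Return sorted (start_lba, sector_count, type) for each used primary entry."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature 0x55AA")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count:
            parts.append((start, count, ptype))
    return sorted(parts)

def unallocated_gaps(parts, disk_sectors):
    """Sector ranges (start, length) outside every partition; LBA 0 is the MBR."""
    gaps, cursor = [], 1
    for start, count, _ in parts:
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps

def make_mbr(entries):
    """Constructed sample: build a 512-byte MBR from (start, count, type) tuples."""
    mbr = bytearray(512)
    for i, (start, count, ptype) in enumerate(entries):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,
                         0, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

# Constructed layout: 1,000,000-sector disk, two Linux partitions that leave holes.
SAMPLE_DISK_SECTORS = 1_000_000
SAMPLE_MBR = make_mbr([(2048, 400_000, 0x83), (409_600, 500_000, 0x83)])

if __name__ == "__main__":
    gaps = unallocated_gaps(parse_mbr(SAMPLE_MBR), SAMPLE_DISK_SECTORS)
    for start, length in gaps:
        print(f"LBA {start}..{start + length - 1}: "
              f"{length * SECTOR} bytes outside any partition")
```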