FBI Compromises Another Remailer

betterunixthanunix writes "Another remailer has been compromised by the FBI, who made a forensic image of the hard disk of a remailer located in Austria. The remailer operator has reissued the remailer keys, but warns that messages previously sent through the remailer could be decrypted. The operator also warns that law enforcement agents had an opportunity to install a back door, and that a complete rebuild of the system will take some time."

wtf fbi

[X0563511]

Why the fuck are you intruding into and altering foreign systems? That's not your fucking jurisdiction or job!

Leave that shit to the intelligence agencies, if someone must do it.

Re:wtf fbi

The local authorities probably granted FBI access. The FBI didn't walk in by themselves.

Re:wtf fbi

[hendridm]

If you read the thread, it was Austrian authorities that took the image at the request of U.S. authorities.

Re:wtf fbi

Stupid poster... do you or anyone else really think a whole nation is responsible for the acts of a few? How about we all realize the reason for the world wide protests is due to the common element of simply being damn fed-up with the lying cheating dishonest few who are in command positions to do nothing more than threaten and apply the ignorance of brute force.

Re:wtf fbi

[X0563511]

If that's true, I don't understand how this (from the summary above) is possible: "The operator also warns that law enforcement agents had an opportunity to install a back door"

Unless they just installed the backdoor into their image, for some reason. They would have had to have access to the live system to do this part.

Re:wtf fbi

Austrian Law Enforcement took a disk image, meaning they had direct access to the server. The Austrian's did this at the behest of the FBI. So yes, law enforcement could have installed a backdoor while they had access.

Re:wtf fbi

ASSISTANCE REQUEST

To: Federal Bureau of Investigation
From: Sealand Government

Please provide us soonest with hard drive images of the MegaUpload servers and RAID configuration parameters.

Thank you.

Re:wtf fbi

[betterunixthanunix]

Read the post; they did have access to the live system. The operator does not think it is likely that a backdoor was installed, but as a security precaution has indicated that the system will eventually be rebuilt (probably with new keys issued).

Re:wtf fbi

[a90Tj2P7]

They didn't. No one did. The admin just told everyone "Depending on how paranoid you are, you may assume the machine is backdoored, since the authorities have had access".

Re:wtf fbi

1) Read the link first before freaking out. Austrian police did it at the request of the FBI.
2) While there are no details about why this occurred, the owner of the remailer suspects it has something to do with the bomb threats that have been happening for weeks now at the University of Pittsburgh. These threats are being delivered through the remailers and it would appear they hope to find information that might lead them to the individual responsible. In that case, this isn't a unilateral action to see what crime they can sniff out, but rather part of an active criminal investigation.

I'm not necessarily defending what the FBI is doing, but this article doesn't do much more than invoke FUD in the /. reader base by not elaborating.

Re:wtf fbi

Stupid poster... do you or anyone else really think a whole nation is responsible for the acts of a few?

Last time I checked the U.S. is a democracy and the rest of the world does not consider the U.S. population to be oppressed.
If you don't want the world to hate the U.S. population I suggest that you get your ass up from your chair and try to convince your neighbours to vote for someone who is better than "The lesser evil."
After all, the more people to hate the U.S. the greater is the risk that a few of them are complete nutjobs that are willing to blow themselves up to change things...

Re:wtf fbi

[Mindscrew]

The U.S. is not a democracy.

The U.S. is a Democratic Republic. Your vote is simply there to elect a representative of "the people". That elected person then votes how they see fit.

Its how easy these elected people can be payed off that's that problem.

Even "your" candidate is most likely being paid by somebody with a lot of money and an agenda.

Re:wtf fbi

[skywire]

You are so naive. Democracy is merely the latest in a line of mechanisms used to legitimize the state in the eyes of its subjects. If one could actually change the policies of the state by "trying to convince your neighbours to vote for someone", then the ruling elite would have to turn to a new legitimization mechanism. One can hardly be held morally responsible for the acts of others over whom one does not exercise agency or coercive influence.

Re:wtf fbi

[bravo_2_0]

You are right that the U.S. is not a democracy but it is NOT a Democratic Republic. It's a Constitutional Republic.

Re:wtf fbi

[MrLizardo]

In a pure democracy the people vote for *laws* not representatives. That's why the US is considered a Democratic Republic (or a *Representative* Democracy). It has nothing to do with the voting method and *everything* to do with what people get to vote for.

Re:wtf fbi

[Jawnn]

International law enforcement agreements say otherwise....

Whoosh...

Re:wtf fbi

[Jawnn]

You are right that the U.S. is not a democracy but it is NOT a Democratic Republic. It's a Constitutional Republic.

On paper, perhaps. In reality, it is rapidly becoming a fascist republic.

Re:wtf fbi

[houghi]

The U.S. is a Democratic Republic.

So that is why the 3 letter agencies look so much like the Stasi.

Re:wtf fbi

And through partisan gerrymandering and constant corruption, the USA isn't even a representative democracy any more, it's a corporate oligarchy.

Re:wtf fbi

[Joce640k]

I think local authorities might have issued a court order requiring a set of messages to be decrypted.

Not too many people have problems with following court orders for genuine criminal investigations. It's the mass-scanning, fishing expeditions they have a problem with.

The old KGB/Stasi bosses must be having a real laugh at the way the USA is acting lately. Read all your mail, demand papers and feel you up before you can travel anywhere, more people in prison than any other country.

Americans used to joke about all that sort of stuff but guess what...?

Re:wtf fbi

[Paracelcus]

So, you vote for "ratfuck A" instead of "ratfuck B", cause "ratfuck A" made rediculous promises that appeal to you even though you know that "ratfuck A" won't keep them! Also "ratfuck A" belongs to some ethnic/socio-economic group that makes you just "feel good" to vote for!

But in reality ALL "ratfucks" are essentially the same, taking money from the same masters who ultimately control them! And that is ultimately the real truth, no matter which one you vote for it will always be the same!

Re:wtf fbi

[Paracelcus]

That's what empires do!

Re:wtf fbi

[HiThere]

Y...One can hardly be held morally responsible for the acts of others over whom one does not exercise agency or coercive influence.

Sorry. That statement is historically incorrect. The accurate statement would be: "One should hardly be held morally responsible for the acts of others over whom one does not exercise agency or coercive influence"

Re:wtf fbi

[HiThere]

So if there are two candidates, and you vote for the one who promises to end an injustice, then you are responsible when he doesn't end it?

That statement is itself an act of injustice.

Re:wtf fbi

[Requiem18th]

Relevant video http://www.youtube.com/watch?v=Mky11UJb9AY

Re:wtf fbi

[Tyndmyr]

The FBI is a member of the US intelligence community. It IS an intelligence agency. You could learn this trivially quickly on wikipedia.

Re:wtf fbi

[ericloewe]

How does that relate to my comment?

Though I must say, you don't seem to be far from the truth. Still, same outcome if you vote for someone who votes for someone else as if you vote for that someone else directly.

Re:wtf fbi

[mindbuilder]

US law now allows the military to imprison you for life without trial. See the NDAA. or http://www.youtube.com/watch?v=AKaTxjxnYfE This was signed into law by Obama. There is an exemption for American citizens from the requirement that the military take them to Guantanamo Bay, but the exemption is only to the requirement, the military still has the OPTION to imprison you forever without trial. The law says it is only for suspected terrorists, but the law only requires suspicion, not proof, and anyone can be suspected of being a terrorist. It has been claimed that there is a requirement for one hearing before a judge but I haven't seen that in the law. It boggles my mind that Congress and Obama think it is a good idea to make it legal for the military to secretly snatch you in the middle of the night and imprison you for life without trial on mere suspicion.

Re:wtf fbi

[StrongAxe]

I see you have a fine intuitive understanding of the American political system.

Re:wtf fbi

[CrimsonAvenger]

The FBI is a member of the US intelligence community. It IS an intelligence agency. You could learn this trivially quickly on wikipedia.

Nonetheless, the FBI is supposed to be about INTERNAL law enforcement, not foreign intelligence.

On the other hand, they're what we have for a national police force, so it's possible that their mandate allows this sort of thing, assuming cooperation by local law enforcement.

Re:wtf fbi

[Cow+Jones]

I'm really upset by this. As an Austrian, I'm appalled that our courts would issue an order to clone the complete disk of our Mixmaster node (btw, yes, I know the maintainer personally). The Pittsburgh bomb threats are serious business, and I'd like nothing more than see these "pranksters" (as they see themselves) brought to justice for what they've done. But that doesn't mean that everybody else's secrets have to be exposed at the request of a foreign nation. Where do you draw the line? Which nations can request the data on our servers, and what reason would be strong enough to grant the request? Are the US special in some way? What if the Saudis heard of an unmarried woman having cyber-relations over Mixmaster? What if China wants to track down dissidents?

This shouldn't have been allowed.

And don't forget, so far we've heard of two compromised Mixmaster relays in two weeks. I'm sure that there are others that we'll never hear about, in addition to the ones run by the US agencies in the first place. There is a very real chance that the FBI will soon have collected enough keys to decrypt and follow a significant percentage of Mixmaster-anonymized mails.

Who gives these people the right to snoop into the affairs of thousands of unrelated people in other nations? I know, in this case the answer is: the Austrian courts gave them the right. That's why I'm so upset. The FBI can't be blamed for trying, but small as our country is, we shouldn't have bowed down so readily.

CJ

Re:wtf fbi

[skywire]

Touché.

Re:wtf fbi

[currently_awake]

Can the Austrian police legally give the FBI a copy of the server? Doesn't the EU have privacy laws against that?

Re:wtf fbi

[StikyPad]

It is NOT semantics, it is a meaningless argument over the words used to define something that is not clearly definable.

From your own fucking link: Also, a representative democracy may or may not be a constitutional republic. For example, "the United States relies on representative democracy, but [its] system of government is much more complex than that. [It is] not a simple representative democracy, but a constitutional republic in which majority rule is tempered by minority rights protected by law."

Re:wtf fbi

[Paracelcus]

Sorry, what I meant was that a "representative republic" vs "direct democracy' argument is specious, when you consider that the potential outcomes are a forgone conclusion!

Another question

Did they manufacture any "evidence" in the process?

Re:Another question

[Jeng]

The remailers are not the target, it's users are.

Re:Another question

[Jeng]

At this point they are gathering evidence, it is usually once evidence is gathered and found lacking that they would manufacture evidence. They don't even know at this point whom they would have to manufacture evidence against.

Why contaminate a perfectly good case with manufactured evidence when it's not needed?

Re:Another question

[Thud457]

That sounds like a lot of work.

Can't they just claim they have evidence but they can't show it to you because it's secret?

Re:Another question

[Jeng]

I believe they can, but they first have to find out who you are and that is the stage they are at now.

"Could be decrypted"

[Beryllium+Sphere(tm)]

Not if they were encrypted to the end recipient's public key. If not, they were plaintext in transit and possibly on the ISP's server.

Re:"Could be decrypted"

[Hatta]

Indeed. I'm not terribly familiar with anonymous remailers, so I don't understand what the keys are for. Why does an anonymous remailer need encryption keys in the first place? If I send them an email, asking them to resend it somewhere else, and they don't log who sends them email, isn't that enough to provide anonymity?

Re:"Could be decrypted"

[betterunixthanunix]

If I send them an email, asking them to resend it somewhere else, and they don't log who sends them email, isn't that enough to provide anonymity?

What if your connection is being watched?

In practice, people will chain two or more remailers, so that no single remailer knows both the sender and the recipient of a message. Encrypting the messages with each remailer's key is fundamental to this, so that the commands send to one remailer cannot be recorded by another.

Re:"Could be decrypted"

[arth1]

Indeed. I'm not terribly familiar with anonymous remailers, so I don't understand what the keys are for. Why does an anonymous remailer need encryption keys in the first place? If I send them an email, asking them to resend it somewhere else, and they don't log who sends them email, isn't that enough to provide anonymity?

No. If you e-mail the remailer unencrypted, DHS/NSA/FBI can snoop the e-mail en route to the remailer, seeing what you wrote and who you sent it to.
If you send the e-mail encrypted to the remailer, the agencies won't know what's in the e-mails or who it goes to.

Re:"Could be decrypted"

[drinkypoo]

If you send the e-mail encrypted to the remailer, the agencies won't know what's in the e-mails or who it goes to.

No, they may well know who it goes to, because the system's keys may have been compromised, and the system needs that information to send your mail. By snooping your connection (If you are a person of interest) they know which mail you sent through comparison. The only thing they don't know is what's in the email.

Re:"Could be decrypted"

[betterunixthanunix]

Which is why people typically send messages through remailer chains, to make that sort of attack harder. Yes, they could just compromise the whole system, which is why the low number of remailers in operation is so troubling.

Re:"Could be decrypted"

[Herr+Brush]

No because plain text emails could be intercepted entering and leaving the server.

Re:"Could be decrypted"

[Hatta]

What if your connection is being watched?

Oh, der.

Re:"Could be decrypted"

[oxdas]

If this is related to the emailing of bombing threats, then the emails are in plaintext (because the recipient won't have the key). I am guessing the encrypted part is information about the origin of the email. Potentially the remailer encrypted the email when passing between remailers or perhaps they use an encrypted tunnel or something to communicate. The FBI probably needs information from their servers to determine who was the last remailer in the chain. The FBI will probably need to seize the records of several companies to ultimately track back the email's origin.

I don't know much about this business, though, so this is pure speculation on my part.

Re:"Could be decrypted"

[betterunixthanunix]

Except that a compromise of both remailers would kill the system, and the FBI has demonstrated that compromising two remailers is not all that difficult. Ideally, there would be hundreds of remailers and many nym servers, so that a single remailer being compromised would be no big deal; unfortunately, there are not enough people in the world willing to run a remailer.

Remailers

So, are there any remailers in countries that don't have reciprocal juristictional arrangements with the USA?

Re:Remailers

[SirWhoopass]

So, are there any remailers in countries that don't have reciprocal juristictional arrangements with the USA?

Iran. North Korea. Syria. China... maybe? They might cooperate with the FBI depending on the target. Same with Russia. Are you looking for a country that doesn't have reciprocal arrangements, but that will also respect your privacy? I doubt it.

Re:remailer?

[Jeng]

I'm going to take this opportunity to post a link to information about remailers, but I think you are an idiot for asking.

http://www.andrebacard.com/remail.html

Re:remailer?

[SJHillman]

An anonymous remailer is a server that receives messages with embedded instructions on where to send them next, and that forwards them without revealing where they originally came from.

http://en.wikipedia.org/wiki/Anonymous_remailer

Re:remailer?

[X0563511]

Lets break the word down for you:

[re]-[mailer]

I'm sure you can figure it out from there. If you still can't, go here.

So what this really says.....

[3seas]

....is that the FBI is a criminal organization.

Anonymous remailers are set up for reason of protection of those with information they want to get out but can as well suffer from a repressive regime, otherwise risking death if not done anonymously. Even universities of law have set such remailer up in respect of the law, ethics and democracy.

Perhaps there is a jail cell next to Bradly available for these. Naw.... not a chance.... somebody is going to die and that will make it ok.

What an upside down world we live in... Ready to flip it right side up?

Re:So what this really says.....

[betterunixthanunix]

Making forensic copies of remailer disks, seizing remailers, etc. are not going to help them catch the guy who is sending these messages. Look at TFA -- the remailer operator simply reissued the keys. Taking a remailer offline is even more useless -- the FBI misses the opportunity to log messages travelling through the remailer, and to work their way backward through the remailer chain.

If the FBI were serious about catching this guy, they would not be making such a public spectacle -- the sender is going to stop using the remailer system, or else the sender is already relying on more than just remailers (e.g. Remailing through Tor from an open Wifi access point). The point of these high-profile raids is to attack the remailer system head-on; law enforcement agencies generally want to shut down anonymity systems, and these bomb threats present the perfect opportunity to attack the system with legal justification.

Re:So what this really says.....

[Baloroth]

Making forensic copies of remailer disks, seizing remailers, etc. are not going to help them catch the guy who is sending these messages. Look at TFA -- the remailer operator simply reissued the keys. Taking a remailer offline is even more useless -- the FBI misses the opportunity to log messages travelling through the remailer, and to work their way backward through the remailer chain.

If they have copies of emails sent through the remailer prior to the raid, yes it will. It won't help catch future messages, but that isn't the point: the point is to break encryption on emails they already have in their possession. Reissuing the keys won't change the encryption used on those messages.

Also, I don't think they can not make a spectacle: the request to image the disks has to go through official channels or they risk major legal problems later, which means people are going to know about it.

Crime

[DaMattster]

So, effectively, the FBI has just committed a crime. They have intruded into the server of a foreign company and added a backdoor. I am surprised Austria is not up in complete arms over this. Anonymity in of itself is not a crime so the FBI really behaved egregiously!

Re:Crime

[v1]

the problem here is that the US is *known* to be storing ALL email traffic that routes through the united states. Sounds like a daunting task, but there's a reason they have all these big high security data centers all over the place and have "high security rooms" at all the telcos and large ISPs. That traffic gets siphoned off to their data centers for storage for later in case they need it. There's a simple reason why those places have petabytes of storage.

So there is never a question of "but they'd have to have been watching for that email last week/month/year and it's long since been sent and removed from caches". No. They have it. They have them all, just in case. Watch Enemy of the State. Watch how they pull up satellite footage from hours and days ago. Same principle here, if you can record everything, it works like a time machine. (for the past anyway)

So yes, busting down a door and taking the remailer keys gives them 100% access to 100% of the traffic that has been sent by that remailer at ANY point in the past where it crossed through a US ISP.

The truly disgusting part of this is they got the KEYS. Technically all they NEEDED was to hand over the encrypted message to the AU authorities, they break down the door and use the key to decode the message, and turn over the message, then wipe their copy of the key. That would be the "proper" way to do it, not to abuse the system, but instead they handed over the KEYS themselves, and now the US can decrypt truckloads of hard drives of emails that they have NO business having access to. That is the true crime here. It's like having a legal reason to subpoena a safe deposit box at a bank, and the bank hands them over a master key that opens every box in the vault and lets them look through anything they want. That's just WRONG.

Every time someone sends a bomb threat they can pull this stunt, it's like christmas over at the NSA, "we got another key! lets see what goodies we can find!" Talk about an incentive for abuse... Normally I don't go "tinfoil hat" on things, but THIS is actually an instance where I could start to buy into someone suggesting the NSA/etc forging a bomb threat just to get access to another random footlocker of encrypted data they want a peek at.

Re:Crime

[a90Tj2P7]

So, effectively, the FBI has just committed a crime. They have intruded into the server of a foreign company and added a backdoor. I am surprised Austria is not up in complete arms over this. Anonymity in of itself is not a crime so the FBI really behaved egregiously!

They did neither. The Austrian authorities, at the request of the FBI and in compliance with international agreements, created a bit copy of the hard drive. The whole point of a whole disk copy like that is that you DON'T access the original, and therefore can't compromise the evidence or lose/overwrite files/properties. There's no proof of any backdoor being installed, the admin just said that since they had the server they could possibly installed one.

Re:Crime

[bws111]

Couldn't even bother to read the first paragraph of the article, eh?

Today, the police arrived with a court order that allowed them to
create a forensic disk image of the austria remailer. This apparently
was on request of the US authorities, related to the Pittsburgh bomb
threats. (emphasis mine)

It was the Austrian police who had a valid court order who 'intruded'. As for the 'added a backdoor':
Depending on how paranoid you are, you may assume the machine is
    backdoored, since the authorities have had access.

Doesn't say the FBI ever had access. Doesn't say there IS a backdoor, just that if you're paranoid yo umay assume there is one.

Re:Crime

[OzPeter]

Technically all they NEEDED was to hand over the encrypted message to the AU authorities

But what would the Australian authorities be doing with an Austrian server?
 
When will people learn that .AT has the mountains and .AU has the kangaroos?

Re:Crime

[betterunixthanunix]

So yes, busting down a door and taking the remailer keys gives them 100% access to 100% of the traffic that has been sent by that remailer at ANY point in the past where it crossed through a US ISP.

It also gives other remailer operators a chance to reissue their keys and destroy the old keys -- which is basically what needs to happen when you have an agency going around demanding disc images like this. I am not aware of this happening, though.

Re:Crime

[mehrotra.akash]

Do they really store ALL email traffic, or just profile and store from selected accounts?
The 3GB of mails from my GMail consisting of newsletters and college projects, and millions of other accounts like mine: arent they essentially useless and a waste of space for them?

Re:Crime

Do they really store ALL email traffic, or just profile and store from selected accounts? The 3GB of mails from my GMail consisting of newsletters and college projects, and millions of other accounts like mine: arent they essentially useless and a waste of space for them?

Suppose you had a yottabyte of disk storage. 3GB isn't just a drop in the bucket, it's not even a grain of sand at the beach.

Car Analogy: Most of us break the odd traffic law every now and then. Very rarely, does anybody get caught. At the instant Officer Friendly pegs you on radar doing 35 in a 30 zone, he'd very much like to be able to check your driving history. If there were a giant database of everyone's GPS logs, he could tell whether you were just in a hurry that morning, the sort of driver who usually drives precisely 4 (or 9) miles an hour over the posted speed limit, or if you do 120 in a 60 zone whenever there aren't any cops around. If Officer Friendly had access to that data, he'd be better able to judge whether or not to pull you over.

For speeding, it's not worth logging the movements of every car and correlating them with local speed limits at the time the log was written.

For other things, it probably is.

From NSA's point of view, right now your gmail account is noise. But everyone's political views change over time as a natural part of the process of growing up. Sometimes things go wrong, and perfectly normal people who hold perfectly normal views turn into monsters. There's a 99.99999% probability that you're not one of them. But for the sake of 3 lousy gigs out of a yottabyte, there's a 100% chance that someone's 3GB of noise will contain signal.

Since they don't posess a time machine that can peer into the future, they don't, and can't, know whose 3GB-of-noise will eventually contain a signal 20 years from now. But 20 years from now, they will have a time machine that can peer back 20 years into the past.

Re:Crime

[dave420]

The Austrians did it, and they didn't install a backdoor. So basically you're crying about something that didn't happen.

Re:Crime

They have them all since ~2006. Alleged source: http://www.democracynow.org/2012/4/20/exclusive_national_security_agency_whistleblower_william
No source to this: they have quite a few of emails never passed US territory. Google the Atlas and Atlas II systems (collecting emails at a few hundred points world wide, with the pretext to identify spam).

Re:Crime

[Raenex]

Couldn't even bother to read the first paragraph of the article, eh?

THIS... IS... SLASHDOT!

Re:Crime

[Jeng]

Problems with that sort of data mining is the enormous amounts of information one would have to store to hopefully have some information that is helpful, and you don't always know what is going to be helpful.

As an example I have stated in numerous topics that there are few prominent people I would like to see shot, therefor it makes sense for the government to then begin logging all my posts with the thinking that if I did plan on doing something or I did something already they would already have a case against me ready to go.

The problems happen when hundreds of thousands of people or more start saying these things, then exactly what they want to look for ends up being noise.

Re:Crime

[flonker]

There is a simple solution to this. Encrypt each connection to a remailer using an authenticated transient key. Something like SSL. I don't know if it's being done or not, but it seems pretty obvious, and it definitely protects against eavesdroppers gaining the key and decrypting past messages.

other interesting questions raised

[nimbius]

include could the FBI briing a rogue remailer online using the image?
why wasnt full disk encryption used in this case to store the private keys?
in my opinion everything from the case fans to the bolts in the mounting rails on this server are now tainted. Sell it on ebay and build a new one.

Re:other interesting questions raised

[betterunixthanunix]

include could the FBI briing a rogue remailer online using the image?

How would the image help them? The FBI can set up a honeypot remailer any time they want, with or without the secret keys of another remailer.

why wasnt full disk encryption used in this case to store the private keys?

Elsewhere in the thread the operator stated that had WDE been in use, he would still have given the police his key. Why would a remailer operator allow himself to be arrested just to protect strangers?

in my opinion everything from the case fans to the bolts in the mounting rails on this server are now tainted. Sell it on ebay and build a new one.

That is why the system cannot just be rebuilt overnight; parts must be procured, software must be obtained from a trusted source, etc.

Threat trails...

According to the link discussion, this came about as the result of a Pittsburgh bomb threat, as authorities try to trace the original sender.

Copying a whole hard disk seems a bit much. Especially since it's a foreign country. I guess if it were US, they would sieze the hardware instead. Still, I have to wonder about collateral data that went through that remailer. Say they find something unrelated but illegal. Jurisdiction go out the window here, or is the US really the gonna be world cop for the Internet? Or at least, only when it upsets them.

Signal to Noise

I hope others here and around are helping do their part, sending meaningless noise messages through the reamailer networks.

Re:remailer?

[Jeng]

I don't expect everyone to know everything about every topic, but I do expect people to make the effort to find out what something is before they put out a request for information.

And no it is not betterunixthanunix's fault that people viewing a news for nerds website can't figure out what a remailer is. A basic grasp of english tells you what a remailer is, and if you do not have a basic grasp of english you should be used to looking up words when viewing an english language website.

FBI & Technology

[Reasonable+Facsimile]

When I read the summary ("... forensic image of the hard disk"), I pictured an agent standing over a server taking a photo of the HDD (with a Polaroid camera).

Nothing would surprise me after reading this.

Re:remailer?

[Zero__Kelvin]

No. In the view of every competent Slashdotter out there, anyone who is ignorant enough to post the question here rather than using this handy little tool is an idiot.

Re:Are some of u spammers?

[Zero__Kelvin]

Because anonymous remailers are not designed and implemented for the use of Spammers any more than the Internet was. By your logic: Spammers use anonymous remailers so taking them down is good, and Spammers use the Internet, so taking it down is good. See the problem there?

Oblig. Austrian

[PPH]

"I'll be back!"

Life imitates art, because when he came back, he was pwnd by Connor.

Re:remailer?

[X0563511]

And nothing of value was lost.

Why was the key not in secure crypto processors?

[realxmp]

If we're going to trust these remailers then we need to do things properly. Key goes into the crypto processor, never comes out. Means someone can't just seize your server and image it then use that image to decrypt all traffic that passed through. If they want to try and get it out, fine but they'll need a guy with an Electron microscope to do so and they'll likely trip the tamper measures and bye bye key. If you're particularly paranoid you can even destroy your copy of the key once you've loaded it, this might mean changing your key if you have to move servers but it means that the service you offer is truly tamper evident. Plus you also have the added bonus that a dedicated hardware security module is usually quicker than your processor at doing encryption/decryption.

FOIA Request

Can I send in a FOIA request to get back that important email that I lost last week when my hard drive failed?

Backdoor

[Githaron]

While I realize this was not a US server, I am curious. Can the FBI legally install a backdoor into a US server without a warrant to specifically do so? I would assume not. Of course, I guess that wouldn't keep the FBI from illegally installing a backdoor.

Re:Backdoor

[timeOday]

Maybe they have a secret warrant? Maybe they don't have a warrant but intend to retroactively get one in the future by notifying a judge within the next 72 hours? Since 911 we are living in Jack Bauer land. Better hope the Good Guys never lose their moral compass.

Re:Backdoor

[Thing+1]

Since 911 we are living in Jack Bauer land. Better hope the Good Guys never lose their moral compass.

IIRC near the beginning of season 2, Jack Bauer killed a suspect in custody. I think the good guys lost their moral compass years ago... (Besides, what "good guys"? The government is just the last thug standing.)

email scrutinized and retained by third parties

[cmdurrett]

For private communication use postal mail.

Re:remailer?

[JasterBobaMereel]

Encryption keys were lost ...

Accountability works both ways

[sirlark]

In a democracy, just as the government is meant to be accountable to the people, the people are accountable for the government they choose. Democracy doesn't stop at the ballot box. This is something noone seems to get. Why does everyone hate Americans? Because of what their government does. And they keep on putting assholes in charge. Sure, not every American voted the same way, but as a democracy you (theoretically) have the power as a population to stop bad laws from being passed, and to stop bad actions from being taken... In general, people don't. It's called tacit consent. Bitch and whine all you want, and say you voted for the other guy, but you are implicitly condoning the actions of your government until you actively protest against them, either within the law (writing letter to your representatives, legal protests) or outside the law (civil disobedience).

Re:Accountability works both ways

[HiThere]

If the US were a democracy, then you would have a valid point. It isn't. Having two parties instead of one doesn't make it one, certainly not on any issue in which the two are in agreement.

Perhaps you are from a smaller place, so perhaps I should add that just about nobody knows anything about those candidates that hasn't been made public.

I will agree that if more people paid more attention to the publicly available information, they would be less surprised when the candidate they voted for "betrays" them. E.g., Obama voted for FISA while he was running for president. So I wasn't surprised that he's been an authoritarian president. He may still have been better than McCain would have been. He probably is, but there's no way to know for certain. But the SYSTEM DESIGN is corrupt. It's designed to foster corruption, and it is quite successful, most of the time. It does ensure that only the two wealthiest (in backing) candidates have a reasonable chance of being elected over any sizable area.

Re:Accountability works both ways

[sirlark]

Just because a candidate is well funded doesn't force you (or anyone) to vote for them, or their party. Also, just because your preferred candidate didn't get elected, doesn't mean the candidate who did get elected isn't your representative. You can still write them a letter. Just because your preferred candidates aren't in office doesn't mean you don't live in a democracy. It just means you're in a minority, and the majority (considered by the rest of the world collectively as "Americans") still vote the dumb assholes into office.

Please don't get me wrong, I am sympathetic to your situation, and I agree the system in America is severely biased. But it's still a democracy, and the people have the power to change if they would organize themselves. That they haven't yet, indicates the majority of the people are happy with the situation, and thus collective accountability applies

Re:Accountability works both ways

[Coren22]

Except, when you send a letter to a elected official, you get a form letter response that boils down to "I didn't read your letter, and don't care what it said anyways". Do you really think that it is possible for the populous of the US to influence their elected representatives?

Re:Accountability works both ways

[sirlark]

Yes, they managed with SOPA. I'm not saying it'll happen often, or easily. But if the law is heinous enough, and the majority of people disagree with it (and are made aware of it -- this is probably the key) then anit-SOPA like activity has an effect.

It will be interesting to see if remailers work...

[cayenne8]

It is going to be very interesting to see if the FBI, can crack through the remailer system, and actually find the person that did this.

I mean, if the person they're after, used the remailer system as it is supposed to work...it "should" be uncrackable and untraceable.

It will be interesting to see the system go through what I have to guess is the first actual hard core test it has ever gone through.

Federal Backup Service

[kawabago]

Send all your data through the US email system then if you have a catastrophic loss you can just use a freedom of information request to get a copy of your data!

Re:remailer?

[mydn]

Why was this modded flamebait? He was responding to an idiot. It took more effort for the AC to post to Slashdot than it would have taken for him or her to look it up. I can't even say that the AC was too damned lazy to look it up, since it actually required more effort to post to Slashdot and then review responses. Jeng had the decency to provide the AC with the information requested, and also took steps to correct the idiotic behavior.

My own post may disappear because I might mod Jeng's post up as informative.

http://lmgtfy.com/?q=remailer

transparent remailers

[Onymous+Coward]

If remailers are getting taken down because authorities want images of their hard drives, what about just giving that to them? Pre-emptively? The hard drives should have nothing revealing on them, I think. Is that your understanding, too? If so, then remailers could continue to operate despite law enforcement investigation.

The sticking points I see:

• thermal freezing of RAM for memory recovery may make physical confiscation still desirable
• the attackers may not believe the accuracy of your hard drive content reports
• (ad hoc) hard drive reports may still somehow leak information and undermine anonymity
• knowing exact software state (which programs and versions being used and their configurations) may increase vulnerability to intrusion

My intuition says it may be possible to overcome each of these.

Re:remailer?

[Jeng]

Up to +1 Flamebait

I really should get some sort of achievement for that.

How about...

[hesaigo999ca]

Why not try and induce a mass media frenzy that can focus on twhen the FBI has found leaks, and compromised particular networks, specifically the ones that are responsible for the worst spam. Then attach all sorts of fake info about busts, raids, etc...and that they are looking for more of the individuals associated through C&Cs and will use the ip list to track them down.

This would lead to all or any of the people using the C&C to stop right away for fear of getting caught and laying low until it tides over, even though the threat is fake and therefor without costing any money but lying to media a little, you brought down temporarily the amount of spam out there.

Re:Why was the key not in secure crypto processors

[mwfischer]

Your mood will change when you have a bunch of people with M4s pointed at your head at 4AM local time. I suspect you don't run for the "delete" button.

http://xkcd.com/538/ also XKCD

Re:Is this about bomb threats?

[nurb432]

Right, it looks as a decent process was followed here. FBI found came up with a potential issue, made a request thru the local government and made their case. Their local court ruled on the request and produced a warrant.

They imaged the machines for later infestation by the FBI, instead of asking for confiscation, so while there was a bit of downtime it wasn't a knock out blow.

Re:Why was the key not in secure crypto processors

[realxmp]

Which was why I said destroy your copy of the key once you've loaded it... It's far more likely you'd be compelled by a court order than an M4 anyway. The point being if the only copy of the private key is in the crypto processor then it doesn't matter whether your opponent uses rubber hose cryptography or has a court order, because you don't have a copy of the key to give them and they know that because you've advertised that fact before hand.

NSA criminals

[TiggertheMad]

From NSA's point of view, right now your gmail account is noise. But everyone's political views change over time as a natural part of the process of growing up. Sometimes things go wrong, and perfectly normal people who hold perfectly normal views turn into monsters. There's a 99.99999% probability that you're not one of them. But for the sake of 3 lousy gigs out of a yottabyte, there's a 100% chance that someone's 3GB of noise will contain signal.

And this is what is wrong with America. People will go to any end to have 100% safety, including sell out their rights and privacy if they think there is an IOTA of a chance it will protect their measly worthless backsides.

I am proud to say I believe in freedom and the beliefs of the founding fathers.I am willing to die for the country in the name of freedom. I don't want to, but I accept that risk as a cost of living in a free society. If that means that there is a small chance that I die because the plane/train/buss I am on destroyed in a terrorist attack, I freely accept that risk. The rest of America needs to wake up and realize that selling privacy and freedom will not buy them any more safety and security.

Data intercept is just plain wrong. Nobody has license to spy on America domestically, there is a reason why warrants are required legally to engage in surveillance.

Re:Why was the key not in secure crypto processors

[coofercat]

...or, to avoid 'specialist' hardware (and thus bring it into the realm of a $10/month VM), would it be possible for the machine to boot up and wait for a key to be sent to it, which it would store only in RAM?

This idea suggests it might be possible for the FBI to nab a server and actually get nothing at all. If they had some way to breakpoint the system and read the RAM then presumably they'd get everything though (which the crytpo chip wouldn't be vulnerable to).

This method also means it would be possible to setup a cluster of servers in disparate locations, but have them keyed from machines in other locations. If they keys got delivered by email, then it could be considerably difficult to work out where the keys came from, and thus make it hard to 'cut off the head' and destroy the cluster.

Going further, I guess you could set up VPNs between remailers so that machine A receives an email, but actually sends it to machines B and C to have it decrypted. Machine B just sends the message right back, whereas C decrypts it and sends it back. Thus, you wouldn't know which machine had actually done the work, and thus which machine to subpoena. This method is a lot more complicated, and I'm sure needs a lot more thinking about (and would need one hell of an implementation not to have a backdoor in it).

All this said, I have no idea what I'm talking about. For some reason I've always enjoyed the mental challenge of working out how to overcome these sorts of problems though.