FBI Compromises Another Remailer

betterunixthanunix writes "Another remailer has been compromised by the FBI, who made a forensic image of the hard disk of a remailer located in Austria. The remailer operator has reissued the remailer keys, but warns that messages previously sent through the remailer could be decrypted. The operator also warns that law enforcement agents had an opportunity to install a back door, and that a complete rebuild of the system will take some time."

wtf fbi

[X0563511]

Why the fuck are you intruding into and altering foreign systems? That's not your fucking jurisdiction or job!

Leave that shit to the intelligence agencies, if someone must do it.

Re:wtf fbi

[hendridm]

If you read the thread, it was Austrian authorities that took the image at the request of U.S. authorities.

Re:wtf fbi

[X0563511]

If that's true, I don't understand how this (from the summary above) is possible: "The operator also warns that law enforcement agents had an opportunity to install a back door"

Unless they just installed the backdoor into their image, for some reason. They would have had to have access to the live system to do this part.

Re:wtf fbi

Austrian Law Enforcement took a disk image, meaning they had direct access to the server. The Austrian's did this at the behest of the FBI. So yes, law enforcement could have installed a backdoor while they had access.

Re:wtf fbi

ASSISTANCE REQUEST

To: Federal Bureau of Investigation
From: Sealand Government

Please provide us soonest with hard drive images of the MegaUpload servers and RAID configuration parameters.

Thank you.

Re:wtf fbi

[betterunixthanunix]

Read the post; they did have access to the live system. The operator does not think it is likely that a backdoor was installed, but as a security precaution has indicated that the system will eventually be rebuilt (probably with new keys issued).

Re:wtf fbi

[a90Tj2P7]

They didn't. No one did. The admin just told everyone "Depending on how paranoid you are, you may assume the machine is backdoored, since the authorities have had access".

Re:wtf fbi

[Mindscrew]

The U.S. is not a democracy.

The U.S. is a Democratic Republic. Your vote is simply there to elect a representative of "the people". That elected person then votes how they see fit.

Its how easy these elected people can be payed off that's that problem.

Even "your" candidate is most likely being paid by somebody with a lot of money and an agenda.

Re:wtf fbi

[skywire]

You are so naive. Democracy is merely the latest in a line of mechanisms used to legitimize the state in the eyes of its subjects. If one could actually change the policies of the state by "trying to convince your neighbours to vote for someone", then the ruling elite would have to turn to a new legitimization mechanism. One can hardly be held morally responsible for the acts of others over whom one does not exercise agency or coercive influence.

Re:wtf fbi

[bravo_2_0]

You are right that the U.S. is not a democracy but it is NOT a Democratic Republic. It's a Constitutional Republic.

Re:wtf fbi

[MrLizardo]

In a pure democracy the people vote for *laws* not representatives. That's why the US is considered a Democratic Republic (or a *Representative* Democracy). It has nothing to do with the voting method and *everything* to do with what people get to vote for.

Re:wtf fbi

And through partisan gerrymandering and constant corruption, the USA isn't even a representative democracy any more, it's a corporate oligarchy.

Re:wtf fbi

[Joce640k]

I think local authorities might have issued a court order requiring a set of messages to be decrypted.

Not too many people have problems with following court orders for genuine criminal investigations. It's the mass-scanning, fishing expeditions they have a problem with.

The old KGB/Stasi bosses must be having a real laugh at the way the USA is acting lately. Read all your mail, demand papers and feel you up before you can travel anywhere, more people in prison than any other country.

Americans used to joke about all that sort of stuff but guess what...?

Re:wtf fbi

[mindbuilder]

US law now allows the military to imprison you for life without trial. See the NDAA. or http://www.youtube.com/watch?v=AKaTxjxnYfE This was signed into law by Obama. There is an exemption for American citizens from the requirement that the military take them to Guantanamo Bay, but the exemption is only to the requirement, the military still has the OPTION to imprison you forever without trial. The law says it is only for suspected terrorists, but the law only requires suspicion, not proof, and anyone can be suspected of being a terrorist. It has been claimed that there is a requirement for one hearing before a judge but I haven't seen that in the law. It boggles my mind that Congress and Obama think it is a good idea to make it legal for the military to secretly snatch you in the middle of the night and imprison you for life without trial on mere suspicion.

Re:Another question

[Jeng]

The remailers are not the target, it's users are.

"Could be decrypted"

[Beryllium+Sphere(tm)]

Not if they were encrypted to the end recipient's public key. If not, they were plaintext in transit and possibly on the ISP's server.

Re:"Could be decrypted"

[arth1]

Indeed. I'm not terribly familiar with anonymous remailers, so I don't understand what the keys are for. Why does an anonymous remailer need encryption keys in the first place? If I send them an email, asking them to resend it somewhere else, and they don't log who sends them email, isn't that enough to provide anonymity?

No. If you e-mail the remailer unencrypted, DHS/NSA/FBI can snoop the e-mail en route to the remailer, seeing what you wrote and who you sent it to.
If you send the e-mail encrypted to the remailer, the agencies won't know what's in the e-mails or who it goes to.

Re:"Could be decrypted"

[betterunixthanunix]

Which is why people typically send messages through remailer chains, to make that sort of attack harder. Yes, they could just compromise the whole system, which is why the low number of remailers in operation is so troubling.

Re:remailer?

[Jeng]

I'm going to take this opportunity to post a link to information about remailers, but I think you are an idiot for asking.

http://www.andrebacard.com/remail.html

Re:remailer?

[SJHillman]

An anonymous remailer is a server that receives messages with embedded instructions on where to send them next, and that forwards them without revealing where they originally came from.

http://en.wikipedia.org/wiki/Anonymous_remailer

So what this really says.....

[3seas]

....is that the FBI is a criminal organization.

Anonymous remailers are set up for reason of protection of those with information they want to get out but can as well suffer from a repressive regime, otherwise risking death if not done anonymously. Even universities of law have set such remailer up in respect of the law, ethics and democracy.

Perhaps there is a jail cell next to Bradly available for these. Naw.... not a chance.... somebody is going to die and that will make it ok.

What an upside down world we live in... Ready to flip it right side up?

Re:So what this really says.....

[betterunixthanunix]

Making forensic copies of remailer disks, seizing remailers, etc. are not going to help them catch the guy who is sending these messages. Look at TFA -- the remailer operator simply reissued the keys. Taking a remailer offline is even more useless -- the FBI misses the opportunity to log messages travelling through the remailer, and to work their way backward through the remailer chain.

If the FBI were serious about catching this guy, they would not be making such a public spectacle -- the sender is going to stop using the remailer system, or else the sender is already relying on more than just remailers (e.g. Remailing through Tor from an open Wifi access point). The point of these high-profile raids is to attack the remailer system head-on; law enforcement agencies generally want to shut down anonymity systems, and these bomb threats present the perfect opportunity to attack the system with legal justification.

Re:Crime

[v1]

the problem here is that the US is *known* to be storing ALL email traffic that routes through the united states. Sounds like a daunting task, but there's a reason they have all these big high security data centers all over the place and have "high security rooms" at all the telcos and large ISPs. That traffic gets siphoned off to their data centers for storage for later in case they need it. There's a simple reason why those places have petabytes of storage.

So there is never a question of "but they'd have to have been watching for that email last week/month/year and it's long since been sent and removed from caches". No. They have it. They have them all, just in case. Watch Enemy of the State. Watch how they pull up satellite footage from hours and days ago. Same principle here, if you can record everything, it works like a time machine. (for the past anyway)

So yes, busting down a door and taking the remailer keys gives them 100% access to 100% of the traffic that has been sent by that remailer at ANY point in the past where it crossed through a US ISP.

The truly disgusting part of this is they got the KEYS. Technically all they NEEDED was to hand over the encrypted message to the AU authorities, they break down the door and use the key to decode the message, and turn over the message, then wipe their copy of the key. That would be the "proper" way to do it, not to abuse the system, but instead they handed over the KEYS themselves, and now the US can decrypt truckloads of hard drives of emails that they have NO business having access to. That is the true crime here. It's like having a legal reason to subpoena a safe deposit box at a bank, and the bank hands them over a master key that opens every box in the vault and lets them look through anything they want. That's just WRONG.

Every time someone sends a bomb threat they can pull this stunt, it's like christmas over at the NSA, "we got another key! lets see what goodies we can find!" Talk about an incentive for abuse... Normally I don't go "tinfoil hat" on things, but THIS is actually an instance where I could start to buy into someone suggesting the NSA/etc forging a bomb threat just to get access to another random footlocker of encrypted data they want a peek at.

Re:Crime

[bws111]

Couldn't even bother to read the first paragraph of the article, eh?

Today, the police arrived with a court order that allowed them to
create a forensic disk image of the austria remailer. This apparently
was on request of the US authorities, related to the Pittsburgh bomb
threats. (emphasis mine)

It was the Austrian police who had a valid court order who 'intruded'. As for the 'added a backdoor':
Depending on how paranoid you are, you may assume the machine is
    backdoored, since the authorities have had access.

Doesn't say the FBI ever had access. Doesn't say there IS a backdoor, just that if you're paranoid yo umay assume there is one.

FBI & Technology

[Reasonable+Facsimile]

When I read the summary ("... forensic image of the hard disk"), I pictured an agent standing over a server taking a photo of the HDD (with a Polaroid camera).

Nothing would surprise me after reading this.

Re:other interesting questions raised

[betterunixthanunix]

include could the FBI briing a rogue remailer online using the image?

How would the image help them? The FBI can set up a honeypot remailer any time they want, with or without the secret keys of another remailer.

why wasnt full disk encryption used in this case to store the private keys?

Elsewhere in the thread the operator stated that had WDE been in use, he would still have given the police his key. Why would a remailer operator allow himself to be arrested just to protect strangers?

in my opinion everything from the case fans to the bolts in the mounting rails on this server are now tainted. Sell it on ebay and build a new one.

That is why the system cannot just be rebuilt overnight; parts must be procured, software must be obtained from a trusted source, etc.

Re:Crime

[betterunixthanunix]

So yes, busting down a door and taking the remailer keys gives them 100% access to 100% of the traffic that has been sent by that remailer at ANY point in the past where it crossed through a US ISP.

It also gives other remailer operators a chance to reissue their keys and destroy the old keys -- which is basically what needs to happen when you have an agency going around demanding disc images like this. I am not aware of this happening, though.

Re:Are some of u spammers?

[Zero__Kelvin]

Because anonymous remailers are not designed and implemented for the use of Spammers any more than the Internet was. By your logic: Spammers use anonymous remailers so taking them down is good, and Spammers use the Internet, so taking it down is good. See the problem there?

Why was the key not in secure crypto processors?

[realxmp]

If we're going to trust these remailers then we need to do things properly. Key goes into the crypto processor, never comes out. Means someone can't just seize your server and image it then use that image to decrypt all traffic that passed through. If they want to try and get it out, fine but they'll need a guy with an Electron microscope to do so and they'll likely trip the tamper measures and bye bye key. If you're particularly paranoid you can even destroy your copy of the key once you've loaded it, this might mean changing your key if you have to move servers but it means that the service you offer is truly tamper evident. Plus you also have the added bonus that a dedicated hardware security module is usually quicker than your processor at doing encryption/decryption.

Backdoor

[Githaron]

While I realize this was not a US server, I am curious. Can the FBI legally install a backdoor into a US server without a warrant to specifically do so? I would assume not. Of course, I guess that wouldn't keep the FBI from illegally installing a backdoor.

Re:Backdoor

[timeOday]

Maybe they have a secret warrant? Maybe they don't have a warrant but intend to retroactively get one in the future by notifying a judge within the next 72 hours? Since 911 we are living in Jack Bauer land. Better hope the Good Guys never lose their moral compass.

Re:Crime

Do they really store ALL email traffic, or just profile and store from selected accounts? The 3GB of mails from my GMail consisting of newsletters and college projects, and millions of other accounts like mine: arent they essentially useless and a waste of space for them?

Suppose you had a yottabyte of disk storage. 3GB isn't just a drop in the bucket, it's not even a grain of sand at the beach.

Car Analogy: Most of us break the odd traffic law every now and then. Very rarely, does anybody get caught. At the instant Officer Friendly pegs you on radar doing 35 in a 30 zone, he'd very much like to be able to check your driving history. If there were a giant database of everyone's GPS logs, he could tell whether you were just in a hurry that morning, the sort of driver who usually drives precisely 4 (or 9) miles an hour over the posted speed limit, or if you do 120 in a 60 zone whenever there aren't any cops around. If Officer Friendly had access to that data, he'd be better able to judge whether or not to pull you over.

For speeding, it's not worth logging the movements of every car and correlating them with local speed limits at the time the log was written.

For other things, it probably is.

From NSA's point of view, right now your gmail account is noise. But everyone's political views change over time as a natural part of the process of growing up. Sometimes things go wrong, and perfectly normal people who hold perfectly normal views turn into monsters. There's a 99.99999% probability that you're not one of them. But for the sake of 3 lousy gigs out of a yottabyte, there's a 100% chance that someone's 3GB of noise will contain signal.

Since they don't posess a time machine that can peer into the future, they don't, and can't, know whose 3GB-of-noise will eventually contain a signal 20 years from now. But 20 years from now, they will have a time machine that can peer back 20 years into the past.

email scrutinized and retained by third parties

[cmdurrett]

For private communication use postal mail.

Accountability works both ways

[sirlark]

In a democracy, just as the government is meant to be accountable to the people, the people are accountable for the government they choose. Democracy doesn't stop at the ballot box. This is something noone seems to get. Why does everyone hate Americans? Because of what their government does. And they keep on putting assholes in charge. Sure, not every American voted the same way, but as a democracy you (theoretically) have the power as a population to stop bad laws from being passed, and to stop bad actions from being taken... In general, people don't. It's called tacit consent. Bitch and whine all you want, and say you voted for the other guy, but you are implicitly condoning the actions of your government until you actively protest against them, either within the law (writing letter to your representatives, legal protests) or outside the law (civil disobedience).

Re:Accountability works both ways

[HiThere]

If the US were a democracy, then you would have a valid point. It isn't. Having two parties instead of one doesn't make it one, certainly not on any issue in which the two are in agreement.

Perhaps you are from a smaller place, so perhaps I should add that just about nobody knows anything about those candidates that hasn't been made public.

I will agree that if more people paid more attention to the publicly available information, they would be less surprised when the candidate they voted for "betrays" them. E.g., Obama voted for FISA while he was running for president. So I wasn't surprised that he's been an authoritarian president. He may still have been better than McCain would have been. He probably is, but there's no way to know for certain. But the SYSTEM DESIGN is corrupt. It's designed to foster corruption, and it is quite successful, most of the time. It does ensure that only the two wealthiest (in backing) candidates have a reasonable chance of being elected over any sizable area.

It will be interesting to see if remailers work...

[cayenne8]

It is going to be very interesting to see if the FBI, can crack through the remailer system, and actually find the person that did this.

I mean, if the person they're after, used the remailer system as it is supposed to work...it "should" be uncrackable and untraceable.

It will be interesting to see the system go through what I have to guess is the first actual hard core test it has ever gone through.

Federal Backup Service

[kawabago]

Send all your data through the US email system then if you have a catastrophic loss you can just use a freedom of information request to get a copy of your data!

NSA criminals

[TiggertheMad]

From NSA's point of view, right now your gmail account is noise. But everyone's political views change over time as a natural part of the process of growing up. Sometimes things go wrong, and perfectly normal people who hold perfectly normal views turn into monsters. There's a 99.99999% probability that you're not one of them. But for the sake of 3 lousy gigs out of a yottabyte, there's a 100% chance that someone's 3GB of noise will contain signal.

And this is what is wrong with America. People will go to any end to have 100% safety, including sell out their rights and privacy if they think there is an IOTA of a chance it will protect their measly worthless backsides.

I am proud to say I believe in freedom and the beliefs of the founding fathers.I am willing to die for the country in the name of freedom. I don't want to, but I accept that risk as a cost of living in a free society. If that means that there is a small chance that I die because the plane/train/buss I am on destroyed in a terrorist attack, I freely accept that risk. The rest of America needs to wake up and realize that selling privacy and freedom will not buy them any more safety and security.

Data intercept is just plain wrong. Nobody has license to spy on America domestically, there is a reason why warrants are required legally to engage in surveillance.