FBI Seeks To Legally Hack You If You're Connected To TOR Or a VPN

SonicSpike writes The investigative arm of the Department of Justice is attempting to short-circuit the legal checks of the Fourth Amendment by requesting a change in the Federal Rules of Criminal Procedure. These procedural rules dictate how law enforcement agencies must conduct criminal prosecutions, from investigation to trial. Any deviations from the rules can have serious consequences, including dismissal of a case. The specific rule the FBI is targeting outlines the terms for obtaining a search warrant. It's called Federal Rule 41(b), and the requested change would allow law enforcement to obtain a warrant to search electronic data without providing any specific details as long as the target computer location has been hidden through a technical tool like Tor or a virtual private network. It would also allow nonspecific search warrants where computers have been intentionally damaged (such as through botnets, but also through common malware and viruses) and are in five or more separate federal judicial districts. Furthermore, the provision would allow investigators to seize electronically stored information regardless of whether that information is stored inside or outside the court's jurisdiction.

Harvest Exploits

1. Run FF via TOR using valgrind.
2. Trace data flow
3. Harvest Exploit
4. Harden FF
5. Sell Exploit

Re:Bad idea

[TWX]

I wouldn't be surprised if people put up honeypots on Tor just to mess with 'em, and log all of the output over serial or something so that even if they get in, they can't purge the logs of their attempts.

fan hitting event on the horizon

[galaad2]

ALL major online email providers (google mail, yahoo, microsoft, etc.) and all major company networks work internally by using a VPN between the various locations that those companies have around the country/world... => they are going to be hacked... and this will raise an enormous shitstorm.

Re:Please do

[oodaloop]

I had this proof of concept for how to infest even well guarded VM-secured analysis centers to the point of taking them offline or making them my bitch on my PC

Good luck with that. I don't know if you watched Skyfall one too many times, but all of those centers are disconnected from the internet and run on their own network, precisely for this reason.

Phase 1

[frovingslosh]

This is just Phase 1. Once this is in place then in Phase 2 if you ever use any service that uses https then you must be trying to hide something and so they can take all of your data. Same for any other use of encryption, you might be a criminal or terrorist hiding something. And if you ever send anything through the mail in a sealed envelope, well you must be a criminal trying to hide stuff.

Re:Bad idea

[Jason+Levine]

They would care because they don't want the FBI hacking into their employee's computers while connected to the company servers via VPN. This "caring" might be due to caring about their employees (rare but it does exist in corporations), caring about their own computer security (much more likely), or worry over a FBI VPN hack uncovering corporate wrong doing (definitely possible). Companies that rely on VPN will use their lobbying might to fight this and there are some big companies that rely on VPN. I don't see this as gaining traction.

Then again, if the government screams "TERRORISM" or "PROTECT THE CHILDREN" loud and often enough, they've proven they can get almost anything passed. It's time someone changed the country's root passwords!

Baseless fearmongering at its finest

[Tuckdogg]

Articles like this often get written because the author doesn't really understand the law, and rather than really trying to understand what's going on they just guess. The claims made in this article are so wildly off-base, however, that it makes me question whether the author is just trolling people.

Contrary to what the article suggests, Federal Criminal Rule 41(b) does not have a thing to do with what evidence law enforcement agencies are required to show to get a warrant, nor does it authorize the FBI (or anyone else) to get any particular type of warrant. Rule 41(b) is about VENUE; e.g., if you've already got enough evidence to get a search warrant, what judge (in what federal District) is the judge that you are supposed to present that evidence to?

You can read Rule 41(b) here: http://www.law.cornell.edu/rul...

The basic rule it sets out is that, when you want a warrant, you ask a judge located within the District where the person/property you want to search is located. There are exceptions to that basic rule, much like any other rule, because it's not always a simple matter of "X is located here." Sometimes things are located across several different Districts, sometimes they're mobile and can be easily moved to another District, etc. This is why there are currently 5 subsections to 41(b), each dealing with slightly different semi-unusual factual scenarios. At the end of the day, each exception is there for a very simple reason: to clearly and unambiguously tell federal law enforcement agencies how to identify the judge they are supposed to go to if they want to get a search warrant.

The proposal for changing Rule 41(b) is located here: http://justsecurity.org/wp-con...

What the DOJ is asking for is a scenario not currently covered by Rule 41(b). That being...what happens if you are dealing with someone you know to have committed a crime, you have enough evidence to get a search warrant, but the perpetrator of the crime is using some sort of technological means (like encryption, IP masking, etc.) to prevent you from finding the exact physical location of whatever you want to search? As of right now, it is not clear who the right judge would be to issue that warrant. The only thing the proposal would do is say that, if you can't identify the physical location of the computer to be searched (and therefore do not know which federal District it's located in), then you can go get your warrant from a judge in the District where the target of the crime was located.

Example: I'm an evil h@xx3r, and I hack some computers at the GooglePlex. I have masked my IP address, so the FBI does not know exactly where I'm at. Under current Rule 41(b), it's not clear who the right judge would be to try to get a warrant from. Under "new" Rule 41(b), they can go to a judge in California since that's where the GooglePlex is located.

That's literally the only thing this proposal would change. It says nothing about VPNs or TOR networks. It does not give the FBI (or any other law enforcement agency) the authority to hack your computer or your phone whenever they want. It doesn't even grant them the authority to do that with a warrant, because they already have the ability to do that with a warrant. It also doesn't say anything about how much evidence they have to present to get the warrant, because Rule 41(b) has nothing to do with that. The standards for search warrants are exactly the same as they have been for years; this proposal would only clarify who the right judge is to issue the warrant.

I don't know a whole heck of a lot about the "FEE" is, but if this article is representative of their work and/or legal abilities then color me unimpressed.

Treason is one reason for the existence of 2nd

[mpercy]

Ever heard of that treasonous document that starts out "When in the Course of human events it becomes necessary for one people to dissolve the political bands which have connected them with another and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature's God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation."?

It goes on to say: "Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn that mankind are more disposed to suffer, while evils are sufferable than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security."

The signers of the Declaration of Independence and the people who fought for the Colonies independence were committing treason.

Indeed, the 2nd Amendment self-state purpose is to allow the citizens to preserve their freedom from a despotic federal government that was being formed by the same document. Rather, the government being formed could become despotic and need to be thrown off, and the the 2nd provides the basis for that.

This is pretty clear from various Founder's explanations, e.g. Alexander Hamliton "[I]f circumstances should at any time oblige the government to form an army of any magnitude[, ] that army can never be formidable to the liberties of the people while there is a large body of citizens, little, if at all, inferior to them in discipline and the use of arms, who stand ready to defend their own rights and those of their fellow-citizens."

The Framers had *just* completed an armed (and treasonous) insurrection of their own, and were keenly aware of the fact that any government they might form could (and probably would) become despotic. The 2nd at least put a floor under the people's ability to fight back against that potential.