Slashdot Mirror

← Back to Stories (view on slashdot.org)

FBI Seeks To Legally Hack You If You're Connected To TOR Or a VPN

Posted by timothy on from the well-you-look-guilty-from-here dept.

SonicSpike writes The investigative arm of the Department of Justice is attempting to short-circuit the legal checks of the Fourth Amendment by requesting a change in the Federal Rules of Criminal Procedure. These procedural rules dictate how law enforcement agencies must conduct criminal prosecutions, from investigation to trial. Any deviations from the rules can have serious consequences, including dismissal of a case. The specific rule the FBI is targeting outlines the terms for obtaining a search warrant. It's called Federal Rule 41(b), and the requested change would allow law enforcement to obtain a warrant to search electronic data without providing any specific details as long as the target computer location has been hidden through a technical tool like Tor or a virtual private network. It would also allow nonspecific search warrants where computers have been intentionally damaged (such as through botnets, but also through common malware and viruses) and are in five or more separate federal judicial districts. Furthermore, the provision would allow investigators to seize electronically stored information regardless of whether that information is stored inside or outside the court's jurisdiction.

42 of 385 comments (clear)

  1. Bad idea by AmiMoJo · · Score: 4, Insightful

    If the FBI starts to attack Tor and VPN users, those users are going to fight back. If they are not in the US the FBI might not be able to stop them doing it either.

    All this kind of thing does is make the US a more legitimate target for cyber attacks. The NSA and GCHQ are already fair game for hacking because they try to illegally hack you, so it's just self defence.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Bad idea by TWX · · Score: 5, Interesting

      I wouldn't be surprised if people put up honeypots on Tor just to mess with 'em, and log all of the output over serial or something so that even if they get in, they can't purge the logs of their attempts.

      --
      Do not look into laser with remaining eye.
    2. Re:Bad idea by ron_ivi · · Score: 4, Insightful

      Most VPNs are corporate.

      I imagine corporations will fight back legally if/when their employees start getting hacked by the FBI.

    3. Re:Bad idea by davydagger · · Score: 4, Insightful

      I think thats the point. Once they start fighting back, you can now openly declare war, and then have everyone who even remotely looks suspicious arrested.

      Read, the war on nerds continues

      Realisticly what can we do?

      How about this, until this happy horse shit stops, lets all boycott working for the federal government. Take a job somewhere else. Unexpectedly find reasons to be somewhere else when they ask for help. Play internet detective and debunk all their theories on digital warfare.

      Someone else can wage digital war on North Korea, Syria, Russia, and China. Someone else can keep state secrets safe. Just pass this around until we get a complete boycott on working for Uncle Sam.

      Lets also continue to heckle recruiters and inform the n00bs to stay away from these people.

      We don't need a war, we need to go on strike.

    4. Re:Bad idea by ShanghaiBill · · Score: 5, Insightful

      If the FBI starts to attack Tor and VPN users, those users are going to fight back.

      Both TFA and the summary wildly misrepresent what this is all about. The FBI is NOT asking for permission to attack anyone that happens to be using Tor or a VPN. What they are asking for is the ability to get a warrant to search a particular Tor/VPN node, that appears to be engaging in criminal activity, without knowing who the owner is or where the system is physically located.

    5. Re:Bad idea by PhilHibbs · · Score: 5, Insightful

      Why would my employer fire me for using the corporate VPN from home? That's precisely what the VPN is for!

    6. Re:Bad idea by PhilHibbs · · Score: 5, Informative

      I'm sure Airbus cared when the GCHQ snooped on the details of a bidding process and handed over the details to Boeing.

    7. Re:Bad idea by Jason+Levine · · Score: 4, Interesting

      They would care because they don't want the FBI hacking into their employee's computers while connected to the company servers via VPN. This "caring" might be due to caring about their employees (rare but it does exist in corporations), caring about their own computer security (much more likely), or worry over a FBI VPN hack uncovering corporate wrong doing (definitely possible). Companies that rely on VPN will use their lobbying might to fight this and there are some big companies that rely on VPN. I don't see this as gaining traction.

      Then again, if the government screams "TERRORISM" or "PROTECT THE CHILDREN" loud and often enough, they've proven they can get almost anything passed. It's time someone changed the country's root passwords!

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    8. Re:Bad idea by meta-monkey · · Score: 4, Informative

      Yeah, it's not like the high-functioning sociopaths that seem so well-represented in the programmer population would be at all interested in the six-figure salaries offered by the secret government agencies with access to the most advanced and expensive computing resources on the planet, and may, with the blessing of the government, go crack and exploit all the things. I'm sure the "strike" will be very effective.

      --
      We don't have a state-run media we have a media-run state.
    9. Re:Bad idea by jandrese · · Score: 4, Insightful

      Wait till your corporations trade secrets are leaked because the FBI's collector was insecure.

      --

      I read the internet for the articles.
    10. Re:Bad idea by redmid17 · · Score: 4, Funny

      Do you know what a corporate VPN is?

      I only ask because it does not seem like you know what a VPN is, let alone a corporate VPN.

    11. Re:Bad idea by epyT-R · · Score: 3, Insightful

      I meant if you were using one on their system for something else as it would be breaking the law. The net result is that VPN use without a license will become a federal offense, like everything else.

    12. Re:Bad idea by redmid17 · · Score: 5, Insightful

      The ability to get a warrant "without providing specific details" and the person doesn't have to be within the court's jurisdiction.

      That's, um, just as troubling as it sounds.

    13. Re:Bad idea by ShanghaiBill · · Score: 4, Insightful

      That's, um, just as troubling as it sounds.

      Yes, it is troubling, and we should be having a rational discussion about that. Instead we have a lot of hysterical rants based on the wildly misleading headline, summary, and article, that imply that the FBI wants to "legally hack" anyone connected to TOR or a VPN. That is not at all what this is about. By trying to manufacture outrage about a phony issue, the author is obfuscating the real issue.

    14. Re:Bad idea by Chandon+Seldon · · Score: 5, Insightful

      You can't really separate those things. The simple fact of securing information is that once it's out you have zero control over where it goes.

      As a company, the only outside people who should get access to your information are your lawyers and entities that have signed an NDA. Unless GCHQ is going to sign an NDA, a competent Airbus managment can not tolerate snooping.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    15. Re:Bad idea by TemporalBeing · · Score: 4, Insightful

      I imagine corporations will fight back legally if/when their employees start getting hacked by the FBI.

      Why would a corporation care?

      One word: Liability.

      Corporations would very much care because of liability concerns - both domestically to the US and foreign to other countries. It's already becoming enough of an issue that companies are taking to hosting data regionally instead of centrally just from a legal liability perspective.

      For instance, suppose there was conversation going on regarding what to disclose to the US government over the operations of a foreign subsidiary between the execs and their lawyers? Regardless of the topic, matter-at-hand, or end result that is protected conversation regardless of medium, and the existence of the VPN would mean they expected it to be carried out in private.

      And you can certainly bet the lawfirms will fight it too.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  2. Harvest Exploits by Anonymous Coward · · Score: 5, Interesting

    1. Run FF via TOR using valgrind.
    2. Trace data flow
    3. Harvest Exploit
    4. Harden FF
    5. Sell Exploit

  3. Also if you've ever used TOR or a VPN by Anonymous Coward · · Score: 3, Insightful

    Or if you know somebody who has used TOR or a VPN. Or if you know what TOR or VPN is. Or if you might know somebody who might possibly know someone else who could know what TOR or VPN is. In fact, the FBI just wants to hack you.

  4. Please do by Opportunist · · Score: 3, Funny

    My computer is not so well shielded against attacks. And you might want to take a good look at that "terror_cells_US.docx" file. Yes, you may have to activate macros, it has a bit of active content.

    What? Me hack the FBI? I swear, I never even thought about it. I had this proof of concept for how to infest even well guarded VM-secured analysis centers to the point of taking them offline or making them my bitch on my PC but I have no idea how it got there...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Please do by oodaloop · · Score: 3, Interesting

      I had this proof of concept for how to infest even well guarded VM-secured analysis centers to the point of taking them offline or making them my bitch on my PC

      Good luck with that. I don't know if you watched Skyfall one too many times, but all of those centers are disconnected from the internet and run on their own network, precisely for this reason.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  5. Sure, you have the right to privacy, by Anonymous Coward · · Score: 5, Insightful

    but if you use it, that is grounds for us to take it away.

    Makes perfect sense in an inside the belt way sort of way.

  6. USPS by buback · · Score: 3, Insightful

    So the Postal service is still the most secure legally protected method for sending data. Just mail CDs.

    1. Re:USPS by alphatel · · Score: 4, Informative

      So the Postal service is still the most secure legally protected method for sending data. Just mail CDs.

      The USPS scans all mail
      The USPS monitors mail on behalf of the feds without any authorization.
      What's to stop them from opening it without a warrant? Sorry but the whole system is controlled and abused by your favorite government officials.

      Sidenote: CDs were replaced by DVDs and now Blu Rays. Just fyi if you want to send more than 700mb of crap.

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  7. Remember when you guys applauded Holder... by PeeAitchPee · · Score: 3, Informative

    ...just a few few days ago? How do you like him now? That's right, he's still smearing turds all over the Constitution, and having him gone will be one of the best things about Obama's terms finally ending.

  8. fan hitting event on the horizon by galaad2 · · Score: 4, Interesting

    ALL major online email providers (google mail, yahoo, microsoft, etc.) and all major company networks work internally by using a VPN between the various locations that those companies have around the country/world... => they are going to be hacked... and this will raise an enormous shitstorm.

    --
    root@127.0.0.1
    1. Re:fan hitting event on the horizon by ShaunC · · Score: 5, Insightful

      ALL major online email providers (google mail, yahoo, microsoft, etc.)

      That horse has already left the barn, they even poked fun at Google's internal setup with a doodle. There was no enormous shitstorm. Google responded by encrypting their internal traffic (or announcing that they did, anyway) and life went on. Millions upon millions of Americans simply don't care, and millions more actually want the government reading everyone's email because they think it protects us from them ay-rab turrists. Until the surveillance apparatus somehow fucks up football or The Voice or Pawn Stars, nobody's going to give a shit.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  9. work from home users by hawguy · · Score: 3, Insightful

    When I'm connected to my company's VPN connection, they route all of my traffic over that connection, sounds like this law is giving the feds carte blanche to hack all work-from-home users.

    1. Re:work from home users by DarkOx · · Score: 3, Insightful

      That's not what's meant by VPN in this context.

      "context" don't make me laugh. There is no application of context to modern law. All sides take advantage. The words are stretched and the intents are ignored until the law can practically mean anything the AG wants it to mean that day. "VPN" already has plenty of interpretations in the tech world once the legal world gets hold of it, it is certain to be interpreted as just about anything that isn't a direct essentially the most direct path between hosts available using a plaintext protocol.

      If you think otherwise you are crazy, or haven't been paying attention.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  10. As always, dick measuring between agencies by Trachman · · Score: 3, Informative

    NSA and others do it and will do it no matter what the law says, while their dime eyed lawyers continue telling that they are defending our liberties. FBI was also doing it, but now that the discussion is public, there are same voices, probably in-house lawyers, who foresee a case in the future where the litigation is lost if FBI will continue lying using the paralel construction, like they (and all others) always did.

    So now they want to legitimize something that is not legitimizable.

  11. Re:Locked Homes are Next? by neilo_1701D · · Score: 4, Informative

    They don't need to enter your home, locked or not, anymore:

    http://www.usatoday.com/story/...

    New police radars can 'see' inside homes

    At least 50 U.S. law enforcement agencies have secretly equipped their officers with radar devices that allow them to effectively peer through the walls of houses to see whether anyone is inside, a practice raising new concerns about the extent of government surveillance.

    Those agencies, including the FBI and the U.S. Marshals Service, began deploying the radar systems more than two years ago with little notice to the courts and no public disclosure of when or how they would be used. The technology raises legal and privacy issues because the U.S. Supreme Court has said officers generally cannot use high-tech sensors to tell them about the inside of a person's house without first obtaining a search warrant.

    The radars work like finely tuned motion detectors, using radio waves to zero in on movements as slight as human breathing from a distance of more than 50 feet. They can detect whether anyone is inside of a house, where they are and whether they are moving.

    Current and former federal officials say the information is critical for keeping officers safe if they need to storm buildings or rescue hostages. But privacy advocates and judges have nonetheless expressed concern about the circumstances in which law enforcement agencies may be using the radars — and the fact that they have so far done so without public scrutiny.

  12. Re:Corporations and Companies by neilo_1701D · · Score: 4, Insightful

    When are we going to get some lawmakers who actually understand the fucking technology?

    They understand the technology well enough. It's the Constitution they're having problems understanding.

  13. Phase 1 by frovingslosh · · Score: 3, Interesting

    This is just Phase 1. Once this is in place then in Phase 2 if you ever use any service that uses https then you must be trying to hide something and so they can take all of your data. Same for any other use of encryption, you might be a criminal or terrorist hiding something. And if you ever send anything through the mail in a sealed envelope, well you must be a criminal trying to hide stuff.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  14. Wow ... by gstoddart · · Score: 4, Insightful

    So it's true ... when they outlaw privacy, only criminals will have privacy.

    And then there's this:

    Furthermore, the provision would allow investigators to seize electronically stored information regardless of whether that information is stored inside or outside the court's jurisdiction.

    We want extraterritorial laws, with no judicial oversight.

    I'm sorry, but can the rest of the world decree that FBI agents should all be shot on sight as enemies of basic civil rights? The argument is about equally stupid as what the FBI claim.

    America, you have a problem, and you are making it the problem of everyone on the planet.

    Land of the free and home of the brave? You have to be fucking kidding us.

    --
    Lost at C:>. Found at C.
  15. Let's see if I got this right by real+gumby · · Score: 5, Insightful

    The US government funded Tor development and encourages its use as a way to avoid repressive governments and then considers its use in the US to be a suspcious act.

    The irony, it burns!

  16. 4th amendment requires specifics by MobyDisk · · Score: 3, Insightful

    From the article:

    ...without providing any specific details as long as the target computer location has been hidden through a technical tool like Tor or a virtual private network. It would also allow nonspecific search warrants...

    Text of the 4th amendment to the constitution:

    The right of the people to be secure in their persons, houses, papers, and effects,[a] against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    The article is light on details, but if it is accurate, this looks like a straightforward violation of the 4th amendment. The devil is always in the details though. The article may be an oversimplification.

  17. Re:Locked Homes are Next? by gstoddart · · Score: 3, Insightful

    It's only for scanning buildings before entering to serve already-valid warrants.

    And what proof do you have of that? What assurances do you have they don't abuse this?

    Sorry, but assuming law enforcement gives a shit about the law, or will follow it, is now such a naive and moronic statement as to be bordering on delusional. Increasingly, law enforcement wants to get around the law and oversight, and just do whatever the hell they want.

    Which means you more or less have to assume they're going to misuse every tool in the book, and treat them like children.

    And a valid warrant? Don't make me fucking laugh. How many times have law enforcement broken into the wrong damned home and killed some poor schmuck who wasn't doing anything other than defending his home from masked assailants?

    I'm long past the point where I trust the actions, motivations, or ethics of the fucking police.

    Because apparently they either don't know the law, or don't care.

    Which is precisely why people don't trust them, and are growing hostile to them. If collectively the police don't give a shit about our rights, WTF would we give them more power with less oversight.

    Sorry, but this is bad policing by agencies who find following the law too inconvenient.

    --
    Lost at C:>. Found at C.
  18. Re:Locked Homes are Next? by gstoddart · · Score: 4, Insightful

    And then they'll outlaw that.

    Essentially anything which interferes with their ability to monitor your without restriction is now being deemed illegal.

    Soon, they'll make it illegal to have secrets in your head, and you must submit to mandatory questioning and reeducation.

    Sorry, but America has jumped the shark, and is taking down the whole world with them.

    And for some reason, people are blindly accepting this crap.

    --
    Lost at C:>. Found at C.
  19. Baseless fearmongering at its finest by Tuckdogg · · Score: 5, Interesting

    Articles like this often get written because the author doesn't really understand the law, and rather than really trying to understand what's going on they just guess. The claims made in this article are so wildly off-base, however, that it makes me question whether the author is just trolling people.

    Contrary to what the article suggests, Federal Criminal Rule 41(b) does not have a thing to do with what evidence law enforcement agencies are required to show to get a warrant, nor does it authorize the FBI (or anyone else) to get any particular type of warrant. Rule 41(b) is about VENUE; e.g., if you've already got enough evidence to get a search warrant, what judge (in what federal District) is the judge that you are supposed to present that evidence to?

    You can read Rule 41(b) here: http://www.law.cornell.edu/rul...

    The basic rule it sets out is that, when you want a warrant, you ask a judge located within the District where the person/property you want to search is located. There are exceptions to that basic rule, much like any other rule, because it's not always a simple matter of "X is located here." Sometimes things are located across several different Districts, sometimes they're mobile and can be easily moved to another District, etc. This is why there are currently 5 subsections to 41(b), each dealing with slightly different semi-unusual factual scenarios. At the end of the day, each exception is there for a very simple reason: to clearly and unambiguously tell federal law enforcement agencies how to identify the judge they are supposed to go to if they want to get a search warrant.

    The proposal for changing Rule 41(b) is located here: http://justsecurity.org/wp-con...

    What the DOJ is asking for is a scenario not currently covered by Rule 41(b). That being...what happens if you are dealing with someone you know to have committed a crime, you have enough evidence to get a search warrant, but the perpetrator of the crime is using some sort of technological means (like encryption, IP masking, etc.) to prevent you from finding the exact physical location of whatever you want to search? As of right now, it is not clear who the right judge would be to issue that warrant. The only thing the proposal would do is say that, if you can't identify the physical location of the computer to be searched (and therefore do not know which federal District it's located in), then you can go get your warrant from a judge in the District where the target of the crime was located.

    Example: I'm an evil h@xx3r, and I hack some computers at the GooglePlex. I have masked my IP address, so the FBI does not know exactly where I'm at. Under current Rule 41(b), it's not clear who the right judge would be to try to get a warrant from. Under "new" Rule 41(b), they can go to a judge in California since that's where the GooglePlex is located.

    That's literally the only thing this proposal would change. It says nothing about VPNs or TOR networks. It does not give the FBI (or any other law enforcement agency) the authority to hack your computer or your phone whenever they want. It doesn't even grant them the authority to do that with a warrant, because they already have the ability to do that with a warrant. It also doesn't say anything about how much evidence they have to present to get the warrant, because Rule 41(b) has nothing to do with that. The standards for search warrants are exactly the same as they have been for years; this proposal would only clarify who the right judge is to issue the warrant.

    I don't know a whole heck of a lot about the "FEE" is, but if this article is representative of their work and/or legal abilities then color me unimpressed.

    --
    Tuck
    Tuck's Journal.
  20. Treason is one reason for the existence of 2nd by mpercy · · Score: 5, Interesting

    Ever heard of that treasonous document that starts out "When in the Course of human events it becomes necessary for one people to dissolve the political bands which have connected them with another and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature's God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation."?

    It goes on to say: "Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn that mankind are more disposed to suffer, while evils are sufferable than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security."

    The signers of the Declaration of Independence and the people who fought for the Colonies independence were committing treason.

    Indeed, the 2nd Amendment self-state purpose is to allow the citizens to preserve their freedom from a despotic federal government that was being formed by the same document. Rather, the government being formed could become despotic and need to be thrown off, and the the 2nd provides the basis for that.

    This is pretty clear from various Founder's explanations, e.g. Alexander Hamliton "[I]f circumstances should at any time oblige the government to form an army of any magnitude[, ] that army can never be formidable to the liberties of the people while there is a large body of citizens, little, if at all, inferior to them in discipline and the use of arms, who stand ready to defend their own rights and those of their fellow-citizens."

    The Framers had *just* completed an armed (and treasonous) insurrection of their own, and were keenly aware of the fact that any government they might form could (and probably would) become despotic. The 2nd at least put a floor under the people's ability to fight back against that potential.

  21. What is actually happening by Etherwalk · · Score: 4, Informative

    I wouldn't be surprised if people put up honeypots on Tor just to mess with 'em, and log all of the output over serial or something so that even if they get in, they can't purge the logs of their attempts.

    Search warrants are still subject to constitutional requirements of reason and due process; this is a procedural rule independent of that.

    It will allow a judge to issue the warrant even if the FBI or police are not sure what judicial district it's happening in. It's important to let a magistrate judge approve a warrant on that basis, because the current rule 41(b) does not provide for it except in terrorism cases. So if you have someone selling hard drugs online, for example, but the government can't tell whether they are located inside the United States or not, this provides a way for them to get a warrant to search.

    See the proposed rule (from last November) on page 111 of http://www.uscourts.gov/uscour...

    The old one is here: http://www.law.cornell.edu/rul...

  22. You do not have to latch if you are innocent by paiute · · Score: 3, Insightful

    My Lord, I request permission to knock in any door in Boston which my men find latched.

    --
    If Slashdot were chemistry it would look like this:Cadaverine
  23. Disaster Recovery! by Mariner28 · · Score: 4, Funny

    Now that the FBI is handling my corporate penetration testing for me, how to I contact the NSA to arrange for online backup/restoral and disaster recovery? What better use of federal corporate taxes! ;-)

    --
    "A little misunderstanding? Galileo and the Pope had a little misunderstanding."