So The FBI Can Just Take A Copy Of All Instapaper User Data With No Recourse?

from the that-doesn't-seem-right dept

We recently wrote about the FBI's server seizures in the hunt for LulzSec, noting the collateral damage that took down servers of a few different popular websites. One of the seized servers was a backup server for the very popular service Instapaper, which many people use to save web pages and other info. While Instapaper's Marco Arment notes that the FBI did return the server relatively quickly, getting the hardware back says nothing about the data: standard forensic practice is to take a full bit-for-bit image of a seized drive before anything is handed back, so it's entirely possible that the FBI now has a copy of pretty much everyone's Instapaper data, which could reveal a lot about some people. Marco lays out what was on the box:

Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. (“Archived” bookmarks are not deleted. “Deleted” bookmarks are hard-deleted out of the database immediately.)

Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.

The server also contained a complete copy of the Instapaper website codebase, but not the codebase of the iOS app.

Linked Facebook, Twitter, or Tumblr accounts only store their respective OAuth keys. Linked Evernote accounts only store the Evernote email-in address. Linked Pinboard accounts, however, store plaintext usernames and encrypted passwords, and the encryption keys are present in the website source code on the server.

So the FBI now has illegal possession of nearly all of Instapaper’s data and a moderate portion of its codebase, and as far as I know, this is completely out of my control.
Marco is quite reasonably pissed off at the hosting company, DigitalOne, which never contacted him about this (before or after the raid, right up until his blog post, days later). Frankly, that's unconscionable. An ISP simply not telling its customer that a server has been seized? Marco is also upset that DigitalOne didn't do anything to stop the seizure. Now, on both of those counts, it's possible that DigitalOne's hands were tied. There's not much a host can realistically do if the FBI shows up with a seizure warrant, even an extremely broad one, and we have seen the FBI use gag orders barring ISPs from talking about what was seized.

But, really, that just goes to show, yet again, the problems with such government seizures when there is no prior adversarial hearing. I recognize that they're looking for evidence that might disappear, but the chance of serious collateral damage, including potentially serious privacy violations, seems pretty high. I'm not sure there's anything he can do about it, but it certainly would make for an interesting lawsuit if either Marco or an Instapaper customer decided to sue the federal government over these seizures.
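To make the security point concrete, here is an added example written for this page; it is not Instapaper's code, and the post describes nothing of Instapaper's internals beyond what Marco says above. It plays the attacker who holds a full image of a server like the one seized: a user table with salted SHA-1 password hashes, plus linked third-party passwords that are reversibly encrypted with a key hard-coded in the application source on the same disk. The function names, the sample accounts, the wordlist and the key are all constructed for the demonstration, and because the post does not say which cipher was used, an HMAC-SHA256 keystream stands in for it. Two things fall out that a practitioner should take from this story. First, the salt in "salted SHA-1" only defeats precomputed tables; weak passwords still fall to a plain offline dictionary run, and a slow, purpose-built password hash (PBKDF2 here) only raises the price of each guess rather than preventing it. Second, a password "encrypted" with a key that lives beside the data is plaintext to whoever images the box, which is why revocable tokens, as the post notes for the OAuth-linked accounts, are the better way to hold third-party credentials.

```python
"""Added example (not Instapaper's code, not from the Techdirt post):
what an offline attacker can do with a seized disk image that holds both
the database dump and the application source with its secret key.

Every record, password, wordlist entry and key below is constructed.
"""
import hashlib
import hmac
import os
import time

# Hypothetical stand-in for a secret key hard-coded in the web application's
# source, as the post says the Pinboard encryption key was. Whoever holds a
# full image of the server holds this too.
APP_SECRET_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
NONCE_LEN = 12


def sha1_salted(password: str, salt: bytes) -> bytes:
    """Salted SHA-1, the password scheme the post describes. The salt stops
    precomputed (rainbow) tables; it does nothing about per-guess cost."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """A purpose-built password hash: same salt, but each guess now costs
    `iterations` HMAC evaluations instead of a single hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_table(hash_fn, passwords):
    """Constructed user table as it would sit in a dump: (email, salt, hash)."""
    table = []
    for i, pw in enumerate(passwords):
        salt = os.urandom(16)
        table.append((f"user{i}@example.invalid", salt, hash_fn(pw, salt)))
    return table


def dictionary_attack(table, wordlist, hash_fn):
    """Offline guessing against the dump: rehash each candidate with the stored
    salt. Returns {email: password} for every account that falls."""
    cracked = {}
    for email, salt, stored in table:
        for guess in wordlist:
            if hmac.compare_digest(hash_fn(guess, salt), stored):
                cracked[email] = guess
                break
    return cracked


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Reversible stand-in cipher: HMAC-SHA256 keystream in counter mode.
    The post only says the Pinboard passwords were 'encrypted'; any
    reversible scheme behaves the same once the key is in the image."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_linked_password(password: str, key: bytes = APP_SECRET_KEY) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, password.encode("utf-8"))


def decrypt_linked_password(blob: bytes, key: bytes = APP_SECRET_KEY) -> str:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:]).decode("utf-8")


def simulate_seizure(hash_fn=sha1_salted):
    """Play the attacker holding dump + source + key.
    Returns (cracked_logins, recovered_linked_password)."""
    user_passwords = ["password", "letmein", "Tr0ub4dor&3xK9!q"]  # last one is not in the list
    wordlist = ["123456", "password", "qwerty", "letmein", "instapaper"]  # constructed
    users = make_user_table(hash_fn, user_passwords)
    cracked = dictionary_attack(users, wordlist, hash_fn)
    # The linked third-party credential decrypts outright: the key came with the image.
    recovered = decrypt_linked_password(encrypt_linked_password("pinboard-pw-hunter2"))
    return cracked, recovered


def seconds_per_guess(hash_fn, guesses: int = 20) -> float:
    """Wall-clock cost of one guess, the number an offline attacker cares about."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"guess{i}", salt)
    return (time.perf_counter() - start) / guesses


if __name__ == "__main__":
    for name, fn in (("salted SHA-1", sha1_salted), ("PBKDF2-HMAC-SHA256", pbkdf2)):
        cracked, recovered = simulate_seizure(fn)
        print(f"{name}: {len(cracked)}/3 accounts cracked, "
              f"{seconds_per_guess(fn) * 1e6:.0f} us per guess; linked password: {recovered}")
```

Run it directly to see the crack counts and the per-guess cost of the two hashes side by side. Both schemes lose the two accounts with dictionary passwords; only the cost per guess differs, and the linked password comes back regardless of how the user table was hashed.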

Filed Under: datacenter, fbi, privacy, seizures
Companies: instapaper


Reader Comments


  • ChurchHatesTucker (profile), 24 Jun 2011 @ 6:53pm

    Frak that!

    And we have seen the FBI use gag orders barring ISPs from talking about what was seized.

    Ignore it.

    Gorram it, we have to start exercising free speech if we expect to keep it.


    • Anonymous Coward, 24 Jun 2011 @ 8:41pm

      Re: Frak that!

      Check your window. There's a van parked outside. Offer the two guys with headphones coffee.


  • out_of_the_blue, 24 Jun 2011 @ 6:57pm

    So don't use online storage!

    Would never occur to me, as I came out of the dark days when the Personal Computer freed us from time-sharing on a centralized computer. Now everyone is hot to let a central system (euphemized as "the cloud") store all their vital and personal data -- FREE for the plucking by anyone, too. Drawbacks are obvious and particular gotchas seem to be discovered almost daily; I see no /point/ let alone advantages to it.


  • Anonymous Coward, 24 Jun 2011 @ 6:58pm

    Encrypt Your Data People

    It's kinda sad about the fourth amendment. You have to assume that any data of yours, stored at any place not under your direct control, could fall into the hands of any security service, any law enforcement organization or any criminal, at any time. Your only defense is to use strong encryption at all times. Do not purchase any service which does not give you strong encryption as standard, with the key under your control.

    Key security and management is your problem, which you need to solve locally. If you use the world's least secure operating system, namely Windows, on any server or your management console, it is game over, you lose. Be careful. The only person looking after your interests is you. Never forget that.


  • mrdarkrai (profile), 24 Jun 2011 @ 7:52pm

    Tell me

    what is the difference between this action and LulzSec's?


    • teka, 24 Jun 2011 @ 7:58pm

      Re: Tell me

      The FBI used guns and "laws" (the threat of both immediate and delayed violence).

      LulzSec used the security failings of others.


    • velox (profile), 25 Jun 2011 @ 10:52am

      Re: Tell me

      LulzSec didn't physically remove property belonging to an innocent party


  • Anonymous Coward, 24 Jun 2011 @ 8:59pm

    Mike, you need to be talking with Alex Jones. Half your articles are highly related to the police state and Nazi government control. How come no one reacts to such blatant disregard for the law? Oh right.. because they make up laws as they go. Land of the free, huh? More like land of the pwned.


  • molecule (profile), 24 Jun 2011 @ 9:01pm

    So The FBI Can Just Take A Copy Of All Instapaper User Data With No Recourse?

    I'll go w/: Yes?

    what did I win? hey, where are you going w/ my server?


  • Peter, 24 Jun 2011 @ 9:33pm

    Re: Tell me

    "what is the difference between this action and LulzSec's?"

    I guess there isn't much difference between the two. The FBI is no better than Lulz Security. That's the moral of this story.


  • Tim, 24 Jun 2011 @ 10:27pm

    Lulz

    The difference is LulzSec is committing a federal crime each time they DDoS someone.

    And if you are going to blame anyone, blame Lulzsec for this. And you can mark my words, things will just get far worse, all thanks to "Lulzsec". We are going to lose most rights that we have now.


    • The eejit (profile), 25 Jun 2011 @ 12:05am

      Re: Lulz

      Wow, all other Time must be ashamed of themselves.

      There is this funny little thing called the Second Amendment. I strongly advise you to use it before you lose it.


    • Jeni (profile), 25 Jun 2011 @ 4:20am

      Re: Lulz

      You can't blame LulzSec for the actions of the overreaching FBI. Stop being ridiculous.


    • Bengie, 26 Jun 2011 @ 10:46am

      Re: Lulz

      The FBI is committing treason... your point?


  • Nicedoggy, 24 Jun 2011 @ 10:59pm

    About encryption, I want to note that current encryption algorithms probably will last 10 to 20 years before they can be easily brute forced, so encryption only buys time in the case of static storage.


    • freak (profile), 25 Jun 2011 @ 5:12am

      Re:

      HAHAHAHA.

      haha.

      ha.


      Current encryption technology would require the entire universe acting as a computer with each atom as a transistor, for the entirety of time so far to crack only (on average) 10,000 256-bit encryptions.
      I haven't done that calc in a while, (it's somewhere in the comments on a past story here), but I believe that calc also assumed the universe was solidly packed instead of mostly 'empty'. If that's the case, then the real calc would be somewhere closer to 10^-18 256-bit encryptions could've been broken.


      Anyways, I don't think you mean 'brute-force', but I will allow the possibility that current algorithms might possibly be cracked in twenty years. I doubt it, but I won't deny the possibility.


        • leichter (profile), 25 Jun 2011 @ 7:13am

          Re: Re: Re:

          A meaningless comparison. Key length is one of those obvious things - after all, it's just a number and bigger is clearly better, right? - that leads people astray all the time. The thing to keep in mind is that what matters is not the *number of bits in the key*, it's the number of possible distinct keys. If I told you "I use AES-256 for absolute security, but it's easy for me to remember the key: I only choose keys between 1 and 1000" - well, that's obviously not very secure: You can guess my key in at most 1000 tries!

          For a system like AES, every possible 128 (or 192 or 256) bit combination is a valid key. The strength of the system (against a brute force attack!) can be read directly off the number of bits. No conceivable computer will ever be able to attack a 256-bit key, and personally I cannot imagine a situation where a 128-bit key could be brute-forced.

          For a system like RSA, only very special combinations of bits correspond to valid keys. An AES key is just a bunch of bits, while an RSA key, as a number, has to be the product of exactly two prime numbers in a particular range, with special properties to boot. Even then, there would be too many values to try in a pure brute force fashion, but because of the necessary mathematical properties of an RSA key, no one does that. Instead, they use more efficient techniques that rely on those mathematical properties. A 1024 bit RSA key requires about as much computational effort as an 80-bit AES-like key. That's why the current recommendation is for at least 2048 bits (roughly the equivalent of 112 AES-like bits), though that's considered pushing it a bit. To get to the equivalent of a 128-bit AES key, you need a 3072-bit RSA key; to match AES-256, you need a 15360-bit RSA key! Such keys actually get used today. In 2005, if you combine published estimates, experts were predicting that 1024-bit RSA should be phased out by 2010 (though high-value uses should move faster). OK, so half way through that period, *one* 1024-bit RSA key was broken ... though in fact even that isn't true. (Breaking an RSA key amounts to factoring a large number into its two constituent primes. What the link points to was a successful factorization of a very specially chosen number - 2^1039-1 - for which even better mathematical techniques are known. Even so, it took the equivalent of 100 years of computer time. An indication that it was time to move on from 1024-bit keys? Absolutely. A practical "break" for massive numbers of RSA keys? Not quite.)

          An alternative to RSA is elliptic curve crypto (ECC), which has the same public-key properties but can use many more possible combinations of bits in a key, so can get by with dramatically shorter keys. In fact, to get the ECC equivalent of n-bit AES, you need 2n-bit ECC.



                                                                  -- Jerry


          • Nicedoggy, 25 Jun 2011 @ 4:33pm

            Re: Re: Re: Re:

            There is another post that didn't make it through the filter where I apologized for the use of "brute-force" to describe how people could undo the encryption.

            Still in the 90's I believe the most used encryption was still DES not AES.

            If you get something with a DES or RSA one probably can decode it.
            http://www.sciengines.com/copacobana/

            Also even AES has some shortcomings: if people use passwords that are less than 32 characters in length, rainbow tables could make it easy to find the correct one. In that case you are attacking the encryption by its sides, and who knows how it was implemented; there could be problems in the implementation even if the theory is flawless, like the Debian/Ubuntu OpenSSL Random Number Generator Vulnerability.

            Now I read somewhere that even the government is considering use of ECC because they don't see AES being secure for long, but that is from memory and I could be wrong.


          • Nicedoggy, 25 Jun 2011 @ 4:55pm

            Re: Re: Re: Re:

            I also want to note that DES at one time was considered flawless and unbreakable until people found weaknesses in it.

            Can anyone here guarantee that AES and ECC will endure the test of time?

            Wikipedia also explains the problems in their page about brute-force.

            http://en.wikipedia.org/wiki/Brute-force_attack


      • Nicedoggy, 25 Jun 2011 @ 5:36am

        Re: Re:

        Hmmm...you got me there on the brute-force thing though, it is infeasible at the moment for current computers to do it, so you are correct, what I was thinking about was all those mathematical ways people could use to crack the encryption, my apologies.


      • Almost Anonymous (profile), 25 Jun 2011 @ 10:01am

        Re: Re:

        Quantum technology will reduce those times by orders of magnitude, and quantum computers are just around the corner...


        • Josh in CharlotteNC (profile), 27 Jun 2011 @ 11:52am

          Re: Re: Re:

          I predict that workable quantum computers that can perform orders of magnitude faster than standard computers will be "10 years away" once we have workable fusion power generators that supply significant power to the world.


  • Anonymous Coward, 24 Jun 2011 @ 11:02pm

    Does anyone have proof that the FBI copied all of the data? Does anyone know what was named as part of the warrant? Did that hacker dude in the UK admit to using instapaper to share ideas with others?

    There is an incredible lack of information here for anyone to be making claims against the FBI.


    • Nicedoggy, 24 Jun 2011 @ 11:06pm

      Re:

      What part of "it's possible" or "potentially serious" don't you understand, son?


      • Anonymous Coward, 24 Jun 2011 @ 11:44pm

        Re: Re:

        It's possible. It's also possible that monkeys will fly out of your butt. But since it isn't likely, you don't worry about it much. It is equally unlikely that the FBI copied content from servers that they don't have a warrant for, once they have determined what the server is and what it is used for.

        That of course would also depend if instapaper was used for less than honest purposes. At that point, yes, the FBI might have a copy of it all pending investigation by their experts.


        • Nicedoggy, 25 Jun 2011 @ 12:01am

          Re: Re: Re:

          When did you see law enforcement passing on the opportunity to snoop on others?

          When?

          It's not only likely, but most certainly the agents copied everything before giving it back, even if it was to take a look at the contents later to find something they could use as leverage if those people sue.

          What is unlikely is that they didn't copy it.

          Now I ask you again, what part of "It's possible" don't you understand?

          The post didn't accuse the FBI of anything, but it was concerned about those possible and most probable scenarios and why there is no means to address those issues.


        • Anonymous Coward, 25 Jun 2011 @ 6:39am

          Re: Re: Re:

          No, that's not possible (nor probable). At most you will only get one monkey out of my butt. My abdomen and intestinal tract are only so big, I'll allow that a single monkey "might" be squeezed in there, but not multiple. Unless of course, you're positing that a heretofore unknown species of pygmy monkeys is living up there. However, I believe (and I could be wrong) that you're stretching the definition of the word possible at this point.

          But thanks for playing...


      • Anonymous Coward, 25 Jun 2011 @ 6:40am

        Re: Re:

        "So The FBI Can Just Take A Copy Of All Instapaper User Data With No Recourse?"

        Where in this title does it say "it's possible"?


    • Anonymous Coward, 25 Jun 2011 @ 6:35am

      Re:

      "There is an incredible lack of information here for anyone to be making claims against the FBI."

      That doesn't matter to the "followers of Mike". You are supposed to just say Moo and follow the herd.

      Like this: My rights are at stake here. The government is trying to do away with the constitution. We need more transparency. The law enforcers shouldn't be allowed to do anything without getting permission from the supreme court first.


      • velox (profile), 25 Jun 2011 @ 11:33am

        Re: Re:

        '..."followers of Mike". You are supposed to just say Moo and follow the herd. '

        You apparently, and quite foolishly, appear to believe that Mike simply tells his readers what to think.
        --->You don't happen to work in the old-media Broadcast business do you?

        There are many people who have opinions similar to Mike, and they choose to express themselves in the comment sections here. In case you haven't noticed, they also express themselves in the comment sections of many major newspapers around the country. Mike's ideas are not rare or unusual. Unfortunately editors around the country don't seem to be paying much attention.
        Everywhere I go, I hear people of all economic positions talking about the government's assault on civil liberties. The political parties had better watch out because this isn't a liberal thing, and it's not a conservative thing, it's a fed-up American thing. It's high time that both Repubs. and Dems. stopped telling us that meekly surrendering our liberty is the Patriotic thing to do.


        • Anonymous Coward, 25 Jun 2011 @ 1:26pm

          Re: Re: Re:

          You said: "You apparently, and quite foolishly, appear to believe that Mike simply tells his readers what to think"

          Me: You don't think so? Re-read the site with an unbiased eye, and you will see plenty of attempts to tell people what to think. Many of the posts in the last couple of weeks have involved trying to re-frame discussions, by trying to significantly expand definitions, to ignore basic court rulings, and generally to try to paint a picture that isn't entirely realistic.

          Much of it is done by parroting anti-copyright sites like Torrent Freak, which has some truly biased "reporting" on their site.

          The rest is typically done by mocking reports that he doesn't agree with, or carefully playing with quotes and reports to draw conclusions that are just not clearly supported by the data, or that have other way more plausible answers.

          There are many people with a similar opinion as Mike. They ignore the laws unless they favour their cause, they always say "the judge got it right" when they block some action, and "the *AA's paid off another judge" when the results aren't in their favor.

          It's fun to watch them go, fun to watch them post comments here. It's even funnier when you find one or two of them actually working in the mass media, and making their living from companies that use and apply copyright to their work.


          • JMT, 25 Jun 2011 @ 2:40pm

            Re: Re: Re: Re:

            Of course if you were a blogger instead of an anonymous coward, your blog would be completely unbiased, state only facts but no opinions, never use any other websites for source info, not allow any dissenting comments, and not make any speculations based on previous experience. And it would be such a thrilling read...


            • darryl, 26 Jun 2011 @ 1:21am

              Re: Re: Re: Re: Re:

              So it is ok for mike to be biased because he is a 'blogger', good one LOL...


              • JMT, 26 Jun 2011 @ 2:07pm

                Re: Re: Re: Re: Re: Re:

                Of course it is, this is an opinion blog. Where on earth does it say he can't be biased?


          • velox (profile), 25 Jun 2011 @ 2:42pm

            Re: Re: Re: Re:

            ... parroting anti-copyright sites like Torrent Freak...
            I wouldn't know if you are correct about this or not. I've never read Torrent Freak in my life.

            I happen to think it more interesting (and alarming) to watch the media apologists here blithely promote any new proposal which makes copyright more onerous and rigid regardless of what the consequences are for civil liberties in this country.

            Constitution...schmonstitution seems to be the attitude.
            The perfect case in point is Mr. Dark Gray Snowflake above in this thread.

            If you happen to know anything about the circumstances which brought our country into existence, and if you know anything about the circumstances through which other countries who have had freedom lost theirs, you just can't help but be concerned by the 'damn the consequences' attitudes displayed by media company defenders here. The restrictions of freedom that are being proposed may have consequences that could extend far beyond the sphere of the media in years to come. Remember the proposals being made aren't just theoretical. They involve laws and establish precedents that would give government the legal right to do things which it has never had either the right nor the technical capability to do in the past.


          • Albert, 25 Jun 2011 @ 8:10pm

            Re: Re: Re: Re:

            You really should try including some links to support your arguments.


          • darryl, 25 Jun 2011 @ 11:11pm

            Re: Re: Re: Re:

            well said, sir, but it won't change a thing for Mike, he is quite happy stuck in his own little rut, with his merry band of die hard followers/worshipers.

            Typical is their TAM comments "The Anti-Mike", which has to mean they too consider Mike to be some form of God or deity for there to be possible an "anti-Mike".

            Sure, if Mike is your Christ, and you feel that people who do not follow the church of Mike would be considered TAM (THE ANTI-MIKE) or the Anti-Christ.

            I am glad all you Mike followers have such faith in his sermons, and preaching at you.


            • Niall (profile), 27 Jun 2011 @ 4:15am

              Re: Re: Re: Re: Re:

              Ok, daft darryl logic #235358979.

              'Anti' simply means 'against'. Yes there is a construction "anti-Christ" meaning "opposed to Christ". However, using "Anti-Mike" to mean "against Mike" (on anything and everything, without logic) does not somehow mean we are expanding Mike to god-like proportions. No-one here feels any need to deify Mike - if anything, it's the trolls who seem to feel the need to turn him into a baddie of Satanic proportions!

              Honestly darryl, try and stay in the shade more ;)


            • Marcus Carab (profile), 27 Jun 2011 @ 7:05am

              Re: Re: Re: Re: Re:

              Uh, newsflash darryl - we call TAM "The Anti-Mike" because HE created an account called that about a year ago. He even used a colour-inverted photo of Mike for his avatar.

              I think he's the one with religious delusions, not us.


    • techflaws.org (profile), 25 Jun 2011 @ 10:13pm

      Re:

      There is an incredible lack of information here for anyone to be making claims against the FBI.

      Apart from all their previous such behaviour in the past, you mean?


    • Anonymous Coward, 26 Jun 2011 @ 4:17pm

      Re:

      Does anyone have proof that the FBI did not copy all of the data on the seized server?

      I am sure that they made a full forensic clone of the hard drives on that server and are going through that data right now.


  • Nicedoggy, 24 Jun 2011 @ 11:04pm

    About encryption, I want to note that current encryption algorithms probably will last 10 to 20 years before they can be easily brute forced, so encryption only buys time in the case of static storage, so please don't store criminal activity in files that could be open 20 years later and have no statute of limitations :)


    • Anonymous Coward, 24 Jun 2011 @ 11:57pm

      Re: Encryption

      Encryption actually does not have to be very good and it defeats the security services. Get yourself an encryption key which is several thousand bits long and truly random, then the dear old XOR the plaintext with the key, over and over, will work just fine. Back that up with prior data compression and a spot of running it through AES and the codebreakers are SOL. They could be up for $trillions to have any hope of brute forcing it. Not going to happen.

      Remember how hissy various pollies got about not being able to read Blackberry messages? Have you noticed the slow progress on cleaning up botnets? The botmasters are protecting themselves with encryption. It's working just fine for those guys, and they have plenty of very determined opposition.


      • Nicedoggy, 25 Jun 2011 @ 12:11am

        Re: Re: Encryption

        Have you a text encrypted in 1990?
        I bet any computer today can brute force that baby in seconds.

        Since computers double processing power every year or so, even those thousand bit long encryption keys will not be that secure in 20 years.

        Not to mention unknown vulnerabilities that could be uncovered in the future.

        So unless you have encrypted content that can re-encrypt itself every year with the latest encryption and patch itself against vulnerabilities, or use some type of death algorithm that depends on pieces from other places that go away with time, rendering it completely useless, sooner or later people will be able to open that file.

        I like to think of static encrypted files as time-capsules.


        • Anonymous Coward, 25 Jun 2011 @ 10:36am

          Re: Re: Re: Encryption

          im pretty sure public key cryptography has not changed that much since the 90's... as I recall, the pgp cypher that Assange wrote is still damn near impossible to crack... 20 years later.

          can someone correct me if this is wrong?


          • Griff (profile), 25 Jun 2011 @ 3:13pm

            Re: Re: Re: Re: Encryption

            Wasn't that Phil Zimmermann?
            What part did Assange play? I can find no references for that.


          • Nicedoggy, 25 Jun 2011 @ 3:58pm

            Re: Re: Re: Re: Encryption

            As freak said on Jun 25th, 2011 @ 5:12am, brute-force in the traditional sense will be impossible, but that encryption can be broken today by other means as pointed out in this article from 2007:
            http://arstechnica.com/old/content/2007/05/researchers-307-digit-key-crack-endangers-1024-bit-rsa.ars

            As to the changes in how they were encrypted, you are correct it didn't change that much; some bugs were found that I read about and people started using longer keys. In the '90s the best that people were commonly using, I believe, was 124 bit encryption; today we can have supercomputers in our homes that can achieve the necessary raw power to factor those numbers, so I don't believe they are secure anymore. If people are really interested they would be able to open the file; also most people don't use really secure passwords, so rainbow tables are an option that can open a file in minutes given a large enough table.


  • Caliburn, 24 Jun 2011 @ 11:08pm

    I'd sue.

    I'd happily take the stress of it and sue the FBI into the dark ages. By the time I was finished with them, they'd stop this crap.

    SUE THE FUCKERS! SET A PRECEDENT!


    • Jay (profile), 25 Jun 2011 @ 12:12am

      Re: I'd sue.

      There's actually already a precedent. It's just that people see the NSL letter and forget to sue the FBI on reaching so far.


    • Jeni (profile), 25 Jun 2011 @ 4:25am

      Re: I'd sue.

      What I was thinking (minus the F bomb).

      Edmund Burke said "all that is necessary for the triumph of evil is that good men do nothing".


  • Viln (profile), 25 Jun 2011 @ 12:02am

    I'm with Marco...

    I'm rather shocked that the on-site technicians at this data-center allowed the FBI to take a dozen boxes when the warrant clearly stated (presumably) one or two. I don't mean attempting to physically prevent them or civil disobedience... it's unthinkable that the FBI would send a team of officers to seize servers and not include at least one technician with the ability to determine which ones were which, so when a company very strongly protests you touching things not mentioned in your warrant and offers every means of assistance in locating and extracting the correct items and you ignore it and take the rack anyway... you create wiggle room for a lawsuit where otherwise no judge in today's Patriot Opera world would bother to squeeze. The companies involved in hosting and storing these servers were put in a tough situation and I sympathize, but it smells like somebody rolled way too easily and these companies deserve an exodus of subscribers. If enough of a stink is made now, the next time you can be sure someone along the chain of command will say "be precise, don't make me deal with another two weeks of internet and press frenzy".


  • A Guy, 25 Jun 2011 @ 12:07am

    I would hope that the FBI did not copy a server they have no warrant for. On the other hand, the company shouldn't be in a position that they have to take the FBI's word for it. Take them to court. Make them swear under oath that no copy of the server was made. It may take time, but it shouldn't be too hard to find the truth out in a relatively cheap way if the company is concerned. If they want to get it out of the way quickly and cheaply, your data is probably safe. If they cite "ongoing investigations" or "national security" in court filings, your data is now in the possession of the FBI and they are probably already analyzing it.


    • darryl, 25 Jun 2011 @ 7:05pm

      Re: But Mike says you cannot 'steal' data, and that copying it is OK, because you don't take away from the original.

      I would hope that the FBI did not copy a server they have no warrant for.

      NO they would not have done that (copy a server) they would have simply taken a complete image of the entire contents of the hard drives. No biggie, they get their server back.

      And according to Mike, you cannot 'steal' data, therefore the FBI did NOTHING that Mike should be able to disagree with... Right, Mike???


      • techflaws.org (profile), 25 Jun 2011 @ 10:17pm

        Re: Re: But Mike says you cannot 'steal' data, and that copying it is OK, because you don't take away from the original.

        Dumb Daryl is dumb.


      • Jeni (profile), 26 Jun 2011 @ 4:57am

        Re: Re: But Mike says you cannot 'steal' data, and that copying it is OK, because you don't take away from the original.

        You have GOT to be kidding.

        This is people's personal data we're talking about, not a movie or song that's out there for the purpose of public viewing/listening.


      • Niall (profile), 27 Jun 2011 @ 4:45am

        Re: Re: But Mike says you cannot 'steal' data, and that copying it is OK, because you don't take away from the original.

        Well, technically it wasn't 'stolen' - but it was quite possibly illegally accessed - i.e. 'hacked' ;) Not to mention the copyright issues...

        ... shouldn't ICE be taking down the FBI website in 3...2...1...? ;)


  • ScytheNoire, 25 Jun 2011 @ 12:42am

    Welcome to Corporatocracy

    The Constitution only applies when it protects Corporations or the American Government (which is a corporation itself).


    • darryl, 25 Jun 2011 @ 7:08pm

      Re: Welcome to Corporatocracy

      Considering the Constitution was written by some of the biggest industry and corporate leaders in the US at the time, you expect anything less?


  • darryl, 25 Jun 2011 @ 1:05am

    SHA-1 (salted) hashes - trivial to crack with GPGPU (graphics processors)

    "Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe."

    Yes, 'relatively safe' means at least 10 seconds or less to crack. Probably sub 1 second....

    Post 1002 on TD..


  • darryl, 25 Jun 2011 @ 1:10am

    Bye Bye Cloud Computing

    Once again, it failed in the 50's it will fail again in 2011.


    • Gwiz (profile), 27 Jun 2011 @ 8:19am

      Re: Bye Bye Cloud Computing

      Quote:
      Bye Bye Cloud Computing
      Once again, it failed in the 50's it will fail again in 2011.


      Lolwut?

      My guess is that a stab at "cloud computing" in the 50's would have failed mainly because there were only about 6 "computers" at the time and they filled warehouse sized rooms with their vacuum tubes. Just sayin'.


  • darryl, 25 Jun 2011 @ 1:16am

    Answer to your question --- easy...

    So The FBI Can Just Take A Copy Of All Instapaper User Data With No Recourse?

    Judging by the rest of the comments you made after that question, and by you posing that question in the first place.

    I feel you are seeking an answer for something you lack understanding in, so for you I will make it simple.


    apparently


    capable of being easily perceived or understood; plain or clear; obvious:


  • Martin, 25 Jun 2011 @ 2:18am

    Lessons learnt?

    Has Marco Arment learnt any lessons?

    SHA-1? No encryption of user data? Come on!

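On darryl's point a few comments up that salted SHA-1 falls to a GPU in seconds, and Martin's "SHA-1? No encryption of user data?": the following is an added example, not code from Instapaper, from Marco Arment or from any commenter in this thread. It runs one and the same dictionary attack against a user table hashed with salted SHA-1 (the scheme Marco describes) and against a table hashed with PBKDF2-HMAC-SHA256, a deliberately slow, tunable password hash. The accounts, the wordlist and the iteration count are constructed for the demo. The point it makes: the stored salt forces the attacker to redo the work for every user, which kills precomputed rainbow tables, but it does nothing to the cost of a single guess, and a single SHA-1 is cheap enough that a GPU tries billions of guesses per second against each hash. A slow hash does not stop weak passwords being found either, but it multiplies the attacker's cost per guess by the work factor, which is the only lever the defender has; a passphrase that is not in the wordlist survives both.

```python
"""Added example, not Instapaper's code: the same dictionary attack against
salted SHA-1 and against a slow password hash. Accounts, wordlist and the
iteration count are constructed for the demo."""
import hashlib
import hmac
import os

# Constructed wordlist. Real attacks use lists of hundreds of millions of
# entries; a GPU evaluates plain SHA-1 billions of times per second.
WORDLIST = ["password", "letmein", "123456", "qwerty", "summer2011", "instapaper"]

# Constructed accounts. Carol's passphrase is deliberately absent from WORDLIST.
ACCOUNTS = [
    ("alice", "letmein"),
    ("bob", "summer2011"),
    ("carol", "battery staple orbit 7"),
]

# Assumption: an illustrative work factor. Production values are tuned to the
# server's hardware and raised as attacker hardware improves.
PBKDF2_ITERATIONS = 100_000


def sha1_salted(password: str, salt: bytes) -> bytes:
    """The scheme described in the post: a single SHA-1 over salt || password."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def pbkdf2_slow(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """A slow, tunable password hash. bcrypt, scrypt or Argon2 serve the same
    purpose; PBKDF2-HMAC-SHA256 is used here because it ships with hashlib."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_table(hash_fn):
    """Rows as a server stores them: (username, salt, digest). The salt sits in
    the clear next to the digest; that is how per-user salting works."""
    table = []
    for name, password in ACCOUNTS:
        salt = os.urandom(16)
        table.append((name, salt, hash_fn(password, salt)))
    return table


def dictionary_attack(table, hash_fn, wordlist, cost_per_guess=1):
    """Attacker's loop: re-hash every guess with the row's own salt and compare.
    Returns (recovered passwords, primitive operations spent). The salt forces
    the work to be redone per user, so no shared rainbow table helps, but it
    makes no single guess more expensive."""
    recovered = {}
    work = 0
    for name, salt, digest in table:
        for guess in wordlist:
            work += cost_per_guess
            if hmac.compare_digest(hash_fn(guess, salt), digest):
                recovered[name] = guess
                break
    return recovered, work


def compare_schemes(wordlist=WORDLIST):
    """Run the identical attack against both schemes and report the cost."""
    fast_found, fast_work = dictionary_attack(
        make_user_table(sha1_salted), sha1_salted, wordlist)
    slow_found, slow_work = dictionary_attack(
        make_user_table(pbkdf2_slow), pbkdf2_slow, wordlist,
        cost_per_guess=PBKDF2_ITERATIONS)
    return {
        "sha1_recovered": fast_found,
        "sha1_work": fast_work,
        "pbkdf2_recovered": slow_found,
        "pbkdf2_work": slow_work,
        "slowdown": slow_work // fast_work,
    }


if __name__ == "__main__":
    r = compare_schemes()
    print("salted SHA-1: recovered", r["sha1_recovered"], "with", r["sha1_work"], "SHA-1 calls")
    print("PBKDF2:       recovered", r["pbkdf2_recovered"], "with", r["pbkdf2_work"], "HMAC calls")
    print("same guesses either way; the slow hash costs the attacker",
          f"{r['slowdown']}x more per guess, and carol's passphrase survives both")
```

Both tables give up the same two weak passwords after the same number of guesses; only the cost per guess differs, by the full iteration count. In practice the choice today is bcrypt, scrypt or Argon2 with a work factor measured against your own hardware; PBKDF2 appears here only because it needs no third-party package.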

  • Anonymous Coward, 25 Jun 2011 @ 3:28am


  • darryl, 25 Jun 2011 @ 4:47am

    It's as simple as "good" and "evil"!!!! LOL

    Darryl Says

    "all that is necessary for good to triumph is that evil men do nothing"

    (or "a good man doing nothing in the face of evil, is evil, and therefore no longer Good").


    • Jeni (profile), 25 Jun 2011 @ 5:06am

      Re: It's as simple as "good" and "evil"!!!! LOL

      That makes no sense, Darryl.


      • darryl, 25 Jun 2011 @ 6:52pm

        Re: Re: It's as simple as "good" and "evil"!!!! LOL

        No, it makes no sense TO YOU!!!

        there is a difference.


      • darryl, 25 Jun 2011 @ 6:58pm

        Re: Re: It's as simple as "good" and "evil"!!!! LOL

        I will try to make it clearer for you :)

        say a "good man" is walking on the street, and he sees a crime being committed against someone.

        If that good man "does nothing" he is allowing evil to triumph.

        A good man doing nothing in the face of evil is therefore not a good man, but is in fact evil.

        So then a "good man" would NEVER DO NOTHING in the face of evil!

        So to say 'for evil to prevail good men do nothing' is incorrect, because the act of 'doing nothing' means in this situation they are in fact NOT 'good men', and if the choice is either good or evil, and they are not 'good', therefore they must be evil.


        once again, that is fine, but please if it does not make sense to you, state it does not make sense to you.

        But it certainly does make sense to at least some people.


        • Jeni (profile), 26 Jun 2011 @ 4:55am

          Re: Re: Re: It's as simple as "good" and "evil"!!!! LOL

          But darryl, the inherent nature of a good person means they could not stand by and allow someone to be harmed, or not help someone they see in need, etc. if there was anything within their power they could do to help. Their conscience would not allow them to simply "do nothing".

          I guess true goodness is even more rare than I thought, if that's too much for people to grasp.


        • Niall (profile), 27 Jun 2011 @ 4:48am

          Re: Re: Re: It's as simple as "good" and "evil"!!!! LOL

          That bit made sense, but your reframing of the original quote didn't. I don't think 'good' happening is simply the lack of 'evil' acting. "All cats are grey in the dark" does not mean "All things that are grey in the dark are cats". Basic logical fallacy.


  • The Devil's Coachman (profile), 25 Jun 2011 @ 5:04am

    I guarantee the FBI copied every last bit on everything.

    Not only that, but they will undoubtedly use the copied data to expand their scope of investigation far beyond what the original warrant permitted (if there actually was a valid warrant at all). This is the type of "collateral damage" that we can expect from their nefarious activities, and what's more, they probably won't find anything about their purported perp - Lulzsec.

    This is what they do, and with impunity. The ISP is at fault for failure to notify its clients, and the use of "gag orders" and other such nonsense is something one would expect in a fascist, totalitarian state. Sorry folks, but the US populace is screwed, totally, and forever. Your government thanks you, and expects your continued "cooperation". Now bend over, and "cooperate"!


  • Michael Lockyear, 25 Jun 2011 @ 6:31am

    The FBI will no doubt go unpunished for what is in essence theft.

    Ironically, it is this sort of unpunished behavior that gave rise to groups like WikiLeaks, Anonymous and LulzSec in the first place.


  • Gene Cavanaugh (profile), 25 Jun 2011 @ 9:52am

    FBI seizures

    I am a veteran, and I was quite willing to give my life for my country, which I admired deeply.
    However, this sounds more like the gestapo under Hitler than American. I am not sure I would be willing to serve, and certainly not willing to "give up my life", for a country that allows such things.
    I can only hope the American people (with the help of the blogs - certainly no help from the news media!) will someday come to their senses, and take steps to stop this sort of thing.


  • Thomas (profile), 25 Jun 2011 @ 10:09am

    The FBI will..

    definitely look at their copy of the database to search for "terrorists", but will probably just go ahead and see what they can find. I'm sure they won't have a problem breaking the encryption. The spooks don't really pay attention to constitutional protection any more; they now feel that "hunting for terrorists" justifies anything they want to do. Maybe we should just refer to all the federal spooks as the American Gestapo.


    • darryl, 26 Jun 2011 @ 1:37am

      Re: The FBI will..

      And you think terrorists use the word "terrorists" so much that a simple word search for that word would root out all known terrorists?

      Or that no other person or group would ever use that word?

      Oh no, I just did, so am I a terrorist now?


      • Niall (profile), 27 Jun 2011 @ 6:24am

        Re: Re: The FBI will..

        He said 'hunting for (information on) "terrorists"', not 'hunting for the *word* "terrorists"'!

        Do you EVER have anything positive to say about any non-troll/shill posts?
        Do you even *read* other people's posts?


  • Urza9814, 25 Jun 2011 @ 2:10pm

    Sue 'em.

    I hate to say this, but if the FBI does in fact have this data, maybe they should learn from the MAFIAA. Sue the FBI for copyright infringement. They had no warrant or right to copy or even possess that data.


  • Wolfy, 25 Jun 2011 @ 2:51pm

    I wonder if anyone is providing a hosting solution where, if someone tries to seize a server, a relay could be tripped (say, by the receptionist) turning on a huge electromagnet built around the hard drives, wiping them where they sit. The selling point being you may lose your data, but no one else is, by damn, going to get it.


  • darryl, 25 Jun 2011 @ 9:07pm

    They have your hashes, they have your password and all your data.


    • Nicedoggy, 26 Jun 2011 @ 1:36am

      Re: They have your hashes, they have your password and all your data.

      Quote:
      Is an IT manager really going to manage to get the CFO to log in using “fR4; $sYu 29 @QwmQz” without the combination ending up on a Post-it note in his wallet?


      I have been thinking about that for a while and the best way to keep it secure and non-static that I could think of was Paper Keys.

      One could get new encryption keys to everyone just by printing them and distributing those or uploading to their trusted cellphones(not recommended though) or a dedicated device that is designed to hold the keys.

      One can print those in stickers that can be put on keychain, the thing is that it requires the machine to have a camera.

      RFID could be used for the same purpose but they leak through the walls and can be grabbed on the streets.

      Now, using paper keys along with a password would be a two-layer protection instead of the one we have today: any attacker would have to have the password and the digital key, which can be updated several times per week or day. If people get really paranoid they could use another layer, maybe biometrics, but for casual users you could create really big passwords and store them in 2D barcodes like QR codes and use those to sign in to services. The advantage is that the size of the password and its composition will no longer matter; the bad is that if you lose that piece of paper you are screwed.

      Password change can be automated and probably would reduce the number of weak passwords on a real environment.

      Maybe people should start making e-ink keychains like USB thumb drives: on one end you have your USB connection that goes into the computer and gets uploaded with the keys, and on the other end, when you push the button, it pops out a little e-ink tongue that displays the key with the name of the key, so people can use another button to cycle through 10 or more keys.

      It would even work with third party websites for those who already use a e-wallet that stores their passwords it could authenticate against the password from the paperkey and every time you login to a service it changes the password automatically.

      And of course passwords could be generated to be 256 characters long using symbols, now that would take a long time to brute force.


  • darryl, 26 Jun 2011 @ 1:33am

    FBI does not need the passwords anyway !

    It's all a pointless argument anyway about password security; that security is only to stop any other user of the service from accessing someone else's data.

    It does not stop someone with system admin rights from viewing all the data files that are on the server in PLAIN TEXT!

    So they don't even have to crack the passwords to access the information that people are storing on their servers.


