FBI Quietly Returns Anonymizing Server It Seized... Without Telling Anyone

from the but-the-whole-thing-was-caught-on-video dept

You may recall the uproar a few weeks ago when the FBI seized a server used by activists to keep their information anonymized. The server was used by Riseup Networks and May First/People Link. The FBI claimed it needed it as a part of an investigation into bomb threats at the University of Pittsburgh, but it was quite disruptive for lots of legitimate users. And, of course, seizing the server did nothing to stop the bomb threats, which kept coming.

However, the story is now getting more bizarre, as the FBI appears to have simply put the server back in the cabinet without telling anyone -- but the whole thing was caught on video (found via Slashdot).

The feds seem to be getting into a bit of a habit of seizing things through cluelessness and then sheepishly returning them later. Still, the folks who own the server are quite reasonably uncomfortable about using it again:
May First/People Link has removed the server from the facility and is in the process of analyzing it. The server will not be put back into production.

Filed Under: bomb threats, fbi, seizure, university of pittsburgh
Companies: may first/people link, riseup networks


Reader Comments

  • MonkeyFracasJr (profile), 4 May 2012 @ 9:49am

    Will not be put back into production ...

    It would be a 'hoot' to hear later that they found some malicious eavesdropping software or back-door trojan install prior to return.

  • apauld (profile), 4 May 2012 @ 9:50am

    C'mon smile!

    you're on candid camera!

  • Anonymous Coward, 4 May 2012 @ 9:55am

    "sheepishly"

    Wow. You really are off on it today, aren't you, Mike?

    • Rabid Troller, 4 May 2012 @ 10:56am

      Re:

      Fuck off, Jack. This is MY turf.

    • Anonymous Coward, 4 May 2012 @ 11:51am

      Re:

      How would you describe them sneaking the server back in place without telling anyone that they were doing it or planned to do it?

      'Cause you are right, they are far too brazen to be sheepish; I was thinking more dickish.

  • Anonymous Coward, 4 May 2012 @ 9:56am

    Let me add this too: Have you considered that perhaps they took the server, copied the contents of the hard drives, and then returned it, because holding the actual server wasn't doing anything for them?

    You are so narrow-minded.

    • MonkeyFracasJr (profile), 4 May 2012 @ 9:59am

      Re:

      I am a cynic but I really don't see the gov't bothering to do the extra work of returning something if they don't have a VERY compelling reason to do so. They didn't return it out of the 'goodness in their hearts'.

    • Ninja (profile), 4 May 2012 @ 10:03am

      Re:

      I'm skeptical. They are the same FBI that sneaks GPS tracking devices on aleatory cars without warrants just because they think they can. What would prevent them from altering the hardware in the same manner?

      • Ninja (profile), 4 May 2012 @ 10:06am

        Re: Re:

        Oh how convenient, look at the link that just popped on my tweeter: http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/ courtesy of @VizFoSho and CNET.

        • Ninja (profile), 4 May 2012 @ 10:09am

          Re: Re: Re:

          For the grammar nazis: I know I wrote Twitter wrong. Bad habit that started with a joke.

        • :Lobo Santo (profile), 4 May 2012 @ 10:15am

          Re: Re: Re: JCF!!

          Jesus fuck, why doesn't the FBI just put out a missive that says "you are required to lay bare all of your user data to any script-kiddy level hacker" and call it a gott-damn day?

          Anybody with a brain can tell you that's exactly where it will go--spoof up an "I'm from the FBI" IP address and use a user name and password you got from Robert Hackerton's phone calls and ta-da!, you're the gott-damm FBI and can look at anybody's data in any company...

          *Grrr!...*

          • Anonymous Coward, 4 May 2012 @ 11:21am

            Re: Re: Re: Re: JCF!!

            "Anybody with a brain can tell you that's exactly where it will go--spoof up a "I'm from the FBI" ip address [...]"

            No need. Easier to just take advantage of their generosity: FBI lost 160 laptops in the last 44 months.

            Anybody want to guess how many more they've lost since?

            • Anonymous Coward, 4 May 2012 @ 11:46am

              Re: Re: Re: Re: Re: JCF!!

              None... Sabu sold them, they were never lost : )

        • Nigel (profile), 4 May 2012 @ 11:05am

          Re: Re: Re:

          "http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/"

          I can see that reason and discourse has no place in the US any longer. I think it's about time for pitchforks and torches.

          And a hearty welcome to today's troll overlord.

          N.

        • A Guy (profile), 4 May 2012 @ 11:22am

          FBI meets DRM

          Wow, the FBI's version of DRM. Not only will everyone know about it because everyone will have to install it, but it will only affect those stupid enough not to remove/block it.

          There will be sites dedicated to removing it since everyone will have to know about it.

          Not only that, but it also doesn't affect open source apps (are they really going to show us the source code too?), especially those with international production/collaboration because there will be no requirement to include it.

          I guess stupid criminals would be the target of this, because it won't catch anyone else.

    • Anonymous Coward, 4 May 2012 @ 10:11am

      Re:

      Uh, I don't understand much about law enforcement procedures but, if that's all they wanted to do, couldn't they have copied all the data on site in like an hour or something?

      Why seize the server?

      • Anonymous Coward, 4 May 2012 @ 10:21am

        Re: Re:

        Actually, much simpler: just take the disks. They might need to do some forensics after all.

        But if their only concern is data, they certainly wouldn't need the whole machine, right?

      • Anonymous Coward, 4 May 2012 @ 9:26pm

        Re: Re:

        "Why seize the server?"

        Considering the wide variety of methods for writing to disk, and the existence of everything from RAID to mirrors, to custom striped writing, taking the disks alone would be a serious no-no. The only way to get data reliably off a server is to use the server (or full configuration) that wrote the data to start with.

        Otherwise, you end up with a serious waste of time and effort, as you fight to try to figure out which disk goes where, which one is the mirror, and so on.

        You also have to assume that they ran a deleted file recovery program, to get back anything that had been deleted recently, adding more data to the pot. You can't generally do that in an hour.

    • Trails (profile), 4 May 2012 @ 10:45am

      Re:

      I agree, there are in fact many things Mike did not consider.

      He did not consider, for example, that the server was part of Skynet, and was about to become self aware and launch missiles at Russia in an effort to wipe out humanity. Thank God we averted that disaster, and how dare Mike besmirch the names of our heroes!!!

      • Berenerd (profile), 4 May 2012 @ 11:41am

        Re: Re:

        You have this all wrong....

        They took the server, convinced it that it wanted to take over the US' arsenal of nuclear weapons to blow up Russia in an attempt to destroy humanity when in reality it just wanted to play a game of chess. With this information the FBI took the server and claimed they thwarted another "cyberthreat" proving the need for CISPASOPAPITAPATASATA

    • Anonymous Coward, 4 May 2012 @ 10:52am

      Re:

      The original storage media is "best evidence" and is far easier to have admitted to court than an image (copy). Had the FBI found evidence on the drives related to felony threats they most certainly would have retained the originals.

      Mike is not narrow-minded, you are ignorant.

      • Anonymous Coward, 4 May 2012 @ 6:57pm

        Re: Re:

        Be fair, he might be ignorant and Mike might be narrow-minded; I for one have no knowledge of his attitude to threesomes.

    • The eejit (profile), 4 May 2012 @ 1:42pm

      Re:

      Then why not do that in the MU case? I'm pretty sure the circumstances are similar. But then that would be sensible.

    • bosconet (profile), 4 May 2012 @ 2:37pm

      Re:

      That is almost certainly what they did. However, one wonders how much it will help them; in my experience most 'forensics' people are clueless with anything but Windows.

      • G Thompson (profile), 5 May 2012 @ 1:18am

        Re: Re:

        uhuh..

        Seeing as I am one of those 'forensics' people, I NEVER use Windows based systems to analyse anything unless that is just to write up affidavits and/or case files because the *nix boxes are used for something else..

        LEOs use Win based systems like EnCase etc because they are sadly not as trained as they need to be (or want to be in some cases).

        *nix is the only way to look at Windows (and Mac) systems without changing or destroying the original source. This is true on both live and non-live systems.

    • G Thompson (profile), 5 May 2012 @ 1:12am

      Re:

      What, like they might have just copied all the files that they needed for a criminal investigation and then gave back the original server because they have all the evidence they need?

      Well if that's the case, the evidence they have is now totally worthless since it is not probable, can not be authenticated, can not be analysed by the opposing side, and is pure fruit of the purloined/poisoned tree.

      You see, if they are using it as evidence in a criminal investigation (and this applies to civil also) under rules of Evidence the original digital source has to be preserved in its original state. Giving it back to someone whilst the investigation and any/all proceedings are still underway is absolutely the wrong thing to do.

      Also I'd like to know if the FBI had authority to re-enter and replace the item in question. You know, like in a warrant, court order, etc.

      This whole removal and giving back system in this sort of way leads me to suspect ulterior quasi-legal motives by the FBI. I would never allow that server to be re-used ever and would just destroy it. This also would further frustrate the FBI's criminal investigation too. Well, unless they have an order to not destroy it, though that might be a secret.

  • Ninja (profile), 4 May 2012 @ 9:57am

    I'm amazed and amused at how incompetent the FBI (and the authorities in general) are at keeping a low profile. This wouldn't be in the news if they had returned the hardware telling it was properly analyzed and showed no evidence that could be used with an apology letter. Srsly. But news about the FBI making a blunder and sneaking seized assets quietly are much more candy to the mainstream media.

    Still, it's good because it's exposing how they are abusing their power and stretching the laws in their own benefit.

  • :Lobo Santo (profile), 4 May 2012 @ 10:05am

    The future of techdirt

    Well, one of the items on the 'is your nation a fascist regime?' checklist is that criticizing the government becomes illegal (any day now).

    I'm'a miss techdirt when it's taken down as a "homegrown terrorist" site--due to pointing out clueless/malicious government actions.

  • BentFranklin (profile), 4 May 2012 @ 10:10am

    Wait, what? The FBI took it and then reinstalled it, both times on the sly?

    It doesn't say whether ECN was notified, but they must have been, if only to indicate which rack was MF/PL's colo. They were probably ordered not to tell their customer anything on the removal. But on the reinstallation, that's just bizarre.

    Also, what's the FBI doing in Italy? There must be more to that story as well.

  • Anonymous Coward, 4 May 2012 @ 10:14am

    Was it one of their own terror plots that the FBI was instigating?

  • Damien BIZEAU, 4 May 2012 @ 10:16am

    Killer Scientists

    Killer Scientists are behind many VERY dangerous activities since 1952. I have personally experienced a major scam against me and my loved ones they have been operating for at least 3 decades. Beware of scientists: all they want is to steal your money, your ideas, your life in whole + it tremendously affects your day to day dealings in your life and in the lives of those you love or like. The T.G.I of Chartres (FRANCE) and International Authorities are currently resolving my case against the scientist "people" - I NEVER PARTICIPATED IN ANY ACTION TO SERVE A SCIENTISTS' CONCEPT OR WAY OF LIFE! From: Damien Yves Daniel BIZEAU / 29/04/1971 - French Catholic.

    • Jeff (profile), 4 May 2012 @ 11:12am

      Re: Killer Scientists

      Le'dude - your tinfoil hat fell off...

    • orbitalinsertion (profile), 4 May 2012 @ 12:26pm

      Re: Killer Scientists

      Yep. Scientists: All united in a global conspiracy to do stuff to you. Which has something to do with the FBI seizing servers.

    • Le Scientist, 10 May 2012 @ 7:44am

      Re: Killer Scientists

      MUAHAHAHAHAHAHAHA!!

      Keep drumming! We're on to you and soon our armies of nano clones will modify your RNA so that you love us and accept us as your technocratic overlords!!!

      The time draws nigh!

      MUAHAHAHAHAHAHAHAHAHAAHAHAHAHAHAHAHAHAHA!!!

  • Anonymous Coward, 4 May 2012 @ 10:20am

    Not to cross over, but @Ninja

    Woof, woof.

  • Anonymous Coward, 4 May 2012 @ 10:21am

    It appears the Men in Black forgot to use their memory eraser flash to erase all remembrance of the incident.

  • Anonymous Coward, 4 May 2012 @ 10:24am

    Who holds the FBI accountable to its employers?

    No, I mean seriously. The people do pay their salaries after all.

    P.S.: LOL. Read comment #14 carefully.

  • Anonymous Coward, 4 May 2012 @ 10:26am

    I bet the FBI put a GNU/Linux back door into the UEFI.

    • Baldaur Regis (profile), 4 May 2012 @ 12:08pm

      Re:

      All the owners have to do is grep for new files with cool-sounding names like "predator.*" or "donotopen.*". Subtle the FBI is not.

  • Overcast (profile), 4 May 2012 @ 10:29am

    "May First/People Link has removed the server from the facility and is in the process of analyzing it. The server will not be put back into production"

    That's sad, if you think about it.

    Millions may use it a day for web surfing - and they are ok with that, but let the FBI mess with it a couple days and the trust goes out the window.

    That's basically saying, 'we trust the general population at large, more than the FBI'.

    Can't blame them.

    • John Q. Public, 4 May 2012 @ 10:34am

      Re:

      I resemble that remark.

    • orbitalinsertion (profile), 4 May 2012 @ 12:30pm

      Re:

      If it was fully installed and powered on, it may be too late. The server farm and network could already be infected if the Feds wanted to play that game. I never know if I am giving them too much credit by making such a suggestion, but they do seem to have their moments of competence.

      • Anonymous Coward, 4 May 2012 @ 6:59pm

        Re: Re:

        They do? Anything in particular in mind or have you been watching too many movies?

  • FBI Agent, 4 May 2012 @ 10:33am

    Terrorists, children, national security.

    Trust us.

  • Overcast (profile), 4 May 2012 @ 10:42am

    "Actually, much simpler: just take the disks. They might need to do some forensics after all.

    But if their only concern is data, they certainly wouldn't need the whole machine, right?"

    Good point, and they wouldn't even need the disks, I'm thinking too. Just an image would do, I would think, since the only concern was the data/logs - I'm guessing.

    Perhaps this speaks to their ability... but maybe there's some other reason they would need all of the hardware.. heh...

  • Overcast (profile), 4 May 2012 @ 10:45am

    "Let me add this too: Have you considered that perhaps they took the server, copied the contents of the hard drives, and then returned it, because holding the actual server wasn't doing anything for them?

    You are so narrow minded."

    They could have used Symantec System Restore - for instance, and wouldn't have even had to take the server offline.

    USB hard disk - run SSR - get image - go. No downtime. It's done all the time where I work - daily as a matter of fact, for DR.

    • Anonymous Coward, 4 May 2012 @ 11:20am

      Re:

      Geez... I'm shocked they didn't think of something like that.

      I mean I'm sure your awesome idea covers all those pesky details like chain of custody and post image modification.

      You're really onto something there son...most people don't take the time to think through things before they just throw out some half-assed idea, but you...wait I see what (I hope) you did there.

      Well played, I almost fell for it and assumed you were a world class nit-wit.

      • Rabid Troller, 4 May 2012 @ 11:38am

        Re: Re:

        hey asshole, central assigned this blog to ME today. besides, didn't you get the memo that snarkiness is being phased out? REDIRECT the conversation, preferably into arcane legal nonsense.

        and learn how to misspell, you fucking nOOb.

        • Anonymous Coward, 4 May 2012 @ 11:56am

          Re: Re: Re:

          Those servers took 100% of the bandwidth's money and gave no one any contracts. FUCKING JUST TRY AND DENY IT!

    • Anonymous Coward, 4 May 2012 @ 12:15pm

      Re:

      Best forensics practices are to take the entire machine.

      When they arrive on site they take pictures of the front and back of the rack and chassis, then pull the power on the server. All of the connections (video, network, USB, keyboard, mouse, etc) are logged.

      They want to get the evidence back to the lab in order to ensure that the evidence is not tampered with. If you image the drives on site you run the risk of someone attempting to damage or destroy them.

      Chain of custody needs to be maintained and you want to have the best evidence possible; the original hard drives will always be better evidence than an image.

      Evidence may also be found in other locations like the BIOS. The BIOS clock time is needed because it may affect file time stamps. You do not want to reboot with the drives present because the prompt to view BIOS may be set so that it does not display, the OS boots and then a pre-existing program installed by the suspect is run that destroys data. The BIOS may be logging events not captured by the OS.

      The hard drives must be connected to a device that prevents any data being written to them, see Tableau (www.tableau.com).

      The warrant, available on EFF's site, specifically referenced a MAC address. It is easier for the prosecution to prove that the FBI seized the correct server by providing evidence of the physical device, that can be verified by a court appointed third party, than to prove it via the MAC address data present on the drives.

      • Anonymous Coward, 4 May 2012 @ 3:04pm

        Re: Re:

        You act like these people are going to spend more than they're making trying to get away with a potential crime that someone else is performing.

        This was a very bad example of how the government should handle a situation. The people hosting this server are not the enemy, they aren't running some wild conspiracy to get away with allowing bomb threats to continue. If they really wanted to do all that you say for some reason, as if that would even help them get away with anything, they could have easily designed the device to destroy all relevant data upon being unplugged. Have a small battery in the device so that when it loses power and everything else gets unplugged, everything gets automatically deleted. Then when the feds raid the device everything gets quickly deleted by the time it reaches the station.

        If you assume that the people here being raided are the enemy and that they will go through all of the very expensive effort you mention in your post to get away with allowing someone else to engage in such illegal activities (whereby they have absolutely nothing to gain from it and they're spending a ton of money on this endeavor to run their servers) then there are much simpler ways for them to get away with it. The device can store all of the relevant information in RAM only so that when it gets unplugged everything gets deleted. Software for that would be easy enough to write and these servers can easily have 32 GB ram (or more). It would be simple enough to hide stuff.

        No, what the feds should have done (first), and what the common sense approach is, is for them to request to work with the anonymizer admins to catch the culprits. Chances are they would have been more than happy to work with the feds on the matter.

        • Anonymous Coward, 4 May 2012 @ 9:18pm

          Re: Re: Re:

          "You act like these people are going to spend more than they're making trying to get away with a potential crime that someone else is performing."

          I said nothing of the kind. I stated that the imaging of hard drives from a seized server results in obtaining best evidence and that attempting live acquisition could result in mistakes that result in data loss, including activation of programs that destroy data.

          Nowhere did I say that May 1st, et al, had such programs, would use such programs, or had done anything wrong. I do not like the fact that any speech on the server was censored (via lack of availability) during the time it was off line.

          "This was a very bad example of how the government should handle a situation. The people hosting this server are not the enemy, they aren't running some wild conspiracy to get away with allowing bomb threats to continue. If they really wanted to do all that you say for some reason, as if that would even help them get away with anything, they could have easily designed the device to destroy all relevant data upon being unplugged. Have a small battery in the device so that when it loses power and everything else gets unplugged, everything gets automatically deleted. Then when the feds raid the device everything gets quickly deleted by the time it reaches the station."

          How should the government have handled it then?

          Again, I never said anyone was "the enemy".

          You would actually need a large battery to power a server. Servers are not like laptops, they consume a lot of power.

          Deleting a file does not destroy it, it simply marks an entry in the file system letting the OS know that the sectors on which the file resided are now available for use. The data remains until it is overwritten. In some instances data can reside in "file slack" even after it has been overwritten by a new file. In order to truly destroy the data it needs to be wiped. Wiping a 250 GB SATA hard drive with one pass can take up to 8 hours. There have been instances where warrants are served and law enforcement finds that a suspect is deleting files, formatting the drive, or is wiping a drive. Some data will be lost but the vast majority will still be present.

          "If you assume that the people here being raided are the enemy and that they will go through all of the very expensive effort you mention in your post to get away with allowing someone else to engage in such illegal activities (whereby they have absolutely nothing to gain from it and they're spending a ton of money on this endeavor to run their servers) then there are much simpler ways for them to get away with it. The device can store all of the relevant information in RAM only so that when it gets unplugged everything gets deleted. Software for that would be easy enough to write and these servers can easily have 32 GB ram (or more). It would be simple enough to hide stuff."

          First you state "they will go through all of the very expensive effort" then you state "Software for that would be easy enough to write". So is it expensive or not? Here's a hint, it is the latter.

          It's possible that software can be specifically written to load into RAM only but you fail to consider that it is possible to perform forensic analysis on RAM and that the contents of RAM are often written temporarily to the hard drive in a "swap" file.

          "No, what the feds should have done (first), and what the common sense approach is, is for them to request to work with the anonymizer admins to catch the culprits. Chances are they would have been more than happy to work with the feds on the matter."

          "anonymizer admins"? You have no idea how a multi-node anonymity tool functions, do you? Do you honestly believe that May 1st would have allowed the FBI to monitor the traffic flowing through their server?

          Either you are a brilliant troll or you are profoundly naive. I sincerely hope it's the former; if so I congratulate you and will heartily LOL at myself.

          • identicon
            Anonymous Coward, 4 May 2012 @ 9:55pm

            Re: Re: Re: Re:

            "I said nothing of the kind."

            You absolutely did. For example, you said

            "You do not want to reboot with the drives present because the prompt to view BIOS may be set so that it does not display, the OS boots and then a pre-existing program installed by the suspect is run that destroys data. "

            This argument is based on the premise that the server admins are likely enough to be intentionally facilitating the undesired activity and expending a lot of effort to hide said activity. Otherwise, what's the point of your sentence?

            "You would actually need a large battery to power a server."

            Depends on how long it needs to be powered and how much of the server needs to be powered for things to get deleted.

            But you're still missing the point. My argument isn't that my suggestions would be easy, on the contrary, the argument is that they are difficult and require a whole lot of sophisticated coordination. My point is that your suggestions are about just as difficult to conspire and also require a whole lot of coordination.

            "Wiping a 250 GB SATA hard drive with one pass can take up to 8 hours."

            Who said anything about them wiping the entire data? Only the potentially incriminating data needs to be wiped. Again, the argument isn't that it'll be easy to implement, just that if the server admins were determined enough to allow those making these bomb threats to get away with them, as your post seems to suggest based on the amount of effort they would have to expend to avoid getting caught, there are ways that it can be done that can just as well circumvent what the feds did here.

            "It's possible that software can be specifically written to load into RAM only but you fail to consider that it is possible to perform forensic analysis on RAM and that the contents of RAM are often written temporarily to the hard drive in a "swap" file."

            Not if the software is designed to load the data into RAM only. Truecrypt already does this with unencrypted data, for example. Yes, the contents in RAM are often written to the hard drive in the form of swap unless software is specifically written to prevent potentially incriminating content from being written. Again, you're the one assuming the possibility that these people are attempting to expend a lot of effort to conceal incriminating data and my point is that, if they really want to expend all of the effort that you suggest, there are smarter ways to do it than the ways that you suggest. Just because you can think of a narrow situation in which unplugging the server first might prevent potentially incriminating data from being deleted doesn't mean that those willing to expend all the effort you suggest can't find a smarter way to do it.

            "it is possible to perform forensic analysis on RAM"

            and find what, exactly? Nothing? If it were possible to extract a significant amount of useful information from unpowered RAM ... we wouldn't have this problem of needing to re-load RAM every time the computer undergoes a cold boot.

            • Anonymous Coward, 4 May 2012 @ 11:40pm

              Re: Re: Re: Re: Re:

              In a situation where there is good reason to believe that the server admins might be intentionally facilitating illegal activities then you may have a point. But here there is no good reason to believe this. If anything, unplugging the server erases RAM which could potentially delete important information. Working with the server admins is a better option, the server admins know their network best and are in a much better position to (help the feds) track the culprit from their location (without removing the server).

            • G Thompson (profile), 5 May 2012 @ 3:23am

              Re: Re: Re: Re: Re:

              "it is possible to perform forensic analysis on RAM"

              and find what, exactly? Nothing? If it were possible to extract a significant amount of useful information from unpowered RAM ... we wouldn't have this problem of needing to re-load RAM every time the computer undergoes a cold boot.

              This comment and the others above show you have no knowledge of what modern Digital Forensic techniques are, nor of what they can find. Whatever you find, whether that be contextually valid to what the investigators are searching for or that nothing whatsoever is found, is what forensics is all about. It is the science of what IS, not of what you wish or don't wish to find.

              And if you really think un-powered RAM doesn't or cannot hold anything of value, then keep thinking that; it makes our jobs seem much more magical and gives us the Ooooo factor when we show what we actually can analyse.

              • Anonymous Coward, 5 May 2012 @ 9:21am

                Re: Re: Re: Re: Re: Re:

                It possibly can, but you have to keep it very cool to prolong any information and, even then, the information quickly dissipates with time. What the feds need to do is do some common sense risk assessments.

                "If you image the drives on site you run the risk of someone attempting to damage or destroy them."

                and if you unplug the machine much of the information in RAM invariably does get lost. So the risks are, server admins doing something nefarious if you work with them vs losing important data in RAM by unplugging the machine first. In this situation, the latter is a much bigger risk, being that the risk here of the server admins attempting to conceal the bomb threats is almost zero.

                There are much easier and more reliable methods to extract the data than to simply unplug everything first, better methods that apply here, like working with the server admins. If the server admins wished to conspire to make sure the data is not recoverable as stated above they could find ways to make sure all important data does get deleted from RAM first. RAM alone doesn't take much to power and having some internal battery system quickly scramble it upon being unplugged may be difficult but feasible for someone determined enough (as the original post suggests).

                • Anonymous Coward, 5 May 2012 @ 10:07am

                  Re: Re: Re: Re: Re: Re: Re:

                  And I think this might be a good example where bureaucracy gets in the way of common sense. In other situations, where there is reasonable suspicion that the server admins might be in on it, it might make more sense to simply unplug the server first. But in this situation, where no such reasonable suspicion exists, it's probably much better to work with the server admins on the case.

                  • G Thompson (profile), 5 May 2012 @ 9:48pm

                    Re: Re: Re: Re: Re: Re: Re: Re:

                    This is not a case of bureaucracy getting in the way of common sense.

                    It is a case of correct procedures when dealing with criminal investigations getting in the way of how you think the world should operate.

                    Chain of Custody aside, you do not rely on non-authorised parties to 'help' unless they are willing under orders/oath to suffer any and all consequences for any untoward situations that may develop.

                    The investigation not only has to be seen to be unbiased it needs to be unbiased otherwise the spectre of impropriety can and will be raised by any opposing counsel.

                    I agree that a live system is preferable to one that is powered off, but there are means of reducing the loss of volatile data that you can perform before turning off any device, and I can assure you the FBI High Tech Units know all about those methods.

                    • Anonymous Coward, 5 May 2012 @ 11:14pm

                      Re: Re: Re: Re: Re: Re: Re: Re: Re:

                      Fair enough, you make some good points. Thanks for the insight.

                • Anonymous Coward, 5 May 2012 @ 8:09pm

                  Re: Re: Re: Re: Re: Re: Re:

                  So the risks are, server admins doing something nefarious if you work with them vs losing important data in RAM by unplugging the machine first. In this situation, the latter is a much bigger risk, being that the risk here of the server admins attempting to conceal the bomb threats is almost zero.

                  G Thompson is right, you know absolutely nothing about digital forensics. Almost all systems are seized by pulling the power on the machine. You keep saying there are smarter ways to do it. OK, what are these smarter ways of analyzing the contents of the drives?

                  Do you really believe that placing trust in persons unknown to the FBI justifies the risk and threat of loss of the data?

                  Placing trust = risk and threat of action by bad actor
                  No trust = far less risk and threat

  • Eponymous Coward (profile), 4 May 2012 @ 11:02am

    Seriously, guys

    We didn't do anything to the hardware. Pinky-promise. We just, umm, thought that the server looked a little dirty and wanted to give it a good dusting.

    Separate issue, how exactly do they get into the server room on two separate occasions without anyone being notified? Someone had to see a Gorram warrant the first time, at least? Or did Agent Coulson there work his magic on the janitor to get the keys?

    • Anonymous Coward, 4 May 2012 @ 12:01pm

      Re: Seriously, guys

      I feel like you could walk up to most people and flash your FBI badge and say "open that door" and the door would open.

  • Anonymous Coward, 4 May 2012 @ 11:37am

    They should just virtualize the server. It would be much harder for the FBI to take the production server if it has the ability to jump from server to server.

  • V (profile), 4 May 2012 @ 11:43am

    Who watches...

    Who watches the Watchers?

  • Overcast (profile), 4 May 2012 @ 1:13pm

    The original storage media is "best evidence" and is far easier to have admitted to court than an image (copy). Had the FBI found evidence on the drives related to felony threats they most certainly would have retained the originals.

    Mike is not narrow minded, you are ignorant.

    But now then the question becomes - are they allowed to seize property and not even have an idea of what's on it?

    So they can just grab whatever - look at it, and if there's nothing on it, just return it and act as though nothing has happened? That's what this seems to indicate.

    What about probable cause now?
    Can and will this company now sue them - after all, they have potentially (like so many copyright claims) lost revenue due to this.

    Obviously - there was no good evidence on the server that would be needed in court since they have returned the server. And if they did image it, and will later use the image in court - why take the server in the first place?

    But the big part is - anyone in IT should well know that the physical disks in an array are meaningless really. An image is all you really need.

    If that server was using any type of RAID 0, 5, 6, etc - array, all of those physical disks could be swapped out, but the data would remain, assuming they were given time to rebuild the array between swaps - what good are the physical disks then?

    Unless there is suspicion that data is being deleted to cover any evidence - but even then, a sector-by-sector image would still capture that, unless they are meaning to put the platters under an electron microscope - then the physical disks (assuming they haven't been swapped with other drives in the recent past) might be helpful, but really - only then.

    The point is - if the FBI had a clue, they could have made an image of the server and only the operators of the facility would have known. The server would never have been offline, RiseUP wouldn't have lost any uptime or even known the image was taken.

    It's both an IT fail and a police work Fail.

    Now.. they have returned the server, without notifying the owner that it was ever being taken - which obviously means there was no warrant. In all likelihood - the right lawyer would have gotten that evidence tossed right out of court due to improper procedures in evidence gathering anyway.

    Would seem to me, the best way to do this would be to - get a warrant - contact the data center facility - image the server (without Riseup knowing) - then if any potential evidence was on there - get a warrant to seize the server.

    But the FBI doesn't really seem to be all too concerned with following the law from the start anymore.

  • Digitari, 4 May 2012 @ 2:00pm

    Re:

    something just occurred to me, cause, ya know not only do I wear a tin hat, I had my entire head made of tin, it's the only way to be certain.

    what if the FBI was told by the NSA or CIA that they HAD to put the server back, else how will OUR spies be able to contact us?

    Could this have been an inter-service fuck up??

    Food for (the very paranoid) thought.

    Also, the reason is Obvious why they didn't just copy it, FBI is not a bunch of freetards, that would be Copyright infringement, and that's a hanging offense in DC doncha know.

    (this is mostly sarcasm,{or irony} mostly)

  • LyleD, 4 May 2012 @ 2:45pm

    Not sure where I read it now, but another theory was it was all about disrupting the May Day Occupy protests...

    Removed, April 18th 2012
    Re-installed, May 4th 2012

    Just-Saying

  • Anonymous Coward, 4 May 2012 @ 3:48pm

    You can read the warrant on the EFF's web site: https://www.eff.org/sites/default/files/May%20First%20Server%20Search%20Warrant.pdf

    First, IANAL. Second, I also have doubts and criticisms of how the FBI handled this.

    But now then the question becomes - are they allowed to seize property and not even have an idea of what's on it?

    The FBI did not ask for a warrant to browse the files on the server to see what was there. The FBI went to the judge with evidence of an e-mail bomb threat sent to the University of Pittsburgh that bore the originating IP address of the May First/People Link/Riseup server.

    BTW, the bomb threats began in February: http://www.huffingtonpost.com/2012/04/24/pitt-bomb-threats-finished_n_1448956.html

    So they can just grab whatever - look at it, and if there's nothing on it, just return it and act as though nothing has happened? That's what this seems to indicate.

    My limited understanding is that the unfortunate answer is yes.

    What about probable cause now?

    My understanding is that probable cause was established with the bomb threat e-mail sent from the May 1st server.

    Can and will this company now sue them - after all, they have potentially (like so many copyright claims) lost revenue due to this.

    I don't know. I am not saying it's right, but running the MixMaster mail relay would most likely not help their cause. If you use TOR as an exit node you risk the police kicking your door down because someone was browsing something that is illegal and it traces back to your IP. If you run TOR as an exit node you face that risk. If you run MixMaster re-mailer ... Again, I'm not saying it's right.

    But the big part is - anyone in IT should well know that the physical disks in an array are meaningless really. An image is all you really need.

    You are correct, but law enforcement and prosecutors always want to present best evidence. The physical media is the best evidence not the image.

    If that server was using any type of RAID 0, 5, 6, etc - array, all of those physical disks could be swapped out, but the data would remain, assuming they were given time to rebuild the array between swaps - what good are the physical disks then?

    This is true, but as has been pointed out so many times on TechDirt our courts struggle mightily to understand IT and often get it very wrong. The prosecution gains nothing by making an image and returning the original drives/best evidence, then having to explain parity, checksums, RAIDs, etc. to a judge that can't work their iPhone.

    Unless there is suspicion that data is being deleted to cover any evidence - but even then, a sector-by-sector image would still capture that, unless they are meaning to put the platters under an electron microscope - then the physical disks (assuming they haven't been swapped with other drives in the recent past) might be helpful, but really - only then.

    You are correct, if the data exists on the original evidence then it will exist on the image.

    I did not realize it was possible to read data from a hard drive using electron microscopy. Would you please post a link?

    The point is - if the FBI had a clue, they could have made an image of the server and only the operators of the facility would have known. The server would never have been offline, RiseUP wouldn't have lost any uptime or even known the image was taken.

    Live acquisition involves altering the evidence. An agent has to be placed on the server or an exploit utilized to obtain access. This method does not ensure a total acquisition of data the way the imaging of drives that have been removed from the server does. Live acquisition also involves a risk of detection followed by possible interference and/or destruction of data.

    The point is - if the FBI had a clue, they could have made an image of the server and only the operators of the facility would have known. The server would never have been offline, RiseUP wouldn't have lost any uptime or even known the image was taken.

    It's both an IT fail and a police work Fail.

    I disagree that the best course of action is imaging the drives in the facility because you do not have best evidence or chain of custody and you risk detection/interference. The methods you propose are valid but result in increasing the burden on law enforcement and the prosecution. From their perspective none of what you propose justifies the increased effort and burden that results.

    Now.. they have returned the server, without notifying the owner that is was ever being taken - which obviously means there was no warrant. In all likelihood - the right lawyer would have gotten that evidence tossed right out of court due to improper procedures in evidence gathering anyway.

    A warrant was obtained and it appears to have been legally served.

    Would seem to me, the best way to do this would be to - get a warrant - contact the data center facility - image the server (without Riseup knowing) - then if any potential evidence was on there - get a warrant to seize the server.

    Offline imaging in the lab ensures non-interference and obtaining a complete capture of all data. Live acquisition risks detection and destruction of data.

    Hoping the employees of the data center maintain secrecy is just not realistic.

    So the first warrant would allow the FBI to search for "any potential evidence"? I don't think that's a good idea ...

    But the FBI doesn't really seem to be all to concerned with following the law from the start anymore.

    I can't agree without knowing whether or not there were other e-mail threats from other servers within the US. If there were and they were not also seized then I would ask why not.

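
    The difference the reply above draws between a file-level copy and a sector-by-sector image, and the hash an examiner records at acquisition so the image can later be shown unchanged, as an added illustration that is not code from the thread (the mini file system, file names and sample message are constructed for the example):

```python
"""Toy model of a file-level copy versus a sector-by-sector image, and of the
hash recorded at acquisition time. Added example, not code from the thread;
the mini file system below is constructed for illustration only."""
import hashlib
import json

SECTOR = 512
N_SECTORS = 64

def new_disk() -> bytearray:
    """Blank disk: sector 0 holds a JSON directory, the rest is file data."""
    disk = bytearray(SECTOR * N_SECTORS)
    _write_dir(disk, {})
    return disk

def _read_dir(disk: bytearray) -> dict:
    raw = bytes(disk[:SECTOR]).rstrip(b"\x00")
    return json.loads(raw.decode()) if raw else {}

def _write_dir(disk: bytearray, directory: dict) -> None:
    disk[:SECTOR] = json.dumps(directory).encode().ljust(SECTOR, b"\x00")

def write_file(disk: bytearray, name: str, data: bytes) -> None:
    """Store data in the first run of sectors not listed in the directory."""
    directory = _read_dir(disk)
    used = {s for e in directory.values()
            for s in range(e["start"], e["start"] + e["nsec"])}
    nsec = -(-len(data) // SECTOR)          # ceiling division
    start = 1
    while any(s in used for s in range(start, start + nsec)):
        start += 1
    if start + nsec > N_SECTORS:
        raise ValueError("toy disk is full")
    disk[start * SECTOR:start * SECTOR + len(data)] = data
    directory[name] = {"start": start, "nsec": nsec, "size": len(data)}
    _write_dir(disk, directory)

def delete_file(disk: bytearray, name: str) -> None:
    """Unlink as most file systems do: drop the directory entry, keep the sectors."""
    directory = _read_dir(disk)
    del directory[name]
    _write_dir(disk, directory)

def logical_copy(disk: bytearray) -> dict:
    """What a file-by-file copy captures: only names the directory still lists."""
    return {n: bytes(disk[e["start"] * SECTOR:e["start"] * SECTOR + e["size"]])
            for n, e in _read_dir(disk).items()}

def raw_image(disk: bytearray) -> tuple:
    """Sector-by-sector acquisition, returned with its SHA-256 for the custody record."""
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()

def verify_image(image: bytes, recorded_hash: str) -> bool:
    """Integrity check repeated before analysis and again when the image is produced."""
    return hashlib.sha256(image).hexdigest() == recorded_hash

def carve(image: bytes, marker: bytes) -> bool:
    """Search the whole image, allocated space or not, for known content."""
    return marker in image

if __name__ == "__main__":
    disk = new_disk()
    write_file(disk, "note.txt", b"constructed sample message")   # constructed data
    delete_file(disk, "note.txt")
    image, digest = raw_image(disk)
    print("file-level copy sees it:", "note.txt" in logical_copy(disk))          # False
    print("raw image still holds it:", carve(image, b"constructed sample message"))  # True
    print("image hash verifies:", verify_image(image, digest))                   # True
```
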
    • Anonymous Coward, 4 May 2012 @ 9:30pm

      Re:

      You hit it - the mail coming from that server is more than enough probable cause to seize the server to try to identify who the email is coming from. The group should consider themselves lucky that they didn't convince the judge to take everything they had - instead of just one server.

      I think it's too bad that Mike has no understanding of what it takes to get this done.

    • ShivaFang (profile), 5 May 2012 @ 7:52am

      Re:

      Thanks for posting the warrent.

      The warrent clearly indicates taking the drive or any other storage devices that the information is on, so a lot of the complaints in this thread are therefore moot.

      Putting the drive back covertly instead of giving it back is a little weird though.

      • Anonymous Coward, 5 May 2012 @ 12:31pm

        Re: Re:

        warrant *

        Fair enough. If a court warrant authorized the property be confiscated then maybe it wasn't so bad. But I still think this could and should have been handled a little better and there are more effective ways to catch the culprits by working with the server admins which would

        A: be more likely to catch the culprits

        B: Would result in no (or less) unnecessary server downtime.

        • Anonymous Coward, 5 May 2012 @ 12:32pm

          Re: Re: Re:

          (and, better yet, could help catch the culprits in the act).

          • Anonymous Coward, 5 May 2012 @ 12:32pm

            Re: Re: Re: Re:

            but if the server is down, the culprits will just jump to someone else's server.

            • Anonymous Coward, 5 May 2012 @ 6:56pm

              Re: Re: Re: Re: Re:

              Another option available to the FBI is packet capture and analysis. The problem with this is that if MixMaster is multinodal the way Tor is then your chances of having another bomb threat get routed through the same node that is being monitored may take a long time or not happen at all. Please keep in mind this whole thing is in response to bomb threats against a University that have been going on since February, this is not the same as ICE's trumped up domain seizures.

              I do not like that May 1st's server was off line for so long and I hope that they are able to separate the MixMaster to another server that does nothing other than e-mail relay.

  • Wolfy, 4 May 2012 @ 4:18pm

    If you don't think the gov't controls the media, ask yourself why this story isn't on CNN.

  • Anonymous Coward, 4 May 2012 @ 4:37pm

    Mike, now you ruined their stealth surveillance chances; the guy will go there and see if any bugs were planted on the damn thing.

  • Disgusted (profile), 4 May 2012 @ 10:13pm

    Our Wonderful Government

    How is the Government, as embodied in this administration, any different than the real Mafia? They seem to have no regard for the rule of Law. They have no regard for citizen's rights. They have no regard for the Constitution. In short, they are worse than the crime families, which, at least, have a code of ethics that they follow. This bunch justifies any crime, any action, any disregard for the Constitutional guarantees that they perform against our citizens, with the mock excuse of protecting us. Things have gotten way out of control. If they are going to act this way, then they should organize along the Mafia guidelines and adopt the Cosa Nostra code. We're already paying them tribute (taxes), and they're already acting like them, so let's make it formal. It couldn't be any worse.

  • Anonymous Coward, 5 May 2012 @ 2:49am

    There is one possibility I did not see mentioned. They could have taken the server to clone it. Having a clone of a production server from a farm of similar servers would be a very good way to develop attacks to gain access later regardless of if the server was left in operation or not. Kinda like buying a lock from the hardware store to figure out how to pick every lock alike it.

  • BentFranklin (profile), 5 May 2012 @ 7:59am

    If all they wanted was a disk image, it would have been far more deft to have the host tell their client there are technical difficulties, then let the FBI shut down the server and reboot it off line to take an image right there, then restart the server. The client and you and I would never have been the wiser.

  • As if, 5 May 2012 @ 4:15pm

    Not using the server

    may be a disservice to the country.
