FBI Hacks Tor Service

[Callie Del Noire]

http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/

Okay.. I'm conflicted about this. Child Porn is a bad thing. Period. BUT.. you're crossign a dangerous line when you start breaking laws and violating the territory of allied nations like this.

This isn't counter intelligence work. This is Cyberwarfare, cut and dried. And definitely creeps into the search without warrant territory.  Very worrisome territory.

[mia h]

I wouldn't be surprised if the FBI were using the same legal justifications that were reported as being used with PRISM to get around the need for warrants and probable cause.

With PRISM they came to the legal conclusion that a search is only a search when it involves a human looking at something. So if a computer automatically sifts through information then it's not really a search. Now if that computer then reports that there might be something worth looking at within the data that then constitutes probable cause allowing the FBI\NSA etc to get a warrant to do a search. Kafka would have been so proud.

The way the article reads the FBI would definitely be breaking the law in the UK, but assume you found the FBI's little virus on your computer what do you do? Try and report them? Well that virus supposedly only targeted people looking at child-porn, so anyone who reported finding it is painting a big target on their back regardless of what they were actually doing. But if nobody reports the crime then did it really happen?

[Neysha]

Are there practical alternatives to policing child pornography hosted and accessed on hidden servers?

[Shjade]

Finding the sources instead of the viewers...? *shrug*

[Moraline]

Slightly off topic side note:   I knew I recognized the name of the guy that wrote that article...  Kevin Poulsen (Hacker name: "Dark Dante")

"One of the most feared yet idolized hackers of all time, Kevin Poulsen is considered by many to be a hacking prodigy. His youth was spent using his talents strictly for juvenile fun and the pursuit of knowledge. But the deeper he delved into hacking, the further he went to the dark side. Eventually, his criminal exploits led to the first ever espionage case leveled against a hacker. "

~ http://library.thinkquest.org/04oct/00460/poulsen.html (note: They are 10 years off on his date of birth, it should read 1965, not 1975, but it's the same guy.


"When Kevin Poulsen was 17, he used his primitive TRS-80 "color computer" to hack into the US Department of Defense's Arpanet, the predecessor of the Internet. He wasn't prosecuted. He was later a computer programmer at SRI and Sun Microsystems, and worked as a consultant testing Pentagon computer security.

In 1988, when authorities suspected Poulsen had cracked a database on the federal investigation of Ferdinand Marcos, they came after him, and he disappeared. As a fugitive, Poulsen needled the FBI by hacking federal computers and revealing details of wiretaps on foreign consulates, suspected mobsters, and the American Civil Liberties Union. He also hacked into the details on FBI front companies. At the highest levels of U.S. law enforcement, they started calling him "The Hannibal Lecter of computer crime"."

~ http://www.nndb.com/people/453/000022387/

[gaggedLouise]

Slightly off topic side note:   I knew I recognized the name of the guy that wrote that article...  Kevin Poulsen (Hacker name: "Dark Dante")

So this is the guy that inspired War Games? Or did he emulate Broderick's exploits from the film within a year of its release?

OT: Someday in not too long, there will have to appear some "non-standard internet protocols" and encrypted http to keep the governments' eyes out of what people re doing and talking about online.

[mia h]

Are there practical alternatives to policing child pornography hosted and accessed on hidden servers?

That this horrible material is being hosted on obfuscated servers isn't really the issue; how would you feel if every conversation, every email, every phone call you made was being monitored? Not because you have done anything wrong but because there is a chance than someone else has and we should stop that wrongness. We know you've done nothing wrong so when we do look into you we won't find anything, but those people who have done wrong things they won't want us looking but you're not one of them, are you?

It's very easy to use the "won't you think of the children?" argument to justify just about any action, but that doesn't make it right or legal. In this case it's the FBI, they are a civilian organization and should be subject to the same laws as everyone else but in this (and possibly many other instances) they appear to invoke a variant of the ancient rule - It's not cheating if you don't get caught.

[Moraline]

So this is the guy that inspired War Games? Or did he emulate Broderick's exploits from the film within a year of its release?

OT: Someday in not too long, there will have to appear some "non-standard internet protocols" and encrypted http to keep the governments' eyes out of what people re doing and talking about online.

I'm not really sure if Kevin Poulsen was the inspiration or not for the War Games movie. I remember watching War Games on YouTube but I don't really know much about the making of movie itself.

I think my main point in posting that was to point out that Kevin Poulsen has a clear agenda that is very anti-FBI. These guys put him in prison for 5 years before he even got a trial. They were almost ready to lock him away and throw away the key.

I don't entirely trust the source or perspective of that article. There's a lot more to be said then it tells us. I'm not saying that he's intentionally trying to make the FBI look bad but it wouldn't surprise me if he was dropping the hint of a spin on it to do it. It's just questionable overall.

[Callie Del Noire]

http://www.wired.com/threatlevel/2013/09/nsa-backdoor/

There has been an on going desire to 'read folks mail for security reasons' by the government since the idea of Email took off. To say that the man in the first article doesn't have an agenda would be stupid. He does. Does he have a point? yes he does.

Do you know that the feds have to have a warrant to access your home computer BUT don't for any smartphone they find on you when they stop you. Not arrest.. .. not charge.. but simply detain for questioning. They can pick it up, save a back up and look at anything and everything on it without a warrant or even just cause.

Now you have proof that the NSA and FBI are considering that any system they can get into isn't the same as the account books of a company or person. You are looking at a REDUCTION of personal privacy and liberty. Without any judical process involved for the most part.  Cops have been cleared to use GPS tracking, your own cell phones and other methods without needing a warrant or justification.

Sooner or later this WILL lead to abuse.  THAT is my concern.

[Neysha]

That this horrible material is being hosted on obfuscated servers isn't really the issue; how would you feel if every conversation, every email, every phone call you made was being monitored? Not because you have done anything wrong but because there is a chance than someone else has and we should stop that wrongness. We know you've done nothing wrong so when we do look into you we won't find anything, but those people who have done wrong things they won't want us looking but you're not one of them, are you?

It's very easy to use the "won't you think of the children?" argument to justify just about any action, but that doesn't make it right or legal. In this case it's the FBI, they are a civilian organization and should be subject to the same laws as everyone else but in this (and possibly many other instances) they appear to invoke a variant of the ancient rule - It's not cheating if you don't get caught.

Please don't misconstrue my question.

If you have no answer to my question, then please don't anawer via editorializing my alledged POV.

Thank you. :)

[mia h]

Please don't misconstrue my question.

If you have no answer to my question, then please don't anawer via editorializing my alledged POV.

Thank you. :)

And what POV is it that I'm supposedly alledging?

[Shjade]

And what POV is it that I'm supposedly alledging?

Neysha never asked, "Won't you think of the children?"

I suspect your restatement of that bit wasn't intended to suggest Neysha was using that justification as part of her inquiry and thus miscommunication occurred. Just a guess, though.

[Neysha]

I'm just wondering if there are any practical alternative law enforcement procedures or operations to deal with any possible criminal activity that utilizes these hidden servers.

[Cyrano Johnson]

It's a fair question.

[Callie Del Noire]

Okay.. think on it like this.

If you leave 'backdoors' in the standards of security in the foundation that internet commucation and commerce works on. How long will it be before someone who isn't a Fed uses it? Come on.. you put a weak point in structure.. it is going to be found. We have websites that do nothing but deconstruct hardware, software and protocols.

What might require computation that only BIG companies and government today will not always require them tomorrow. Moore's law makes that pretty much inevitable, assuming someone doesn't find a way to do it easier, faster and with less.

Fun note. When I made my first MP3 back in '94ish. It took me an hour to pull the audio out of a CD, then 20 minutes to encode it. Today I made a song into an mp3 in like 3 seconds.

[mia h]

Callie,
there are a few problems with that line of reasoning, and although it has nothing to the reasoning someone managed to disprove Moore's Law a couple of years ago something to do with the physical limits of silicon. The first question is did the FBI do something illegal? And they've pretty much admitted that they did. The follow up question is was there an alternative? The answer should be. Who cares? If there was a legal alternative and they didn't use it, then the FBI did something that was illegal. However if there wasn't a legal alternative and the FBI did what it admitted then the FBI still did something that is illegal. So any alternatives or lack thereof are a complete irrelevance.

Of course It's easy use straw man arguments to justify these types of actions "We're doing this to protect you from terrorists\Mussolini's ghost\dancing chickens\whatever else scares you" but using unpopularity of certain elements of society as a pretext for doing whatever they wanted is how all the best dictatorships got started or as Benjamin Franklin put it:

They that can give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety


Neysha,
I'm still waiting for an answer.

[Neysha]

Irrelevant to the alleged violation of civil liberties yes, but it's still a valid question to ask in general and I will, because this thread is as good as any to bring it up since the topic is relevant in subject matter to my question.

And since you keep bringing it up (as some sort of strawman when I've done nothing to promote the FBI's handling of this situation) I will ask it again:

I'm just wondering if there are any practical alternative law enforcement procedures or operations to deal with any possible criminal activity that utilizes these hidden servers.

Does ANYONE have an actual answer? If you DON'T have an answer either way, please don't respond to my question.

Thank you. :)

[Kythia]

This might be quite a naïve answer because, in all honesty, I'm not sure I understand what a "hidden server" is.  But why does that matter (that it's hidden I mean).

So, the FBI discover a massive stash of kiddie porn on my computer, and equally hypothetically I'm somewhere the FBI have jurisdiction.  Obviously I can be prosecuted without servers or wherever that shizzles hosted coming in to it at all.  But understandably the FBI want to take it down, make it unavailable.  Well, they have my computer.  Surely even if the server is hidden my computer knows how to find it?  Otherwise, well, how is it finding it? 

As I say, I don't understand the technical aspects so I may well be being stupid there.

[gaggedLouise]

This might be quite a naïve answer because, in all honesty, I'm not sure I understand what a "hidden server" is.  But why does that matter (that it's hidden I mean).

So, the FBI discover a massive stash of kiddie porn on my computer, and equally hypothetically I'm somewhere the FBI have jurisdiction.  Obviously I can be prosecuted without servers or wherever that shizzles hosted coming in to it at all.  But understandably the FBI want to take it down, make it unavailable.  Well, they have my computer.  Surely even if the server is hidden my computer knows how to find it?  Otherwise, well, how is it finding it? 

As I say, I don't understand the technical aspects so I may well be being stupid there.

I admit I'm not getting what "hidden servers" means either. Servers hosted on a machine that's hidden by a router or gateway that makes it "stealth" for most inbound traffic? Or is it the well-known trick of planting a trojan on some ordinary machine, opening up a backdoor for loading lots of kid porn and the like into that machine and then opening up to lots of other, anonymous users? Or just that the files and folders are listed under vanilla-sounding, innocent names?

[mia h]

Kythia, if you look at what Marques was charged with it wasn't possessing child-porn but facilitating access to it. So using a bit of educated guess work, if you look at what happened with The Pirate Bay they weren't found guilty of breaching copyright but of facilitating breaches of copyright, TPB didn't and doesn't hold copies of the movies etc that are torrented but hold links to other people that do. So it would appear that Freedom Hosting is acting like TPB of child-porn.
Best guess is that they are using a combination of TOR anonimisers and magnet links to hide the source of whatever it is that is being shared.
Now because of what the FBI was doing in hacking the browser they weren't going after the owners of the hidden servers but after the people that were accessing the sites.

[Neysha]

I'm technically illiterate but frombwhat i've read, Tor's main intention and purpose was to be used to shirld human and civil rights groups from unsavory authority types and sadly has been repurposed to a degree by child pornographers and other criminal behavior and operations.

But even beyond Tor I'm sure there are many ways to hide or obscure ones identity on the internet. I'm curious if there are any alternative law enforcement techniques that can be utilized whether specifically against criminals using Tor or to broaden the conversation, against other methods of 'hiding' in cyberspace.

[mia h]

And what POV is it that I'm supposedly alledging?

Well I suppose there is half an answer of sorts

And since you keep bringing it up (as some sort of strawman when I've done nothing to promote the FBI's handling of this situation) 

But could point to exactly where in any of my posts I wrote that you supported the FBI?
If you can't support the allegation that I'm deciding what your opinion is you should apologise.

And I don't care how "polite" it is, where do you get the nerve to tell people what they can and can't respond to?

[Callie Del Noire]

I admit I'm not getting what "hidden servers" means either. Servers hosted on a machine that's hidden by a router or gateway that makes it "stealth" for most inbound traffic? Or is it the well-known trick of planting a trojan on some ordinary machine, opening up a backdoor for loading lots of kid porn and the like into that machine and then opening up to lots of other, anonymous users? Or just that the files and folders are listed under vanilla-sounding, innocent names?

Here is what is a TOR server/router about.

http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29

Ironically this is the same sort of thing that the government relies on for their own operations. You have to have secure/discrete communication systems for some government operations.

Undermining the systems that operate on the internet can do far more harm than putting in 'easy access' to a TOR system or even more frightening a cryptographic standard. By putting in backdoor systems into software and hardware you leave it vulnerable. Today it might be the US government, but when you have people handling the software and systems.. how long till a Snowden or Manning drops a system build on the internet or sells it to a company or country?

TOR systems are by their nature 'grey' at the very least. I've used one to check out Silk Road.. what you find there is a very different world from the world of Ebay, Facebook and even Eilliquy. The problem is it's a stone in the path. Today it's 'back doors in grey/black software' then you have the NSA engineering back doors into the encryption routines that we use for all manners of things.

Today the government says it's only in the 'pursuit of enemies of the state' that they use such things. Question is.. who defines that term?  Today it's a racially profiled group of people who just happen to follow the faith of Islam.

Fifty years ago it was a man of faith from Birmingham, Alabama. (Martin Luther King Jr.).

With the amount of data and information one can get on a person online and via their electronic signature, the ability to follow/track/invade a person's privacy with minimal effort and time. Luckily warrantless GPS tracking (and a murkily defined group of things) were recently tossed out of a federal appeals court AND legislation was introduced to counter it as well. (http://news.cnet.com/8301-1009_3-57575796-83/lawmakers-introduce-bill-on-warrantless-gps-tracking/)

Today there are more ways, and more coming, that shrink the world. My issue isn't with the pursuit of perverts and terrorists but the methods being used have minimal oversight and even less regulation on it's use. Technology is rapidly advancing. The time between concept and implementation is radically shrinking. Edward Snowden stated there was little to no oversight or control on how the tools he utilized were used.
A lot of folks forget the State Department employee who tracked presidential candidates' passports in 2008

Back to the issue on hand..

Care to explain how a TOR service based who knows where falls within the jurisdiction of the Federal DOMESTIC Law enforcement agency? The guy the FBI are trying to extradite is in Ireland. Where is the crime? Is it at the point of access by the end user or the content provider. I know that might be a scary thought for internet entities, do you want to be held legally responsible to any of HUNDREDS of jurisdictions? 

How does engineering exploits into the foundation of a phenomenally LARGE part of our world economy isn't a dangerous move?

Because of there will always be a class between the rights of the individual and the needs of the government. We are losing our equilibrium in the process.

I'm technically illiterate but frombwhat i've read, Tor's main intention and purpose was to be used to shirld human and civil rights groups from unsavory authority types and sadly has been repurposed to a degree by child pornographers and other criminal behavior and operations.

But even beyond Tor I'm sure there are many ways to hide or obscure ones identity on the internet. I'm curious if there are any alternative law enforcement techniques that can be utilized whether specifically against criminals using Tor or to broaden the conversation, against other methods of 'hiding' in cyberspace.

Can TOR systems be used for things like civil rights movements within countries like Iran, Syria or Egypt (just to name a few) where massive media suppression and surveillance is common place? Yes. And to some extent it is. It is also the 'shadownet' where warez sites, illegal item sites like Silk Road live and even where kiddie porn rings hide.

The big thing.. the FBI already KNEW that Freedom Hosting had kiddie porn on it. It had been reported by LOTS of folks.

[Neysha]

So how will it be solved? Would greater judicial oversight from the Courts be preferable and actually pursuing warrants before incestigation be enough?

[Callie Del Noire]

So how will it be solved? Would greater judicial oversight from the Courts be preferable and actually pursuing warrants before investigation be enough?

That's the problem.

We are seeing technology advance faster than the consideration of impact. We have a legislative branch that is increasingly mired in contention. To the point this last congress has been the LEAST productive in decades. It's a process that worked good in the past but today our congressional committees need to be a lot more responsive to tech advances and considerate what the law can do to technology and with it.

There are very powerful tools that law enforcement needs but like the military they need Rules of Engagement. The agencies in question might not be the best point to set the rules and let's be honest oversight on a congressional level is a bit slow.

I would suggest a nonpartisan group might be suitable for the 'in the interim' consideration of law enforcement tactics but let's be honest.. today 'non-partisan' is a bad word in DC.

We had a closed committee set up for intelligence actions when it became needed to do it.

[AmberStarfire]

That's disturbing and I'd like to say it's unexpected, but Tor seems too 'big and shiny' a target for the US government to let slip. Some people are using it for bad things, after all - it's a known fact, but a lot of people are using it because they don't like anyone prying in their 'stuffs'.

I was giving thought to changing over to Tor recently, but you don't know who's operating the nodes, and the US government is providing some funding for the Tor network. Anyone who operates an exit node is at pretty big risk, because that's where users' transmitted content becomes visible, and whoever is operating those nodes can (and in some cases has been) prosecuted for content passing through. A lot of people just use Tor for their regular browsing, but a lot of torrent data as well as things people want hidden go through Tor. My understanding is it changes your IP address to that of an exit node, so if you were to access certain sites through it, you might run into problems because the exit nodes are known IP addresses and some sites will block them.

It's really the desire for privacy and security that made Tor appeal to me, but I couldn't bring myself to trust it. It doesn't FEEL secure with all that's going on, and this article only reinforces that. After what happened with Lavabit and other sites, I'm not surprised this was done.

[Tairis]

In essence there is no such thing as a hidden server. Only a server that's location is obscured to the point that it can't be positively identified who it belongs to... and even that can be gotten around.

The real issue is more of a slippery slope argument. FBI will counter with 'but child porn'! And anybody that argues against it, no matter how well, is going to be just a little tainted because even without saying it they can imply 'well look, these guys are clearly defending child porn'.

The question becomes do you trust the government to know when its okay to break their own rules? Because I sure as hell don't.

[Cheka Man]

Child porn is evil but so is a too-powerful government.

[ladia2287]

This is rather disconcerting. There are already so many security issues we have to be aware of in our day-to-day browsing. In this case the FBI has justified their hacking by claiming that the server was being used to distribute an illegal and grossly immoral product, but it's a fine line between justifiable cause and non-justifiable cause. My concern is that this could set a precedent for other breaches of a basic right of privacy. What happened to there being a strict protocol to follow in situations like this?

[Tharic]

If you think the FBI (or more appropriately the NSA) isn't capable of strolling through Tor, you're grossly underestimating our cyber technology and knowledge. This is PUBLIC information what the FBI has done. It wouldn't be public if the government wasn't willing to let it be public. It's known that the NSA can pop the encrypto keys that Tor uses. If that's known publicly, imagine what's not revealed and happening in some white room lab.

As a long-time Tor user, Tor is NOT something that's secure and safe. If you're walking into Tor thinking you're doing something that's "safe", you're going in with the wrong intentions.

It's no different than walking into a dark alley in a big city and thinking that you're doing something "safe". You need to approach anything and everything you do on Tor the same way. With as much caution and care as you can. Just don't make the assumption that anything on Tor, silk road, dealing with BTC or anything else is safe or 100% secure.

Do everything you can to cover your own ass. Even if you're just firing up Tor to go "oh, what's this all about". If you aren't doing it as encrypted and obfuscated as you can possibly do, you're doing it wrong. If you don't know what I'm talking about, unfortunately, you probably don't have much business diving into Tor.

Don't take this the wrong way, because it's for your own personal good and protection. Tor is a dangerous, scary place.

This way be dragons..

[Callie Del Noire]

My issue is this Tharic, if  you can put 'back doors' in Tor software, what is to stop using the SAME justifications for all browsers, email programs, firewalls, even the OS any computer works on. And once that is done, the foundation of trust that all this house of cards called the internet works on. From there, we wind up with a balkanized internet that isn't stable, unified or even half as 'safe' as the one we have now.

[Tharic]

My issue is this Tharic, if  you can put 'back doors' in Tor software, what is to stop using the SAME justifications for all browsers, email programs, firewalls, even the OS any computer works on. And once that is done, the foundation of trust that all this house of cards called the internet works on. From there, we wind up with a balkanized internet that isn't stable, unified or even half as 'safe' as the one we have now.

There's not much need to put 'back doors' into the browsers or email programs we use. The majority of traffic transmitted via the Internet using most browsers and email programs is 100% unencrypted. It's plain text. I could drop a wifi laptop next to most office buildings, be on their network in about 5 minutes an gobbling up unencrypted data with an easy linux app such as tcpdump or wireshark or ettercap.

That's not even getting into the concept of having IXP level access, like the government does. (and don't believe the NSA doesn't have access to core IXP's) I mean, look at the southeast US. You've got an IXP in Miami, Tampa and Atlanta. Everything else is going to route through one of those IXPs. Even Miami and Tampa route up to Atlanta to get "anywhere"  You sit on a core IXP like Atlanta and you've got access to every drop of traffic flowing out of the southeast of the united states.

If you believe the Internet is safe, you're sadly mistaken.

(And yes, this is what I do for a living. I'm working towards my CISSP certification.)

[Callie Del Noire]

There's not much need to put 'back doors' into the browsers or email programs we use. The majority of traffic transmitted via the Internet using most browsers and email programs is 100% unencrypted. It's plain text. I could drop a wifi laptop next to most office buildings, be on their network in about 5 minutes an gobbling up unencrypted data with an easy linux app such as tcpdump or wireshark or ettercap.

That's not even getting into the concept of having IXP level access, like the government does. (and don't believe the NSA doesn't have access to core IXP's) I mean, look at the southeast US. You've got an IXP in Miami, Tampa and Atlanta. Everything else is going to route through one of those IXPs. Even Miami and Tampa route up to Atlanta to get "anywhere"  You sit on a core IXP like Atlanta and you've got access to every drop of traffic flowing out of the southeast of the united states.

If you believe the Internet is safe, you're sadly mistaken.

(And yes, this is what I do for a living. I'm working towards my CISSP certification.)

Thing is, and I am aware of the vulnerabilities as well, is you don't violate your own laws to find wrongdoing. It is bad practices. It's stupid. It undercuts the process, public trust and the stability of the system. If you work in the field, you would agree that engineered vulnerabilities are dangerous as they never STAY secret right? Eventually, someone in the 'wild' will find them right?

That's my issue. We are undermining our own system by endorsing back doors. For god sakes, the NSA purposely put in a hack into an encryption standard.  How can that not be dangerous if leaked ?

[ladia2287]

If you think the FBI (or more appropriately the NSA) isn't capable of strolling through Tor, you're grossly underestimating our cyber technology and knowledge. This is PUBLIC information what the FBI has done. It wouldn't be public if the government wasn't willing to let it be public. It's known that the NSA can pop the encrypto keys that Tor uses. If that's known publicly, imagine what's not revealed and happening in some white room lab.

As a long-time Tor user, Tor is NOT something that's secure and safe. If you're walking into Tor thinking you're doing something that's "safe", you're going in with the wrong intentions.

It's no different than walking into a dark alley in a big city and thinking that you're doing something "safe". You need to approach anything and everything you do on Tor the same way. With as much caution and care as you can. Just don't make the assumption that anything on Tor, silk road, dealing with BTC or anything else is safe or 100% secure.

Do everything you can to cover your own ass. Even if you're just firing up Tor to go "oh, what's this all about". If you aren't doing it as encrypted and obfuscated as you can possibly do, you're doing it wrong. If you don't know what I'm talking about, unfortunately, you probably don't have much business diving into Tor.

Don't take this the wrong way, because it's for your own personal good and protection. Tor is a dangerous, scary place.

This way be dragons..

Anyone is capable of hacking into any system, no matter how 'secure' it is. That's why anyone who is smart with their internet access installs firewalls, anti-virus software and takes other security measures. What worries me is the ethics behind the actions of a government-sanctioned investigative body. There may be loopholes in the US law that allows this to happen, I don't know as I don't live there. But I can imagine the stink it would create if my country's equivalent body were caught doing the same thing. I don't believe it is ever okay to invade someone's privacy without their consent and in my opinion this is no better than breaking into someone's home, leaving a few hidden microphones lying around and listening in on everything that happens. Regardless of how it is justified, it is just plain unethical.

[AmberStarfire]

Very little seems to be reliably secure anymore. It's disturbing to see just how much information companies like Google gather about you, and with the advent of social networking and sites like LinkedIn, it's very easy to put a lot of private information out there. Once you do that, it's there. You can take it down, but you can't be sure it's ever truly gone. It only takes a look at the Wayback machine to find something from 10 years ago and removed might still be lurking about.

There need to be more secure options that aren't clunky or complicated (requiring personal keys etc). That is what I was hoping Tor would be - I'm not interested in their onion sites. What I want is a bit of added privacy or anonymity without a slew of information being gathered about me in the process. If you want a web site to work nowadays, to be found and recognised by people, you don't forego Google. They're too popular, but I'll admit I'm so close to ditching Google, Gmail, Yahoo and similar altogether, and trying to find a more private option. The only thing is, for normal everyday people, I'm not sure one actually exists. Tor was a hope, but the FBI got around that with quite a bit of ease. Is email any more secure if it's on your own hosting account, but hosted on American servers?

[AmberStarfire]

An interesting story that's connected:

http://www.news.com.au/technology/us-authorities-shut-down-alleged-silk-road-black-market-charge-accused-mastermind-ross-william-ulbrich/story-e6frfro0-1226731942871

[Callie Del Noire]

An interesting story that's connected:

http://www.news.com.au/technology/us-authorities-shut-down-alleged-silk-road-black-market-charge-accused-mastermind-ross-william-ulbrich/story-e6frfro0-1226731942871

I figured sooner or later this would happen. One of the issues you have to deal with using an alias.. is you ALWAYS have to use it. For everything. You slip up..someone will hear/read it..from there it is a simple step to work through data to find it out. The more you post/chat online..the easier it gets over time.

[Chris Brady]

Thing is, and I am aware of the vulnerabilities as well, is you don't violate your own laws to find wrongdoing. It is bad practices. It's stupid. It undercuts the process, public trust and the stability of the system. If you work in the field, you would agree that engineered vulnerabilities are dangerous as they never STAY secret right? Eventually, someone in the 'wild' will find them right?

That's my issue. We are undermining our own system by endorsing back doors. For god sakes, the NSA purposely put in a hack into an encryption standard.  How can that not be dangerous if leaked ?

Why is this surprising, though?  Governments have been doing this for as long as they've been around.

The sad part of this is, it's that this is nothing new.  We all get upset about it, we all feel violated, but at the end of the day, no one can do anything about it, because if, as someone pointed out, you fight against it, they just point out you're defending criminals.  The ends ALWAYS justify the means.

It's a sick, sad truth.

[Callie Del Noire]

Why is this surprising, though?  Governments have been doing this for as long as they've been around.

The sad part of this is, it's that this is nothing new.  We all get upset about it, we all feel violated, but at the end of the day, no one can do anything about it, because if, as someone pointed out, you fight against it, they just point out you're defending criminals.  The ends ALWAYS justify the means.

It's a sick, sad truth.

Thing is.. it's dangerous. You're literally pulling 'bricks' out of the foundation. It undermines the foundation of your case. I know a few former DAs (like my brother) who wince when they hear things like this. This was a dangerous tactic. Granted it might pay off in the initial case but you are almost definitely assured of a massive appeal with LOTS of groups who would otherwise wouldn't get involved.

-Civil Liberties groups
-Right to Privacy groups like the EFF.

Oh yeah.. definitely going to be messy in the follow up.

[doodasaurus]

An interesting story that's connected:

http://www.news.com.au/technology/us-authorities-shut-down-alleged-silk-road-black-market-charge-accused-mastermind-ross-william-ulbrich/story-e6frfro0-1226731942871

I've been following this story quite closely and it increasingly looks like the TOR hack has nothing to do with it.  In particular, the Silk Road guy was getting sloppy and cocky.  I BELIEVE that what lead to his arrest was really that Ulbrich hired an undercover cop to kill a former business partner who stole from Silk Road, thought here was a growing body of evidence pointing to Ulbrich that had nothing to do with the TOR system.  Like . . . he left his URL in SR code, he had an SR account linked to a Gmail address, they captured some documentation crossing the US/Canadian border that was linked to the SR account liked to the Gmail address, stuff like that.  So far, there has been nothing to indicate that Ulbrich got picked up because of the federal TOR hack and he got caught in very traditional police work.

I also think there's some circumstantial evidence to suggest that Ulbrich was caught by traditional police methods.  In particular, if possible, the FBI would have tried to simultaneously arrest Silk Road's biggest suppliers.  That they didn't, that they arrested this one lone man, suggests to me that they did not successfully infiltrate SR electronically, otherwise I think they would have cast a much bigger net.  I admit that's circumstantial, though, but consistent with the way the FBI likes to arrest racketeers - you take as many as you can all at once to lessen flight.

But I could also be 100% wrong.  ;D

[AmberStarfire]

I'm inclined to agree with you for the most part, Doodasaurus. I've been following the story as well, and it seems that Mr Dread Pirate Roberts made some blunders that led to his identity being found out.

Another story was saying he'd revealed his Gmail address on Stack Overflow (which had his real name in it) and that the guy he'd tried to have knocked off was threatening to reveal the identities of SR users. Also, that he'd already bargained to have at least one other person killed.

It's hard to know which details are accurate and which aren't, but it sounds like it was only a matter of time until his house of cards came tumbling down.

I agree with what Callie's saying though. Personally, I'm of the opinion that they may have decided to bring this guy down now because of current public opinion regarding NSA spying. It's one way to show the public that there's a real and tangible result (and a big one at that) for penetrating what was deemed to be a secure network.

If they had the means to do this before (bring the guy down) but didn't.. until now, it could well be a PR exercise. After all, they had every ability to use the site before to find people out (who's distributing these things). Maybe they can still track things from IP addresses, emails and so forth, but they just compromised their use of the site to catch its owner. But then once they have him, they likely have full access to the site and its records too.

[Callie Del Noire]

I find it very hard to think that anyone that has any thoughts of their own and a willingness to post them online WON'T give away hints to knowledgeable and patient people. Your syntax and sentence structure stands out, I've caught one DM who was mining RPOL for NPCS by putting adds up for games. You have interests you comment on? THose can catch you out. Mr. DPR had an interest in one unusual school of economics. Things like what you do, where you live, which poitics and so on can point you out.

It basically came down to enough data to build a set of points that led back to their suspect.

[AmberStarfire]

In what way was he was mining for NPCs?

I'm inclined to agree - those points add up. It's so easy to put a lot of data out there on the internet, what with social networking, forums, etc.

[Callie Del Noire]

In what way was he was mining for NPCs?

I'm inclined to agree - those points add up. It's so easy to put a lot of data out there on the internet, what with social networking, forums, etc.

He was taking the characters and 'suddenly' the same stats, skills, and gear would show up on a game on another game board.

[Chris Brady]

Thing is.. it's dangerous. You're literally pulling 'bricks' out of the foundation. It undermines the foundation of your case. I know a few former DAs (like my brother) who wince when they hear things like this. This was a dangerous tactic. Granted it might pay off in the initial case but you are almost definitely assured of a massive appeal with LOTS of groups who would otherwise wouldn't get involved.

-Civil Liberties groups
-Right to Privacy groups like the EFF.

Oh yeah.. definitely going to be messy in the follow up.

I'm not going to argue with this, because you're VERY right.  It does undermine the foundation of more than just a case, it undermines the entire point of civilization.

Thing is, it happens more often than we want to admit, or are ever allowed to see.  And a lot of the time, we can't fight it because it was used to do some 'good'.  The fact of the matter, a site that allowed child porn to proliferate has been shut down.  This is the end result.  How they got there, no longer matters, because the amount of good done will outweigh anything anyone else will say, because child porn is a such a hot button topic (and rightly so.)

[Oniya]

So, Avast is hyping their latest product - a Virtual Private Network thing, and the ad for today was 'Protect your information from snoops and hackers!'  Then, in smaller letters: 'Yeah, we're thinking of Mr. Snowden's former employer, too.'

[Braioch]

I also find it odd, that despite the myriad of other things on the TOR services, assassinations, drug trafficking, counterfeiting, etc, that this is what they go for...

Well I suppose it does look really really good in the papers. >,>

[Callie Del Noire]

I also find it odd, that despite the myriad of other things on the TOR services, assassinations, drug trafficking, counterfeiting, etc, that this is what they go for...

Well I suppose it does look really really good in the papers. >,>

Not to mention it was something the FBI works hard on.. the Kiddie Porn underground.. the other stuff is not as easy to track.

[Light Ice]

That this horrible material is being hosted on obfuscated servers isn't really the issue; how would you feel if every conversation, every email, every phone call you made was being monitored? Not because you have done anything wrong but because there is a chance than someone else has and we should stop that wrongness. We know you've done nothing wrong so when we do look into you we won't find anything, but those people who have done wrong things they won't want us looking but you're not one of them, are you?

It's very easy to use the "won't you think of the children?" argument to justify just about any action, but that doesn't make it right or legal. In this case it's the FBI, they are a civilian organization and should be subject to the same laws as everyone else but in this (and possibly many other instances) they appear to invoke a variant of the ancient rule - It's not cheating if you don't get caught.

It's important to make it clear that you've already given various entities consent to sift through your personal information.  Every major OS, every major web browser, every major account you have ever signed up for has a TOS.  That TOS allows them to review any and all content you view.  This is aggregated into tables and categorized for many purposes.  Advertising, mainly, but others as well. 

So, before you kill the government for going through your computer, you should reconsider where your arguments lie.  Google knows a great deal more about you then the government does.  The reason being, obviously, you've given them permission to.

[Valthazar]

It's important to make it clear that you've already given various entities consent to sift through your personal information.  Every major OS, every major web browser, every major account you have ever signed up for has a TOS.  That TOS allows them to review any and all content you view.  This is aggregated into tables and categorized for many purposes.  Advertising, mainly, but others as well. 

So, before you kill the government for going through your computer, you should reconsider where your arguments lie.  Google knows a great deal more about you then the government does.  The reason being, obviously, you've given them permission to.

This is an excellent point, but none of us agreed to a contract letting us know the government would have access to this data. 

If you read those TOS, you'll see explanations for when information can be disseminated to third parties (such as in criminal investigations, certain marketing purposes, etc).  As it stands, Google and many of these other companies claim they were not aware that government had access to their servers, but if they did, many clauses in their TOS have been violated - unless they protected themselves in the contract through broad/vague wording.

[Light Ice]

This is an excellent point, but none of us agreed to a contract letting us know the government would have access to this data. 

If you read those TOS, you'll see explanations for when information can be disseminated to third parties (such as in criminal investigations, certain marketing purposes, etc).  As it stands, Google and many of these other companies claim they were not aware that government had access to their servers, but if they did, many clauses in their TOS have been violated - unless they protected themselves in the contract through broad/vague wording.

The latter is true.  Google, and others, are very well aware that their data is mined by many different organizations.  Governments, really, being the least of which.  Now, granted, your data is safer on Google than it is on your employer's servers (where you log into facebook and other things throughout the day) because Google has a vested interest in keeping your information safe.

There's a few giant, smoking loopholes present in the law (what little there currently is) when it comes to accessing data.  It's really a place where we are terribly behind the curve and consumer/congressional education is so poor in the subject that there simply isn't a solid enough understanding of the digital world to intelligently inform policy makers.

And other questions abound.  One that nobody seems to have brought up is the great halo of "probably cause" when it comes to law enforcement in the US.  Under that little caveat; law enforcement would have a right to that data if they have reason to believe a crime is being committed.  I think they have reason enough when it comes to DeepNet and pornography.  We can at least agree on that little thought, right?

The trouble is that as an IT Professional - I don't understand or even believe people that claim outrage here.  Almost everyone I know is so willy-nilly about what TOS they are signing and what website they're logging into (with same account names and passwords and emails and locations) that I can't take it seriously when people start complaining that Big Brother is watching us.

Hell, it's been legal for the government to watch us for the better part of ten years.  Back then, though, everyone agreed it was in our best interests.  Now that the law got pushed on through and we're starting to learn just what exactly we agreed to - everyone is upset.

Nobody, ever, reads the fine print.

I guess, to be clear, my point is that you shouldn't care because you've already been scouted so intensely that you couldn't imagine what people know about you.  There's a pretty famous case of a woman getting an email from Amazon congratulating her on her new baby (before she knew she was pregnant) because the data from her purchases put her in an expectant mom's ad bracket.

The point is - you've given up all of your privacy already to so many different organizations why is it the government getting in on the fun suddenly concerns you?

[Valthazar]

I guess, to be clear, my point is that you shouldn't care because you've already been scouted so intensely that you couldn't imagine what people know about you.  There's a pretty famous case of a woman getting an email from Amazon congratulating her on her new baby (before she knew she was pregnant) because the data from her purchases put her in an expectant mom's ad bracket.

The point is - you've given up all of your privacy already to so many different organizations why is it the government getting in on the fun suddenly concerns you?

I fully agree with this, and I have no issues with search warrants being issued after probable cause is determined.

However, I am concerned about violations of the 4th amendment - which is unique to the role of government.  The fact that the DOJ is able to access our electronic transmissions without a search warrant shows how far behind the times Congress is, as you said, in addition to their total negligence of our Constitutional rights.

http://news.cnet.com/8301-13578_3-57583395-38/doj-we-dont-need-warrants-for-e-mail-facebook-chats/

You're right in comparing the personal implications of the information Google has, to the information the government potentially has.  But you cannot compare the two as being one and the same from a Constitutional or even legal perspective.

[Light Ice]

You're right in comparing the personal implications of the information Google has, to the information the government potentially has.  But you cannot compare the two as being one and the same from a Constitutional or even legal perspective.

That's a fair statement and one that I can agree with.  Still, and maybe as an IT Professional I'm jaded.  I've read hundreds of personal emails from employees in the last several years.  I've entered their private accounts.  Outrageous, some say, but when you take employment at many companies some of the fine print on your agreement with them allows them to enter into whatever you do on their time.  If you log into your Facebook on company time, on a company network, chances are their IT Department has hijacked a session you didn't log-out from and browsed around.

We are encouraged, sometimes told, to do this.

So, knowing that Google knows your work schedule, purchasing habits, credit history, bank of choice, meal of choice, TV show of choice, movie of choice, and your work knows all of these things as well - Is there a practical way to keep the government from taking the same liberties?

I guess.  But you'd have to read the fine print on a lot of bills and laws, do a lot of hard work both via voting and activism, and change mechanisms that have been in-place for the better part of the last decade.

I -do- see the principle and agree with it.  But, being a realist in the profession, I cannot see it changing and think energies could be better spent elsewhere.

[Callie Del Noire]

My issue is this..

If I put a document in a folder and put it in safe/filing cabinet/desk drawer, they need a warrant to get to it. If I had the same document on dropbox, an email, voice mail or on my frigging locked cell phone.. it's the same material and is still as privileged. If I was to take documents with the same impunity the feds assert they can do without due process.. and acted on those things.. they could LOCK ME up.

If it's illegal for me.. it should be illegal for the cops. No double standard.

Electronic data is the same content .. you can't open a persons snail mail without due process.. why should an email be any less private?

[Light Ice]

My issue is this..

If I put a document in a folder and put it in safe/filing cabinet/desk drawer, they need a warrant to get to it. If I had the same document on dropbox, an email, voice mail or on my frigging locked cell phone.. it's the same material and is still as privileged. If I was to take documents with the same impunity the feds assert they can do without due process.. and acted on those things.. they could LOCK ME up.

If it's illegal for me.. it should be illegal for the cops. No double standard.

Electronic data is the same content .. you can't open a persons snail mail without due process.. why should an email be any less private?

Sure, again, I agree with the principle.  There's a lot of issues at play, like I said, regarding probable cause and what you've agreed to via laws signed into place and the TOS you've agreed to.  Many companies even state they openly share all information with the authorities on request (not just subpoena), so there's a lot of that as well.  It's more convoluted then "Hey, it's mine so it's mine."

Because when it comes to data it almost never is -yours-. 

[Valthazar]

Sure, again, I agree with the principle.  There's a lot of issues at play, like I said, regarding probable cause and what you've agreed to via laws signed into place and the TOS you've agreed to.  Many companies even state they openly share all information with the authorities on request (not just subpoena), so there's a lot of that as well.  It's more convoluted then "Hey, it's mine so it's mine."

Because when it comes to data it almost never is -yours-.

You make a good point about negligence on the part of individuals.

Many people see no issue in the fact that instant messaging programs save chatlogs - even if only locally on the person's computer.  I remember when GChat or AIM first came about, it gave a notification to the other person in the chat, that the chat was being logged.  I think once companies realized no one cares, they stopped even putting these warnings.

This is no different from telephone conversations being recorded.  There are 12 states in the US that require both parties in a phone call to be informed that a recording is taking place.  Understandably, most of us would get a little reluctant if we knew a call was being recorded, but perhaps we don't feel the same way for an IM conversation being logged.

[Light Ice]

You make a good point about negligence on the part of individuals.

Many people see no issue in the fact that instant messaging programs save chatlogs - even if only locally on the person's computer.  I remember when GChat or AIM first came about, it gave a notification to the other person in the chat, that the chat was being logged.  I think once companies realized no one cares, they stopped even putting these warnings.

This is no different from telephone conversations being recorded.  There are 12 states in the US that require both parties in a phone call to be informed that a recording is taking place.  Understandably, most of us would get a little reluctant if we knew a call was being recorded, but perhaps we don't feel the same way for an IM conversation being logged.

Yeah, this is all extremely well said.  There is a terrible complacency on the part of consumers here when it comes to digital information.  I think, perception wise, people believe some things about their chats, emails, and personal information that isn't actually true in the digital world.  I think people believe that all of those things are as private online as they are in real life.  They say, it has to do with me so obviously it's mine.

But the truth couldn't be further from that scenario. 

Anything you divulge or volunteer on web services typically ends up in the ownership of the provider.  Most providers sell that information to other companies for the purpose of advertising.  Others simply categorize it themselves.  But, regardless, the information itself belongs to them.  They have a legal ownership of it that you signed away when you agreed to use the service.

That makes legislation very difficult.  Consumers are going to have to change their behaviors and complacency if any law protecting their information is going to be pushed forward.

[Neysha]

This is an excellent point, but none of us agreed to a contract letting us know the government would have access to this data. 

If you read those TOS, you'll see explanations for when information can be disseminated to third parties (such as in criminal investigations, certain marketing purposes, etc).  As it stands, Google and many of these other companies claim they were not aware that government had access to their servers, but if they did, many clauses in their TOS have been violated - unless they protected themselves in the contract through broad/vague wording.

I've always wondered about the excessive verbiage of TOS and similiar cover your ass type of documentation. I've heard... solely through word of mouth, that some TOS or other legal agreements of that nature aren't nearly as enforceable as believed. I'm sure it depends on the service or program or whatever, but... at the risk of further derailing this thread, I'm wondering just how legally binding these TOS agreements are ultimately. Is it really as simple as if you sign it, you must follow everything they state, because if so, it seems like an easy way to engage in abuse since I'm sure 99% of people barely scan such agreements ultimately before agreeing to them. Or is it simply another mechanism to provide some legal cover to the issuer of the TOS, but still far from some sort of legal immunity granting document.

Wow that was a writhing mess of a response.

Yeah, this is all extremely well said.  There is a terrible complacency on the part of consumers here when it comes to digital information.  I think, perception wise, people believe some things about their chats, emails, and personal information that isn't actually true in the digital world.  I think people believe that all of those things are as private online as they are in real life.  They say, it has to do with me so obviously it's mine.

That's an excellent point. I'm definitely one of those complacent types. One can only imagine what would happen to my reputation when they crack open my Elliquiy posting history for example. ;)

Though I am wondering if that Consumer Privacy Bill of Rights concept is going to be applicable to internet usage and privacy and digital rights. I admit I haven't looked into it much.

But could point to exactly where in any of my posts I wrote that you supported the FBI?
If you can't support the allegation that I'm deciding what your opinion is you should apologise.

And I don't care how "polite" it is, where do you get the nerve to tell people what they can and can't respond to?

First off, I will not apologize considering the tone of your response in Post #6 by implying I'm parroting some "Won't you think of the children?" argument when I'm politely asking a fair question. If you wish to intellectually gratify your sensitivity to being disagreed with, go seek some other foil. Nothing you stated in your replies to my questions had anything to do with my question and yet I do not seek succor from you apologizing to me for your intentional ignorance of the very post you were responding to. Furthermore I never told you what you could and couldn't respond too. I merely wished for an answer to my question, which you repeatedly failed to address with your responses directed towards my questions. If you feel it is offensive that I politely ask for my question to be answered by people responding to it, then I will tell you now, I apologize if I offend you, but I will not radically change my behavior so much so as to leave myself open to abuse and misinterpretation without challenge.

[Valthazar]

I've always wondered about the excessive verbiage of TOS and similiar cover your ass type of documentation. I've heard... solely through word of mouth, that some TOS or other legal agreements of that nature aren't nearly as enforceable as believed. I'm sure it depends on the service or program or whatever, but... at the risk of further derailing this thread, I'm wondering just how legally binding these TOS agreements are ultimately. Is it really as simple as if you sign it, you must follow everything they state, because if so, it seems like an easy way to engage in abuse since I'm sure 99% of people barely scan such agreements ultimately before agreeing to them. Or is it simply another mechanism to provide some legal cover to the issuer of the TOS, but still far from some sort of legal immunity granting document.

From what I understand, the enforceability of TOS is based on how reasonably accessible they are to the user, as well as how abundantly clear the terms were made when they first joined.

There was a landmark case called Schnabel v. Trilegiant Corp. where these two people signed up for some paid membership program online, and then when they tried to cancel, they did not receive a full refund as they had assumed.  They took it to court, and Trilegiant (defendant) claimed that they had simply emailed the TOS after the registration, and that the user's continued membership demonstrated their agreement to the TOS.  In the past, this defense would have stood up, but the judge in this case intelligently stated that "shrinkwrap-style" contracts (the kind you see shoved in packages) that are not explicitly provided, may not always stand up in court.

http://www.bna.com/shrinking-relevance-shrinkwrap-b17179869529/

That's why more and more companies now are explicitly showing their TOS right at the beginning of registration, and we need to actually scroll down before the "I agree" button even shows up.  I know a lot of people (including myself at times) just quickly scroll down and click agree, but from what I understand, this particular style of explicit agreement is very much legally binding - unless there is something I am not aware of.

This is also why whenever you update your PS3 or whatever, you have to click 'I agree' each time, to show that you are aware of changes to the TOS.  Same thing with updating your phone apps, and permissions change.

[gaggedLouise]

A wonderfully goofy quote from a senior judge set to handle requests and appeals relating to military intelligence in Sweden (these issues are as vigorously discussed here as in the U.S., and we're actually providing you with substantial data/listening-in on Russian internet traffic - it's always an exchange of services deal). This snippet of a vrief phone interview sounds like something out of Austin Powers:

"I am unable, of course, to comment on what kind of methods the FRA /military intel snoopers/ make use of in order to bring in their information. That's qualified secret stuff, you see, and if I were to talk around it could be a breach of national security. - Ah, one of our secret phones is buzzing right here, so I will have to end this pleasant conversation. Goodbye."

The "secret phone" cue totally does it. :D