A federal judge for the Eastern District of Virginia has ruled that the user of any computer that connects to the Internet should not have an expectation of privacy because computer security is ineffectual at stopping hackers.
"Hacking is much more prevalent now than it was even nine years ago, and the rise of computer hacking via the Internet has changed the public's reasonable expectations of privacy," the judge wrote. "Now, it seems unreasonable to think that a computer connected to the Web is immune from invasion. Indeed, the opposite holds true: In today's digital world, it appears to be a virtual certainty that computers accessing the Internet can—and eventually will—be hacked."
The judge argued that the FBI did not even need the original warrant to use the NIT [Network Investigative technique/Toolkit] against visitors to PlayPen, a hidden service on the Tor network that acted as a hub for child exploitation.
(Score: 1, Informative) by Anonymous Coward on Saturday July 02 2016, @06:49AM
Good thing there are duplicates connected to the internet so we can search through them.
https://soylentnews.org/article.pl?sid=16/06/25/1650257 [soylentnews.org]
Using this as a ploy to get Dice to purchase SN to make up your funding shortfall is provocative, but maybe simple groveling would be more effective?
You can start with TMB saying one nice thing about socialism.
I'm waiting.
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @06:54AM
Conspiracy theory. Yawn.
(Score: 3, Insightful) by MostCynical on Saturday July 02 2016, @08:04AM
First they came for the ACs, but I was not worried, as they rarely added much to the discussion, anyway..
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 3, Insightful) by The Mighty Buzzard on Saturday July 02 2016, @10:32AM
Nothing wrong with socialism as long as it's voluntary. It's just not for me.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @05:50PM
That's the best you can do for "nice"?
Well, for you, I suppose so...
(Score: 5, Insightful) by maxwell demon on Saturday July 02 2016, @06:51AM
In other news, a court decided that houses aren't private, as it is easy to break into a house, as the large number of burglaries demonstrates.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @06:52AM
You were unaware of no-knock search warrants?
Fuckers don't even have to pay for damages.
(Score: 1, Insightful) by Anonymous Coward on Saturday July 02 2016, @07:44AM
If you can't see how this is an even bigger issue, well I've got a list of rights to sell you :)
(Score: 1, Insightful) by Anonymous Coward on Saturday July 02 2016, @07:54AM
And if you are too ignorant history, your bill of rights wouldn't have helped anyway.
Most of this legal reasoning follows from the destruction of evidence arguments that went with the war on drugs. Your right to privacy was kicked-in, literally, once the judiciary decided preserving evidence was more important than you being secure in your effects.
This is that same sensibility applied to the digital domain, with cops being able to kick-in your fire wall in order to gain evidence.
(Score: 2) by The Mighty Buzzard on Saturday July 02 2016, @10:34AM
Being able to try...
My rights don't end where your fear begins.
(Score: 4, Interesting) by butthurt on Saturday July 02 2016, @06:16PM
A lawyer for EPIC has made the argument (although AFAIK it wasn't presented in this particular case) that government-placed malware could violate the Third Amendment:
--https://web.archive.org/web/20131209153222/https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2257078 [archive.org]
an article about it:
https://web.archive.org/web/20130520032527/http://fiercegovernmentit.com/story/third-amendment-constrains-military-cyber-operation-argues-epic-lawyer/2013-05-05 [archive.org]
(Score: 4, Insightful) by davester666 on Saturday July 02 2016, @08:03AM
The judge is saying that since burglars have no problem breaking into houses, it's inevitable that your house will be broken into, therefore, the police can break into your house whenever they want, no warrant is required.
Ergo, I can't think of any place where the police would be required to get a warrant.
(Score: 1, Interesting) by Anonymous Coward on Saturday July 02 2016, @08:14AM
Um, no.
The judge is following arguments that the police can peer through your windows, and what ever is in plain sight becomes probable cause. The window is your internet connection.
It's not like he gets to make such a radical pronouncement without some prior legal standings to fall back on.
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @08:17AM
Um, yes, and you're a fool. The mere fact that someone's security is bad doesn't mean you can break into someone's house, break into someone's computer, etc. If anyone other than law enforcement did this, they would probably go to prison.
If he's relying on precedent, then that precedent was made by judges who also didn't follow the constitution. They are traitors.
(Score: 1, Touché) by Anonymous Coward on Saturday July 02 2016, @08:28AM
"They" didn't break into his computer. "They" had a honeypot and monitored traffic.
But you know what? Fuck it! Declare yourself Superpatriot and get all hot and bothered instead of thinking through the line of reasoning and coming up with a reasonable counterargument.
That's so much better.
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @08:38AM
My counterargument was a reasonable response to abject stupidity.
(Score: 3, Informative) by Anonymous Coward on Saturday July 02 2016, @10:05AM
In the previous story (this is a dupe) with a far more informative article:
https://www.helpnetsecurity.com/2016/06/24/fbi-doesnt-need-warrant-hack/ [helpnetsecurity.com]
The NIT also instructed Matish's and other suspects' computers to send information about the OS running on it, its name, its MAC address, and its active operating system username to the server controlled by the FBI.
Thus they did a lot more than traffic monitoring. The retarded/evil judge himself said it:
“Hacking is much more prevalent now than it was even nine years ago, and the rise of computer hacking via the Internet has changed the public’s reasonable expectations of privacy,” he opined.
Hacking is far closer to "Breaking and Entering" than peering into windows of a house.
(Score: 2, Insightful) by Anonymous Coward on Saturday July 02 2016, @03:27PM
If I read this article, it sounds like the Network Investigation Technique (NIT) does something like this:
1) Perp Attempts to access illegal image on WWW site that is controlled by the FBI with their NIT software installed.
2) NIT sends back some javascript or perhaps tickles a browser bug and instructs the browser to do something in a certain way that reveals public IP address outside of TOR and/or collects other identifying info. I am not sure what the black magic is here, but if it can be done.....
3) IP address and other info is sent back to WWW site where the illegal image resided.
If that is the way it went down, then I have no problem with what the FBI did. You really shouldn't have an expectation of privacy with respect to a WWW server if you are initiating connections to it. That is what privacy policies are all about....in theory any WWW site can put up a privacy policy that says "we will collect and use anything we can if you connect us".
Reading the TFA it doesn't sound like the computer was just sitting there minding its own business when the FBI came breaking in....
You wanna maintain your privacy, don't connect to WWW sites....just because you use TOR doesn't guarantee you a right of privacy.
(Score: 1, Touché) by Anonymous Coward on Saturday July 02 2016, @04:26PM
No, but I would have thought that a person who specifically uses the Tor browser might have an expectation of privacy.
(Score: 1) by kurenai.tsubasa on Saturday July 02 2016, @05:38PM
instructs the browser to do something in a certain way that reveals public IP address outside of TOR
This part is concerning. From a technical standpoint, how are they inspecting the computer's network interfaces, and how should I patch my browser so that it isn't affected? The article mentioned MAC address, which I understand may be used when generating a UUID [wikipedia.org]. I haven't dug into any UUID generation libraries—fairly certain version 1 isn't used widely—, but version 3 and 5 both mention using a DN which may contain the username that article says was retrieved. Version 5 uses SHA-1, which could be brute forced if I'm not mistaken. (Version 3 is MD5 so all bets are off.)
I'm pretty such just about every library hands out version 4 UUIDs. Those wouldn't disclose either MAC address or username/DN.
Here's a discussion about generating version 4 UUIDs in JavaScript. [stackoverflow.com] I'm trying to remember if Flash ActionScript had UUID generation (ugh, can't believe I still have a project written in Flex, made it just a couple years before HTML5 was ready). Looks like mx.utils.UIDUtil [adobe.com] would be the suspect. It generates version 4 UUIDs, but I'm wondering if UIDUtil.getUID(someObject) might return a vulnerable version. Meh, no way I'm bothering with setting up a Flex environment on the home computer to give it a test, will need to wait until Tuesday to see on the work machine.
Anyway, I'd have trouble finding a problem with firing off nmap -A. I would hate to think that this constitutes “hacking.” On the other hand, if Flash is the vulnerability, I guess ¯\_(ツ)_/¯. I still wouldn't tend to think it's hacking unless it's exploiting a browser bug. Wonder if we'll ever know for sure?
(Score: 2) by quintessence on Saturday July 02 2016, @05:48PM
The difficulty here is that the FBI were in control of and distributing child pornography. Big no-no as it wasn't a part of the original operation, as well as questions as to when/why the FBI gets to break the law.
The other part, if i recall correctly, is that the FBI have not revealed how they obtained the IP addresses, so there are questions as to the veracity of the evidence and even who actually accessed the site (see story here [soylentnews.org]with another court ruling that an IP address isn't enough to establish guilt).
Charges have already been dropped in several of the arrests since the FBI didn't attempt to obtain a warrant, so this seems like hail marry to see if the charges will stick.
And after all that, you can have the philosophical argument of police monitoring even though you are in a public space without just cause. It seems the police get very irate when the cameras are turned back on them, even though they are in a public space too.
I doubt the judge would take kindly to people peering into the windows of his house.
(Score: 2) by davester666 on Saturday July 02 2016, @08:32PM
Having to "hack" the destination computer means it's not just looking in. It is more like carefully bumping the lock, or cutting out the window so the owner can't readily tell you opened the door/window to see something you couldn't without doing it.
"looking through a window" would be analogous to what your browser sends without hacking or even if you have file sharing turned on, and your computer is directly attached to the internet and the fbi could log onto your computer WITHOUT needing a user name/password.
(Score: 4, Insightful) by Bot on Saturday July 02 2016, @07:59AM
Yes, if you did not want your house to be broken into, you should have not made it reachable from the street, duh.
Account abandoned.
(Score: 2) by Nerdfest on Saturday July 02 2016, @02:55PM
So much for "stealing military or state secrets" then.
(Score: 2) by digitalaudiorock on Saturday July 02 2016, @01:38PM
Exactly, because after all you can "see" the front door right? I saw this story a while ago:
https://www.helpnetsecurity.com/2016/06/24/fbi-doesnt-need-warrant-hack/ [helpnetsecurity.com]
I was talking to lawyer friend about this one. He thinks there's almost no question at all this insane ruling will be appealed and reversed by a circuit count. So in the long run it will just set a precedent preventing such idiocy from the affected districts.
(Score: 4, Insightful) by Anonymous Coward on Saturday July 02 2016, @03:46PM
And yet DRM, no matter how ineffective or trivial, is enough to kick in all sorts of legal protections for corporations...
(Score: 4, Informative) by butthurt on Saturday July 02 2016, @06:55AM
/article.pl?sid=16/06/25/1650257 [soylentnews.org]
(Score: 2, Interesting) by Anonymous Coward on Saturday July 02 2016, @10:14AM
Yeah and this story leaves out important details of what actually was done e.g.
The NIT also instructed Matish’s and other suspects’ computers to send information about the OS running on it, its name, its MAC address, and its active operating system username to the server controlled by the FBI.
And because of that some ignorant people here got the impression it's not like breaking into a house.
However there is one additional bit of information that might be interesting to malware authors:
https://assets.documentcloud.org/documents/2840404/Declaration-of-FBI-Special-Agent-Daniel-Alfin.txt [documentcloud.org]
Special Agent Daniel Alfin, who sought the warrant, declared that the NIT program is not malware.
"The NIT utilized in this investigation was court-authorized and made no changes to the security settings of the the target computers to which it was deployed," he said. "As such, I do not believe it is appropriate to describe its operation as 'malicious.'"
(Score: 2, Funny) by Anonymous Coward on Saturday July 02 2016, @11:05AM
Special Agent Daniel Alfin, who sought the warrant, declared that the NIT program is not malware.
"The NIT utilized in this investigation was court-authorized and made no changes to the security settings of the the target computers to which it was deployed," he said. "As such, I do not believe it is appropriate to describe its operation as 'malicious.'"
So stealing (or copying, depending on your stance regarding "all information wants to be free") banking info, personal info, login info, etc isn't "malicious"? Interesting. I guess that means if someone installs a keylogger and/or data harvesting software on every computer in the FBI it isn't "malicious". I'm sure some defense attorneys are going to use this in the very near future, and will probably call Mr Alfin as a defense witness.
(Score: 0) by Anonymous Coward on Sunday July 03 2016, @11:11AM
(Score: 1) by kurenai.tsubasa on Saturday July 02 2016, @05:59PM
Thanks for the link! This was interesting:
I have personally executed the NIT on a computer under my control and observed that it did not make any changes to the security settings on my computer or otherwise render it more vulnerable to intrusion than it already was. Additionally, it did not “infect” my computer or leave any residual malware on my computer.
It's still murky whether this is some kind of drive-by download or else a browser exploit (or Flash being Flash and insecure). In my mind, how exactly the code got on the computer is an important bit that clicking through the comments section here hasn't revealed yet. It's important to distinguish the computer responding to a request from the internet as it was designed to since we don't want to say that typing in the wrong URL on a website constitutes hacking from delivering a package that either exploits a browser/Flash bug or else executes outside the context of a browser.
I tossed around one scenario in my other comment where Flash might serve up a MAC address or username by design, which I think would fall under “peering through the window.” And yeah, Flash sucks, but I think exploiting even one of its flaws goes beyond peering through windows. After all, just because most home locks are easy to bump key doesn't mean that using a bump key is access by design.
(Score: 2) by The Mighty Buzzard on Saturday July 02 2016, @10:36AM
Heh, poor eds.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @07:01AM
Hack in to see me unwashed, unkempt, naked, and masturbating furiously.
(Score: 2) by chromas on Saturday July 02 2016, @07:56AM
And then you get arrested for public indecency and endangering the eyes of children. You must now register for life.
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @08:02AM
Unsure if good or bad. Do sex offenders get more sex or less sex after registering?
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @02:52PM
Same amount, it just happens to be incredibly offensive.
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @07:21PM
Hack in to see me unwashed, unkempt, naked, and masturbating furiously.
Do you have a blog or a newsletter?
(Score: 2) by MostCynical on Saturday July 02 2016, @08:09AM
if they hack your computer and find a torrent file, what are the chances ALL your computers get comfiscated when they arrive in person, even your "air gapped" devices?
Does anyone here have any "air gapped" machines?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by Scruffy Beard 2 on Saturday July 02 2016, @08:13AM
Air gapped machines are useful for storing Bitcoin or running centrifuges,
(Score: 2) by MostCynical on Saturday July 02 2016, @08:30AM
Cue TLA: "see, we *knew* he was up to no good!"
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @10:45AM
Maybe with enough digging and "interpretation of the law" they might be able to find stuff to "hang" us with.
FWIW in my fucked-up country "normal" porn is illegal, so probably even instagram /imgur photos in caches would be enough to send me down.
In your country maybe baby/child photos would be enough (if you're unlucky even fully clothed ones might be considered child porn).
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @11:13AM
if they hack your computer and find a torrent file
I don't think you're as cynical (or realistic, but I repeat myself) as your name suggests.
Try this: "when they hack your computer and plant some child porn"
(Score: 3, Interesting) by MostCynical on Saturday July 02 2016, @11:22AM
all they need to do is convince the judge *something* is "encrypted".
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @06:52PM
Damn, that's cynical. *looks at username* Very well, carry on.
(Score: 2) by HiThere on Saturday July 02 2016, @07:11PM
Yes, two. One's an MSWind95 machine and the other's a Mac OS10.4. Both are kept because I have some data in proprietary formats that I can't convert into portable formats. Both are increasingly rarely used.
It's too bad, because Deneba Canvas was the best graphics program for my purposes that I've ever encountered...except for the proprietary file format.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 3, Insightful) by Bot on Saturday July 02 2016, @08:16AM
We should never forget that everything Adolf Hitler did in Germany was "legal" and everything the Hungarian freedom fighters did in Hungary was "illegal." -- M.L.K.
Of course it was to fight child abuse so it's fine.... er, does the court ruling specifically restrict this to abuse or terrorism?
In defense of the ruling, however, it states the obvious if you consider most people still run proprietary software, that your internet hub is rarely kept secure, and that the motherboard is full of DRM/remote control stuff. In other words, the FBI is allowed to do what all the software corporations, hardware makers, and assorted hackers do anyway.
Also look at the bright side, nobody is likely to hate USians for their freedom anymore.
Account abandoned.
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @08:26AM
Godwin'd by Martin Luther King? Right on, brother.
(Score: 4, Insightful) by Anonymous Coward on Saturday July 02 2016, @11:27AM
Also look at the bright side, nobody is likely to hate USians for their freedom anymore.
Eh, we never did. We hate you (well, not you, your government) for your economic bullying, bombings, indiscriminate killings of civilians, constant wars you rarely bother to declare, and overall ignoring of human rights and international laws.
It's just that you started getting some of it splashed onto you, and it's a different beast when a government pulls that shit on their own people. After all, they never swore to serve and protect us, but doing that stuff to you is a really low blow. For that, you have my sympathy. (And to be clear, I'm not being sarcastic!)
(Score: 3, Insightful) by mendax on Saturday July 02 2016, @08:17AM
This reasoning is absolutely insane, and fortunately it will almost certainly be overturned on appeal. If this ruling is allowed to stand then the entire Fourth Amendment protection against unreasonable search and seizure is doomed. Certainly, my house can be broken into by any person wishing to break a window. Does this mean that I therefore forfeit any privacy from police searches because I don't have steel shutters on my windows and doors and keep them closed 24/7?
It's really quite a simple choice: Life, Death, or Los Angeles.
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @09:47AM
Yes. According to this ruling.
However, not even steel shutters or a steel door will change this as your house is still open because a crowbar or a sledgehammer can "open" the doors and windows.
Next up: You choose glass for your windows instead of highly resistant plastic. This is the same as inviting police in as glass is so easily broken.
Perhaps it is time to make Active Defence systems legal.
Does it really get any worse than when anyone can go through your private documents any time they want?
(Score: 2) by The Mighty Buzzard on Saturday July 02 2016, @10:41AM
Well, what this really says is the police can try to break into your computer. Much like they can try to break down your door. There's nothing stopping you from having a foot thick oak door with hinges as big as your wrist though.
My rights don't end where your fear begins.
(Score: 1, Informative) by Anonymous Coward on Saturday July 02 2016, @11:39AM
There's nothing stopping you from having a foot thick oak door with hinges as big as your wrist though.
You forget how much excess military equipment has been given to the police to "counter threats of terrorism". Since there is no actual threat of terrorism, they keep using their new toys whenever they get even a smallest excuse. A foot thick oak door is a great excuse (as you are obviously hiding something) to get out an MRAP [wikipedia.org] and a few bazookas.
If the police can't kick your door down, they'll just flatten your entire house. Well, sometimes they'll flatten it [imgur.com] just because they're scared of a shoplifter [techdirt.com]...
Ain't police state fun (for the police)?
(Score: 0) by Anonymous Coward on Sunday July 03 2016, @11:22AM
Well at least there was someone in there for the "brave boys in blue" to be scared of unlike this case:
http://www.policestateusa.com/2014/melinda-de-la-torre-raid/ [policestateusa.com]
A SWAT team spent hours firing “mortars, grenades, and teargas canisters” at an empty home. The 4-hour siege destroyed windows, doors, and walls and left the home in ruin. The suspect didn’t even live at the address, and the innocent homeowner was left homeless for months and ultimately was stuck with over $100,000 in repair bills, which the responsible parties have refused to pay.
I'll say it again, the big problem in the US is too many of your cops are cowards. I'm a coward too, but at least I don't go around pretending to be a cop. If you're that scared to put your life at risk you should not be a cop, you'd be a danger to yourself and everyone else. And you'll just make things worse.
Same for soldiers.
(Score: 1, Informative) by Anonymous Coward on Saturday July 02 2016, @04:03PM
... unless your oak door is on a house in certain States, such as Oklahoma and apparently Illinois.
http://www.disclosurenewsonline.com/2010/08/30/heres-a-slippery-slope-if-ever-there-was-one/ [disclosurenewsonline.com]
I'm not supporting the criminal police state by pointing this out, rather showing that if you try to actually secure your home that some cops will try to throw you in a cage for that nowadays, along with everything else. this is all very similar to "speeding", in which case cops have been told by "judges" that they can use the threat of lethal force to arrest (pull over, detain, stop) and search people and their possessions for going even 1mph over the speed limit, 5mph under the speed limit (e.g. likely EXACTLY the speed limit as the in-car speedometer was likely to have read), and if not now then soon for going exactly and precisely the speed limit as it is "all suspicious".
At the core of all this is: if I can't kidnap a person and throw them in a cage for merely driving at any arbitrary speed of my choosing, neither can I delegate that authority to anyone else. Government is just another word for a criminal gang.
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @07:11PM
Just to be sure, use one of these [wikipedia.org]!
(Score: 2) by Common Joe on Monday July 04 2016, @04:10AM
I read this to mean that the judge doesn't expect any privacy on his personal computer and he thinks it's ok that hackers going after it is ok.
To be clear: I do not encourage anyone to do this. I'm merely repeating what the judge said in a more specific way.
(Score: 2) by mendax on Monday July 04 2016, @05:22AM
That's how I read it. Let would be nice for the local cops to hack away at his computer and find his collection of nasty shit.
It's really quite a simple choice: Life, Death, or Los Angeles.
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @12:38PM
Just because crime exists, it does not negate your rights.
"Its easy to kill you, so i guess you are on your own"
(Score: 2) by Dunbal on Saturday July 02 2016, @01:18PM
Coming up next: Houses connected to a public street have no expectation of privacy, because front doors can easily be broken into with a crowbar, and windows can be easily smashed or just plain peeped into.
(Score: 1, Insightful) by Anonymous Coward on Saturday July 02 2016, @01:50PM
Vote with your shotgun.
(Score: 1) by fubari on Saturday July 02 2016, @06:46PM
This seems fundamentally wrong.
Apparently I shouldn't expect my phone calls to be private because... phone company had to know.
Nor expect text, email, etc. because... service provider had to know.
Nor expect my credit card use to be private because.... credit card company had to know.
Nor should my internet-using computer be expected to be private because... hackers (or law enforcement) might break in?
This last one doesn't have 3 parties, just one: me, and another party (hackers) removing my expectation of privacy.
We're going to have to change some laws in the US because the courts aren't doing it right.
So, a serious question here: why does attorney/client privilege still exist?
If mean if you tell anybody else something, or somebody could find out something, how can you have a "reasonable" expectation privacy?
(Score: 3, Insightful) by shortscreen on Saturday July 02 2016, @07:37PM
Anything that can be accessed via the internet is considered public, the CFAA must be null and void. Peeking at politicians' emails and corporate trade secrets are totally legit now.
(Score: 0) by Anonymous Coward on Saturday July 02 2016, @08:20PM
Police sends drone in box with some other kind of gift, something tiny but enough to block a door like a roboinsect, and it blocks the door when the resident goes away. As resident accepted the package and the door is open, the police needs no warrant... correct, stupid judge? After all, the door is connected to the street.