
Company Caught in Texas Data Center Raid Loses Suit Against FBI - peter123
http://blog.wired.com/27bstroke6/2009/04/company-caught.html
======
gojomo
If the data has legitimate evidentiary value, the FBI should be taking images
of the drives then returning the full servers to service... and not the other
way around, where innocent companies only get disk images back.

What's more, with the right equipment and staff, this could have been done
onsite at the colo facility, in the first 24-48 hours, turning machines back
on as soon as the FBI had a forensic copy of their persistent storage.

~~~
SystemOut
I'll go ahead and play devil's advocate here for a moment and look at it from
the FBI's point of view. I can imagine that they would rather keep the
original equipment and make copies for the involved parties. What if they
missed something during the copy or the machines were modified in some strange
way? They don't really want to blow their case.

I agree that they should do it onsite, however, and not make them wait days or
weeks to get it back. It's a lame excuse to seize that many machines just in
case without the ability to assist the businesses to keep operating,
especially in the current economic environment we're in.

~~~
gojomo
Yes, I'm sure that's their reasoning. But we'd never accept it if, for
example, they shut down an entire office building or mall because of a crime
in just one tenant's space, or even a crime by the landlord... on the off
chance a tiny bit of evidence might be in one of the corners of the building.

They get away with it here because the data center is out of view and the
losses are abstract. But the costs they're imposing on third parties, just to
save themselves a little trouble and risk of misidentifying evidence, are
unreasonable.

~~~
stcredzero
Residences are protected against overly broad search and seizure through the
procedure of getting a warrant. A warrant is for a specific address. The
police can't go and cordon off the whole block just because they want to make
sure they get one house.

There needs to be some sort of analogous procedure for datacenters.

------
dkokelley
This is a good example of the FBI's answer to the question "Is it better that
a guilty man go free than 1,000 innocent men be punished?" The FBI is doing
their job to get the 1 or few guilty parties (allegedly - they're innocent
until proven otherwise), but in the process hurting many others.

If anything I think that the FBI should have at least provided more aid to the
innocent parties. Honestly, making them supply their own drives to recover
their data? That's pretty low in my book.

------
patrickg-zill
If the FBI allowed them to have access to their data by copying the hard
drives over, why not let them have the rest of the system back? After all, the
original hard drive is the only part of the system that retains data/evidence.

~~~
ankhmoop
Our servers actually have a full embedded ARM Linux installation to support
IPMI[1]. It has a separate processor, power management, flash storage, et al,
and operates independently of the installed OS. The onboard IPMI module runs
as long as the machine is connected to a power source.

The card can be re-flashed from the running OS, and actually runs a number of
open source network daemons with known vulnerabilities.

It can interact with the BIOS, provide network access to the console, access
the network via the host's ethernet chipset, supply the OS with pseudo-disk
devices (CD-ROM, floppy) ...

[1] http://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface

~~~
patrickg-zill
Yes, a lot of servers have this. My point was more along the idea that as long
as the FBI has the drives, they don't need anything else - so they should
return everything except the original drives.

~~~
klump5
Wouldn't the FBI need to secure any onboard storage, including an embedded
computer running Linux? Can they (currently) guarantee that they've found all
locations on which evidence could be stored?

~~~
patrickg-zill
IPMI servers and related devices like Sun's LOM and HP's iLO have little to no
storage space, perhaps a few MB of flash.

You can set up a limited number of users, like 16, and cannot store or access
random data (i.e. you cannot use it like a 1GB USB drive). Of course, you
could image that data, as there are tools under Linux etc. that let you read
the IPMI / LOM / iLO information.

~~~
ankhmoop
The management modules are often considerably more powerful than what is
necessarily exposed via IPMI -- a number of SuperMicro's IPMI modules have
more than a few megabytes of flash, and do run an embedded version of Linux.

The module's capabilities are not all that different from OpenWRT; they run
Linux, have a network connection, provide a web UI including a 'VNC' server
for the VGA console, run (IIRC) net-snmp ...

If I wanted to obscure my intentions, I definitely would leverage such
non-obvious embedded systems.

------
Herring
Someone in that company needs to read The Tao of Backup, section 3:
Separation.

<http://www.taobackup.com/>

------
vaksel
More reason to have at least a daily backup of your site on S3. Unless you are
hosting trillions of TBs, it's affordable enough as an offsite backup solution.

~~~
gojomo
What if they seize S3?

~~~
dkokelley
I think Amazon will have a better shot at either avoiding that or preventing
outages from that.

~~~
gojomo
Too bad you have to be a multi-billion-dollar corporation to be free from
heavy-handed enforcement actions.

~~~
dmaclay
Actually a canny data-center operator might be able to offer a limited free
service to something like a hospital, allowing them to argue that a wholesale
shutdown might threaten lives. Done just right, the hospital gets a free
service and the data-center gets protection.

~~~
mooism2
Although the FBI have shown themselves to be quite capable of shutting down
911 service, which might threaten lives.

