
I opened a link some random person sent me and I got raided (2015) - geek_at
https://blog.haschek.at/2015-that-not-so-awesome-time-the-police
======
A_No_Name_Mouse
Something similar but less intrusive happened to me. 10 years ago I was in the
early stages of building a price comparison website, still hosted at home. It
scraped product prices of several hundreds of online stores. One day I got a
letter from the police asking me to come to the police station. I called them
asking what this was about, but they said they couldn't tell me on the phone.
I said fine, but I won't bother to make the trip if this is not something
serious. They then told me I was suspected of fraud.

So I made an appointment and talked to the investigator. He told me someone
placed an order at a web shop, then hacked the iDeal transaction, the
electronic payment system in the Netherlands. My home IP address showed up in
the logging. I asked him what the IP address was and I confirmed it was indeed
my IP address. For the investigator, this was a sure sign I was the hacker,
because who on earth knows his IP address by heart unless you're a hacker?
Yeah, I know, not a very smart move.

I told him why my IP address had shown up: the scraper had visited the store
to update prices. And I told him if I was able to hack iDeal transactions I
wouldn't have bothered to make a transaction for a few hundred Euros. In the
end it turned out someone had just placed an order, had it delivered, but
didn't pay the invoice afterwards.

After a couple of months I received a letter stating I was no longer a
suspect, and that seemed the end of it. But not quite: whenever I buy some
form of insurance, one of the questions is if I have ever been suspected of
fraud. Answer yes and there's a good chance the insurer will refuse. Answer
no, and I'm actually committing fraud and the insurance may not be valid. It's
also inconvenient as the same question comes up during screening (I'm a
security officer now).

Lesson learned: my home router now routes all traffic through Mullvad. Just in
case.

~~~
cc-d
I'm not familiar with the legal dynamics of the Netherlands, but this is a
good example of why you should never talk to police without a lawyer present
in the United States.

~~~
A_No_Name_Mouse
Good general advice, but I'm not sure if that would have made a difference in
my case. I was a suspect already. Giving a statement didn't have any negative
consequences for me. Maybe it prevented a raid like in the OP's case.

~~~
blackearl
> whenever I buy some form of insurance, one of the questions is if I have
> ever been suspected of fraud. Answer yes and there's a good chance the
> insurer will refuse. Answer no, and I'm actually committing fraud and the
> insurance may not be valid. It's also inconvenient as the same question
> comes up during screening (I'm a security officer now).

This seems like a negative consequence

------
jrochkind1
> I told them about the script kiddie, the link and that I wasn't using a VPN
> because I did nothing wrong but of course they were sceptical even though
> one of the agents said my story sounded plausible to him.

A) This is a weird thing to tell the cops. "I wasn't using a VPN cause I
wasn't doing anything illegal, I only use VPNs when I do illegal things!"
Uh... you don't want to tell the cops you do illegal things and have opsec
procedures for when you do illegal things! No wonder they were skeptical!

B) This story is literally the explanation of why "If I'm not breaking any
laws, why would I worry about my privacy from the police?" is the wrong
attitude. You don't have to have known you did something wrong/illegal, you
don't even _actually_ have to have done something wrong/illegal -- for the
police to really inconvenience you. It could have been a _lot_ worse than
this. Even people who never knowingly/intentionally break laws have an
interest in keeping their activities from police notice. As this story
demonstrates. "If you have done nothing wrong you have nothing to hide, why do
you mind police surveillance" -- nope nope nope.

~~~
buboard
Surveillance state is the price we pay for a civilized society. Abolishing
that would mean, like, 1% more crime. Nobody wants to live in a world like
that.

~~~
earlINmeyerkeg
A surveillance state wouldn't be such a burden if the rights we had actually
could be enforced on the spot the moment they were infringed by a police
force.

The fact that you can be imprisoned (borderline indefinitely it seems at
times) as well as basically need a lawyer even though your issue is straight
up black and white really shows the failures of a police state. What's the
point in having rights in a surveillance state? The government will just make
stuff up against you anyway.

~~~
ericns
Where you say "really shows the failures of a police state." It's a great
success, the greatest actually. The people who fail to enforce anything
against the police are the same people who need them to act as the tip of
their spear. The purpose isn't everyone's compliance - just the compliance of
those with the potential to change things. Think FBI and MLK, or Aaron Swartz.
It's like spear fishing vs mass spam, tracking the individual agents of change
and their social network vs fire hoses and dogs at protests.

~~~
earlINmeyerkeg
I guess I was coming from the philosophy of why it's bad on a liberalism
mindset. I totally get why it's good for a governing body to assume control.

------
TallGuyShort
So keeping all of his computers for a year sounds like a major pain in the ass
since he's innocent (I'm not that surprised they did it, it's understandable
if you're the head detective, perhaps, but being in tech myself I'm more
understanding of "I just clicked a link" and wouldn't consider that much of
evidence). I'd lose sleep too just at the thought of the pending investigation
and the headache that inherently is even if you're innocent of what they
suspected you of. But honestly it's refreshing to read a story about a police
raid where the police knocked, the warrant was in order, they were polite and
sat down to talk, they explained what was going to happen next, and an agent
even acknowledged in front of him that his story was reasonable. I've had a
few police departments around me that routinely do none of those things.

~~~
jacurtis
The same thing would happen in the USA too. If you were suspected of hacking
into the Democrat or Republican party websites, the FBI would come and
confiscate your computers and hold onto them until after your trial had
finished. This would easily take a year or longer.

~~~
calcifer
Would it happen the same way though, with a polite knock on the door, a calm
chat and orderly evidence collection? In the US they'd probably break the
door, pin the guy down on the floor while armed men ransack the house. Call me
cynical...

~~~
earlINmeyerkeg
And also throw you in jail and keep you there indefinitely regardless of
evidence of you committing a crime.

~~~
jacobwilliamroy
It's true, the jails are so clogged that pre-trial offenders can be held for
months and sometimes years without a conviction in the U.S. Not to mention the
indeterminate number of people who just disappear out of the computer system
and end up being held for months beyond their release date.

~~~
pmoriarty
What's worse, you could be thrown in jail if you're a witness, even if you're
not even suspected of a crime. Some witnesses have been in jail for years.

[http://www.bbc.com/news/world-us-canada-39662428](http://www.bbc.com/news/world-us-canada-39662428)

------
remmargorp64
The lesson here is not to avoid clicking random links, because that is an
unrealistic expectation.

So what is the lesson?

Realize that you can get raided at any time, without any warning, due to
random life circumstances. Live life accordingly.

~~~
sevenf0ur
I was raided (secret service) thanks to a boneheaded roommate. Woke up to guns
drawn and shouting. My advice:

* Don't talk to the police

* Maintain off site backups because they will take everything, even the whole machine in my case

* Encrypt everything, this event really reinforced that for me

~~~
andai
I've been hearing stories of people being detained for refusing to decrypt
their drives.

And the author writes:

> I was also asked for my password and if I had any encrypted data on my PC

~~~
sevenf0ur
You should first consult with an attorney before making any statement to the
police, much less handing over incriminating evidence. I'd rather keep the
option open to fight over it in court than just giving up the key and hoping
that the police will view it in my favor. Also, encryption is a must in case
of theft.

~~~
withinboredom
In some countries, lying or withholding information is a crime itself. The USA
is fairly unique with the "right to remain silent."

~~~
giancarlostoro
Sometimes saying anything at all might incriminate you because you're the only
suspect. Don't talk to cops without a lawyer basically is the way to go in the
USA.

~~~
mikekchar
In Japan, you are currently allowed a lawyer to be present when being
questioned, but it wasn't that long ago that you weren't. However, there was a
bit of a hack: you _were_ guaranteed to have a _translator_. It didn't matter
how good your Japanese language skills were, you could demand a translator
(assuming you spoke another language!) and they had to be present during all
interrogation. While not as good as a lawyer, at least you had a witness if
something untoward happened during the interrogation (which was apparently
quite common in those times). I have heard that since the latest reforms in
the last 10 years (lawyers present during questioning and allowance of a trial
by jury) the incidence of untoward occurrences has decreased. While police
here are an extremely friendly feature in society (very different than any
other country I've lived in), you definitely don't want to get on the wrong
side of the law one way or the other.

------
Jerry2
What's even scarier is when your browser "clicks" on the link by itself [1]
and you don't even realize that you've just sent a request to some 'random'
server and that server now has the log of your IP. If you browse
'questionable' sites, definition of which is growing by the day, you should be
careful in which log your IP might end up in.

I now disable page prefetch on every browser I use. Some browsers don't even
use it (which is a sensible thing in 2020 given the risk vs rewards of having
it turned on).

[1]
[https://en.wikipedia.org/wiki/Link_prefetching](https://en.wikipedia.org/wiki/Link_prefetching)

~~~
SamBam
It took me a while to find the setting -- search Chrome preferences found
nothing for "prefetch," and a how-to article I found claimed the setting was
called "Use a prediction service to load pages more quickly," which also
returned nothing, but I finally found it under Advanced -> Privacy -> Preload
pages.

I was quite pleased, however, to find that this had already been turned off
for me, and enforced, by uBlock Origin:
[https://imgur.com/a/9seIFEU](https://imgur.com/a/9seIFEU)

~~~
rickety-gherkin
You can find the option in FF in about:config by searching "prefetch", but
mine was also disabled already because of uBlock Origin.

------
weinzierl
> After getting my drives back I checked one of my USB drives and it had a
> .docx file on it that didn't come from me. In this Word file there was a
> photo of some guy (unpixeled). I have no idea who that is (maybe the script
> kiddie?) but the federal agency must have put it in there by accident.

Plot twist:

I opened a word document some random agency put on my USB drive and I got a
federal trojan.

------
wyldfire
> After getting my drives back I checked one of my USB drives and it had a
> .docx file on it that didn't come from me.

Booooo. Die BVT dropped the ball on preserving the chain of custody for this
evidence. They should have used equipment that bars device writes.

~~~
biot
Or leaving the .docx file was intentional and by opening it, the guy triggered
a hidden payload which installs malware which the police use to monitor him.

~~~
Timpy
If they had his hardware for a year I don't think they would need him to
trigger a hidden payload.

~~~
voxic11
It's to allow them to continue monitoring his activities going forward, without
the need for annoying warrants and physical searches.

~~~
marblar
I think the point is that they could have just installed the malware since
they had physical possession for an entire year.

~~~
tjoff
And the counterpoint is that he'd obviously got a new computer and any further
surveillance would benefit from access to that one.

~~~
Timpy
That's a good point. I was assuming the old hard drive was loaded on old
equipment but that's not necessarily the case.

------
_jal
It isn't entirely clear to me that Script Kiddie was actually setting Security
Researcher up rather than bragging, but let's assume.

The interesting aspect is the weaponization of legit LE - this is similar to
swatting. This can easily be extended to harassment by all sorts of random
government agencies depending on context. It isn't even really new - you can
think of false OSHA reports and the like as similar.

I think the new aspect is about the expanded reach of social connections,
combined with people's willingness to be much more vicious when the
interaction is virtual.

~~~
rickety-gherkin
My first thought was that this was a setup by the Script Kiddie (maybe they
did know what they were doing). If you knew that your actions were going to
come to light then you might as well mess up the trail for investigators. I
wouldn't be surprised to find out this was a planned maneuver.

------
azinman2
Clicking random links is exactly what HN is all about ;)

~~~
bryanrasmussen
That's why I never read the articles, I'm security conscious!

~~~
martin-adams
What article?

------
clSTophEjUdRanu
Why does a security researcher not use a VPN while on IRC? The security
community is crawling with bad actors.

------
jchw
>Don’t click random links!

Alternatively, consider always using at least some kind of VPN.

In the modern climate of VPN ads all over tech videos I doubt it is terribly
unusual if you have one, yet it immediately makes this kind of bullshit
considerably less likely.

I feel Wireguard (for those not in the know: a VPN protocol and software suite
like OpenVPN) provides the kind of performance and latency that is completely
acceptable for almost all traffic other than video games, and if you are a
Linux user you can even play with things like network namespaces to force some
apps through Wireguard (and maybe some through bare metal.)

I am not affiliated with any VPN but I am a happy customer of Mullvad for
years, and I don’t recall any time they’ve ended up in the news for bad
reasons. I’ve also heard ExpressVPN and PIA are good options.

~~~
jiofih
Will that help at all? The VPN itself will keep track of all your activity,
just a warrant away, that’s how they make real money.

~~~
jchw
>The VPN itself will keep track of all your activity

- The trouble here is that the ISP is in the same country as your police.
Having a VPN that is in a different jurisdiction requires international
warrants. (IANAL.)

- Mullvad claims they do not log, as many VPN providers. I have a tin foil
hat usually but I think their track record warrants an unusual amount of
trust.

- You can also do multi hop through Wireguard, if you’re into that kind of
thing.

>just a warrant away, that’s how they make real money.

Now that is unbelievable. You are suggesting to me that the police are paying
VPNs for logs? Why would they pay if they have a warrant?

I don’t think the data that ISPs or VPNs have is actually worth that much. For
VPNs most of it is probably genuinely torrent traffic and HTTPS traffic. Even
DNS can be encrypted nowadays (and should be imo.)

It’s one thing to say they are selling logs, but it’s hard to believe that’s
where they make the real money from. And either way, it’s a completely
unsourced claim.

~~~
allovernow
>Now that is unbelievable. You are suggesting to me that the police are paying
> VPNs for logs? Why would they pay if they have a warrant?

I'm not leaning in either direction here but worth noting that warrants are
hard to get without evidence. Illegally obtained information can be used for
ostensibly legal targeting, pre-warrant. It's a dangerous, clandestine abuse
of power called parallel construction [1].

[1]
[https://en.m.wikipedia.org/wiki/Parallel_construction](https://en.m.wikipedia.org/wiki/Parallel_construction)

~~~
jchw
I know parallel construction exists. But I highly doubt VPN services make
their 'real' money selling logs.

------
welly2103
> I was also asked for my password and if I had any encrypted data on my PC
> (which I didn't have at the time).

Today you probably encrypted everything, right? Would they force you to tell
your password, or what was the intention of just asking for it?

~~~
monkeynotes
[https://en.wikipedia.org/wiki/Key_disclosure_law#Germany](https://en.wikipedia.org/wiki/Key_disclosure_law#Germany)

Laws in the UK are pretty Orwellian to say the least:
[https://en.wikipedia.org/wiki/Key_disclosure_law#United_King...](https://en.wikipedia.org/wiki/Key_disclosure_law#United_Kingdom)

~~~
shadowprofile77
One of the comments above mentioned that police in the UK (and western Europe)
tend to be more polite than the often aggressive police in the U.S. This is
believable, so too is the notion that police and the justice apparatus in the
US are also more punitive than their western European counterparts. With these
things in mind, it's rather ironic that the U.S. turns out to be the much
better place for protecting one's digital privacy by refusing to disclose
passwords. Since it's not even legally allowed in the US due to the Fifth
Amendment... (border crossings still being extremely ambiguous places on
this).

------
thomas232233
The author of the post says

"I was on a site around the time it was hacked and I had no proxy or VPN."

How would a VPN have saved in this situation? A free public proxy might
hide the original IP address to some extent. The VPN would still be linked to
his real identity straight away. Right?

------
sh1mmer
It seems odd to me that the lesson here wasn’t reporting to the police when
some rando you met on IRC has apparently hacked into a political party.
Especially given all the state-sponsored meddling in politics recently.

They might have done the same thing and taken all your computers but you
probably would be in the clear a lot sooner.

------
bgeeek
Is it safe to open the article, though? 8)

------
6510
Google search by image reveals it's a Doberman.

[https://www.pictshare.net/500/f8df258bbb.jpg](https://www.pictshare.net/500/f8df258bbb.jpg)

~~~
martin-adams
Okay, so who is brave enough to click that link?

------
pbreit
I'm wondering if this happened to me if I would report it and the result might
be quite different?

------
LinuxBender
This might be a good use case for a RasPi for web browsing. If it gets taken,
you have not lost much money. You could PXE boot and have the OS run from ram,
so you don't even need a hard drive. It really should not use much power. The
PXE boot device could just be a generic cheap consumer NAS. If you need to
save a file, just https post or sftp it to the cloud somewhere.

~~~
geek_at
Have you ever surfed the web on a Pi? Even a 4.. it's not fun :D

~~~
LinuxBender
I have, but I also tend to not visit sites that have a lot of bloat. El Reg
and Scientific American are about the most bloated sites I visit and I only
pull them up once a day.

------
_sbrk
( .. opening link with Startpage's anonymous feature .. )

------
seemslegit
For US readers it must be quite incredible to read all this took place
amicably and - you weren't SWATed with guns drawn and would even talk to the
law enforcement people by yourself (as opposed to only through a lawyer) -
which was probably unwise even in Austria - they could have not had people
experienced enough or just wouldn't want to admit a mistake.

~~~
cptwunderlich
FYI, this was in Austria, the BVT is an Austrian agency, this website is on an
.AT domain and he writes in his about page that he is a Texan living in
Austria =)

~~~
geek_at
Born Texan, that's right, but I haven't been there since I was a few years old.
Still feel strangely connected though

------
cellular
Hey random person, I'm not falling for it!

