Suppose you were using a shared storage space (shared servers, or server farm) with several other dudes. One of them is a drug dealer. One day the police/FBI decide to raid the storage space since the drug dealer has been using it to store illegal drugs.
Is it not reasonable to consider this collateral damage (which, granted, is totally unnecessary) during law enforcement operations?
I'm not saying this is OK in any case, but might this not be a reasonable move by the law enforcement agencies?
If his servers are included in the warrant because they were suspected of housing whatever it is the FBI was after, and the court granted the FBI the right to seize them, then yeah, it's reasonable.
If he was sharing a physical machine with the bad guys, then yeah, sorry, that's collateral damage. However, if he was on his own separate leased machine, there is absolutely no reason for the FBI to seize it. It'd be like them executing a seizure warrant on one of those self-storage spaces, and seizing the contents of all the adjoining compartments (which the person being investigated would have had no access to) just because.
If the police have a warrant for my apartment, and you happen to leave your backpack and server, your stuff will most likely be confiscated, along with mine, if it interests the police.
They probably didn't have anyway to know which machine it was just which rack it was. They also probably didn't have to tell the hosting company directly just the facility that they were raiding.
The problem is that with blade servers like DigitalOne provided, both of these things can be true at the same time.
I don't like to be in the position of defending the FBI (my own personal and professional relationship with them is complicated), but I think the following situation is plausible (which isn't to say it's what happened, as we don't know):
FBI determines the originating IP address of whatever their investigation is targetting (based on published information, it looks like a "scareware" operation").
FBI determines the IP address is "owned" by an overseas hosting provider, and that the physical servers are in a datacenter in the U.S.
FBI obtains a warrant for the seizure of all associated computing equipment (which may very well include the upstream devices used by the hosting provider).
FBI executes warrant at datacenter, sees that the servers are actually blades in a chasis; takes entire chasis (as reconstructing the data later on may require that the servers be bootable.)
The very last forensic case I worked involved having to acquire evidence from a server which was hosting a web application by a hosting provider. This was a shared hosting scenario, so in addition to acquiring the targeted information, all other customers on the server were also effectively offline (as the server was being imaged, and later as the original hard drives were entered as evidence).
Now, obviously, that isn't the exact same situation as what is described here, but in the event that the servers were blades, I don't think it's outside the realm of possibility to think that the entire chasis would need to be retrieved.
If the FBI seized all the computer equipment in the entire building or even just the computers on the same floor as the targeted company but belonging to other companies who just happen to be physically adjacent to the targeted company, would it seem reasonable?
For starters, that hypothetical search warrant is too broad to be executed.
Keep in mind, I'm not saying that I believe that the FBI executed this seizure correctly. I'm saying that based on third-hand limited information, I don't think it's possible to rule out the possibility that what they did was warranted.
If you showed up to perform this acquisition and were able to deduce that the targets you were going after were blades in an HP chasis in a specific rack, and let's say those blades aren't identifiable within the chasis (like oh say, maybe the IP address isn't noted), it might be within reason to take the chasis and all the blades for that specific chasis.
It might also be within reason that if you can identify which specific blades are part of your acquisition, you take those, and also the chasis they are plugged into (but not the other blades, although they are now sitting on a table in a datacenter somewhere, not plugged into anything).
All we know is that customers of that same provider who were stored in the same datacenter were taken offline. Marco doesn't actually know that his blade server was physically taken, he just knows that it was brought offline.
Physical proximity is simply not a valid justification in either situation.
If the courts and/or the FBI are unable to understand this, the remedy is to get them educated and not to simply accept the consequences of overly-broad warrants or seizures.
I'm not saying it wasn't, I'm saying that it is not a requirement that it was.
I disagree that siezing adjacent blades is just as nonsensical as seizing adjacent computers. I think it's unfortunate, and suboptimal; but I don't think they are the same.
If the search warrant had nothing to do with computers, let's say it was for a silver Motorola Razr. The FBI enters the premises and finds a bucket with ten silver Motorola Razr's. Their job is then to try and determine which specific Razr they are looking for. You can be sure that it's within the realm of possibility that they'd sieze all of them, and then later determine which ones are unrelated.
You can argue, "but then the search warrant should have to be more specific, it should have to have the serial number of the specific Razrs on it", to which I'd agree, that'd be nice. Computer-related search warrants are almost always executed with only the originating IP address and the location to which the IP address was established to be at.
Assuming that they took all the blades (which again, we have no idea one way or the other), I agree it would have been nice to know ahead of time that the specific blades associated with the target were X. I'm not sure that the lack of that specificity of information makes it impossible for them to execute the search warrant.
But basically we're lambasting the FBI for something we have no idea if they've even done, without any actual information about the contents of the raid. I'm trying to keep in mind that it's actually possible (even if not likely) that their actions in this raid were not incorrect.
The picture painted here is that the FBI came in and hastily took a bunch of equipment without making sure they were taking the right stuff. If that is accurate, then it's likely they might have missed a server with data on it that they needed for their case. Moving quickly and causing collateral damage in a relatively safe environment where you actually have the time to triple check your work is inexcusable on all fronts.
if you're looking for a metaphor, think about a self-storage facility ([one of these places](http://www.moversandpackers.org/wp-content/uploads/2010/10/s...). imagine you're renting one of those units, and somebody renting a unit on the other side of the yard is a drug dealer. the FBI comes in, and in the process of seizing the assets of the drug dealer across the yard, they also seize all the stuff in your storage unit. There is no way that is reasonable.
I didn’t own the hardware — I was leasing it from DigitalOne.
I agree that the information belonged to Instapaper.
Why did they take an entire rack, instead of a few servers? I can think of a couple of potential reasons.
- VM's, which could potentially live on any physical server in a VM pool
- Insufficient information on which physical servers belong to their suspects
- They just don't trust the colo operators to not be involved, and thus limit the suspect data to the servers they provide.
While I wholly agree that it's unfortunate that Instapaper and Pinboard were affected, it's not an unexpected consequence of having your servers alongside (or on the same physical machines) of people you don't know.
If you want to say "tough luck that's just what it costs to collect evidence in 2011", fine, but it's probably not fair to say that the FBI should just naturally have that capability.
It wasn't until 2007 that they updated the Handbook of Forensic Services to no longer require seizing peripherals of suspected evidence. Think about that for a second, that means mice, keyboards, monitors, etc.
The team who worked on this raid ironically is part of the DOD CCC, which is a joint forensic lab setup between the DOD and the FBI (they have two labs, one in Maryland, who would have been involved in this raid, and one in California). That team certainly has some smart folks on it (they're the subject-matter-experts for forensic acquisition at the FBI), but if they've devised special procedures for dealing with datacenter or cloud forensics, they haven't been codified yet into the HFS.
One of these collaborations is responsible for you being able to type that comment and have it be readable by someone on another computer.
As to the specifics of the DOD CyberCrime center, it was set up in 98 to offer training/services to other law enforcement and counterintelligence agencies.
Basically, someone figured that instead of having to have each seperate agency stumble around in the dark dealing with cyber crime, they could pool resources and try to standardize. It's actually a pretty good example of getting rid of beaurocracy.
But, steel yourself: a very good forensics pro would probably have them acquiring expansive warrants for hardware seizures, because very good forensics pros are paid to foresee all the crazy things colluding providers and criminals can do to hide evidence.