
I'm trying to think of an analogy which can explain why this might be reasonable from the FBI's perspective.

Suppose you were using a shared storage space (shared servers, or server farm) with several other dudes. One of them is a drug dealer. One day the police/FBI decide to raid the storage space since the drug dealer has been using it to store illegal drugs.

Is it not reasonable to consider this collateral damage (which, granted, is totally unnecessary) during law enforcement operations?

I'm not saying this is OK in any case, but might this not be a reasonable move by the law enforcement agencies?

It is not reasonable if the FBI does not have a warrant for your servers (or storage space). Instapaper is completely right to call this "theft".

If his servers are included in the warrant because they were suspected of housing whatever it is the FBI was after, and the court granted the FBI the right to seize them, then yeah, it's reasonable.

If he was sharing a physical machine with the bad guys, then yeah, sorry, that's collateral damage. However, if he was on his own separate leased machine, there is absolutely no reason for the FBI to seize it. It'd be like them executing a seizure warrant on one of those self-storage spaces, and seizing the contents of all the adjoining compartments (which the person being investigated would have had no access to) just because.

Do we know what the warrant stated? If it authorized them to take the rack containing the server they were after, then this is legal, if unfortunate.

If the police have a warrant for my apartment, and you happen to leave your backpack and server, your stuff will most likely be confiscated, along with mine, if it interests the police.

No, this does not seem to be public knowledge. For all we know the Instapaper (and pinboard, etc) servers could have been included in the warrant.

There's a FOIA request out for the warrant. I'll be curious to see it.


I'm guessing they could have asked to take the whole rack as to not have to tell the hosting company about the raid and risk alerting the target. They also did the raid in the middle of the night which shows they were probably trying to avoid alerting the target.

They probably didn't have any way to know which machine it was, just which rack it was. They also probably didn't have to tell the hosting company directly, just the facility that they were raiding.

Even if it was indeed a necessary precaution (for which I have doubts), any innocent parties affected by this should be contacted for arranging a proper reimbursement and be issued an official apology, as soon as the operation was completed, and without them having to pursue it.

If he was sharing a physical machine with the bad guys, then yeah, sorry, that's collateral damage. However, if he was on his own separate leased machine, there is absolutely no reason for the FBI to seize it.

The problem is that with blade servers like DigitalOne provided, both of these things can be true at the same time.

Can you elaborate on this? Are there setups where a single virtual machine spans multiple blades?

I can certainly think of scenarios in which this action was reasonable from the FBI perspective.

I don't like to be in the position of defending the FBI (my own personal and professional relationship with them is complicated), but I think the following situation is plausible (which isn't to say it's what happened, as we don't know):

FBI determines the originating IP address of whatever their investigation is targeting (based on published information, it looks like a "scareware" operation).

FBI determines the IP address is "owned" by an overseas hosting provider, and that the physical servers are in a datacenter in the U.S.

FBI obtains a warrant for the seizure of all associated computing equipment (which may very well include the upstream devices used by the hosting provider).

FBI executes warrant at datacenter, sees that the servers are actually blades in a chassis; takes entire chassis (as reconstructing the data later on may require that the servers be bootable).

The very last forensic case I worked involved having to acquire evidence from a server which was hosting a web application by a hosting provider. This was a shared hosting scenario, so in addition to acquiring the targeted information, all other customers on the server were also effectively offline (as the server was being imaged, and later as the original hard drives were entered as evidence).

Now, obviously, that isn't the exact same situation as what is described here, but in the event that the servers were blades, I don't think it's outside the realm of possibility to think that the entire chassis would need to be retrieved.

Consider an analogy. The FBI gets a valid warrant for the servers belonging to a company with a street address of "101 Main St, Somewhere, DC". The building at 101 Main St. is a multi-tenant, multi-story, office building.

If the FBI seized all the computer equipment in the entire building or even just the computers on the same floor as the targeted company but belonging to other companies who just happen to be physically adjacent to the targeted company, would it seem reasonable?

I don't think that would be reasonable, but I also don't think that is analogous.

For starters, that hypothetical search warrant is too broad to be executed.

Keep in mind, I'm not saying that I believe that the FBI executed this seizure correctly. I'm saying that based on third-hand limited information, I don't think it's possible to rule out the possibility that what they did was warranted.

If you showed up to perform this acquisition and were able to deduce that the targets you were going after were blades in an HP chassis in a specific rack, and let's say those blades aren't identifiable within the chassis (like oh say, maybe the IP address isn't noted), it might be within reason to take the chassis and all the blades for that specific chassis.

It might also be within reason that if you can identify which specific blades are part of your acquisition, you take those, and also the chassis they are plugged into (but not the other blades, although they are now sitting on a table in a datacenter somewhere, not plugged into anything).

All we know is that customers of that same provider who were stored in the same datacenter were taken offline. Marco doesn't actually know that his blade server was physically taken, he just knows that it was brought offline.

But you've simply pointed out the strength of the analogy. Seizing adjacent blades in a multi-tenant rack is just as nonsensical as seizing adjacent computers in a multi-tenant office.

Physical proximity is simply not a valid justification in either situation.

If the courts and/or the FBI are unable to understand this, the remedy is to get them educated and not to simply accept the consequences of overly-broad warrants or seizures.

I've agreed that the hypothetical search warrant you outlined would be too broad to be enforceable, but I disagree that the search warrant in this case was necessarily this broad.

I'm not saying it wasn't, I'm saying that it is not a requirement that it was.

I disagree that seizing adjacent blades is just as nonsensical as seizing adjacent computers. I think it's unfortunate, and suboptimal; but I don't think they are the same.

If the search warrant had nothing to do with computers, let's say it was for a silver Motorola Razr. The FBI enters the premises and finds a bucket with ten silver Motorola Razrs. Their job is then to try and determine which specific Razr they are looking for. You can be sure that it's within the realm of possibility that they'd seize all of them, and then later determine which ones are unrelated.

You can argue, "but then the search warrant should have to be more specific, it should have to have the serial number of the specific Razrs on it", to which I'd agree, that'd be nice. Computer-related search warrants are almost always executed with only the originating IP address and the location to which the IP address was established to be at.

Assuming that they took all the blades (which again, we have no idea one way or the other), I agree it would have been nice to know ahead of time that the specific blades associated with the target were X. I'm not sure that the lack of that specificity of information makes it impossible for them to execute the search warrant.

But basically we're lambasting the FBI for something we have no idea if they've even done, without any actual information about the contents of the raid. I'm trying to keep in mind that it's actually possible (even if not likely) that their actions in this raid were not incorrect.

It seems like either the FBI didn't pay attention to the information given to them by DigitalOne or DigitalOne had poor information about where their servers are located.

The picture painted here is that the FBI came in and hastily took a bunch of equipment without making sure they were taking the right stuff. If that is accurate, then it's likely they might have missed a server with data on it that they needed for their case. Moving quickly and causing collateral damage in a relatively safe environment where you actually have the time to triple check your work is inexcusable on all fronts.

I was under the impression that DigitalOne wasn't even informed (they were in Sweden or something) until 3 hours after the incident (from the NYT article).

Or they don't trust that DigitalOne (or some employees of DigitalOne) aren't collaborating with their target.

This is not shared hosting. The server taken belonged to Instapaper. Being located in the same datacenter should not be grounds for seizure.

If you're looking for a metaphor, think about a self-storage facility ([one of these places](http://www.moversandpackers.org/wp-content/uploads/2010/10/s...)). Imagine you're renting one of those units, and somebody renting a unit on the other side of the yard is a drug dealer. The FBI comes in, and in the process of seizing the assets of the drug dealer across the yard, they also seize all the stuff in your storage unit. There is no way that is reasonable.

The server belonged to Digital One.

I didn’t own the hardware — I was leasing it from DigitalOne.

It belonged to Instapaper. That's what "leased" means: if you lease a car or house or server or anything else, it belongs to you for the duration of the lease. And more importantly than the hardware, all the information on the server belonged to Instapaper.

No it does not. I once lived in a house and the owner went bankrupt, they (the bank) seized the house immediately. How is that even possible if the house was mine that very moment?

I agree that the information belonged to Instapaper.

How does that matter? You also lease the storage locker...

No. Even if it was shared space, it should be possible to, through software and IT, extract the necessary data and bar it from further operation.

I think it's always important to remember that the first order of business in a raid is to preserve evidence against deletion or modification. This means that their first task is to remove the hardware from anybody's hands but theirs. At which point they can peruse the data as they are able.

Why did they take an entire rack, instead of a few servers? I can think of a couple of potential reasons:

- VMs, which could potentially live on any physical server in a VM pool
- Insufficient information on which physical servers belong to their suspects
- They just don't trust the colo operators to not be involved, and thus limit the suspect data to the servers they provide.

While I wholly agree that it's unfortunate that Instapaper and Pinboard were affected, it's not an unexpected consequence of having your servers alongside (or on the same physical machines) of people you don't know.
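Two comments above describe the acquisition side of this: the forensic-case comment (imaging a shared hosting server, with the original drives later entered as evidence) and the comment just above (the first task in a raid being to preserve evidence against deletion or modification). The following is an added example, not code from the thread or from any FBI procedure: a single-pass acquisition that hashes the source while copying it, writes a chain-of-custody manifest, and verifies the image afterwards so that a modified image is detectable. The "device" is a constructed temporary file standing in for something like `/dev/sdb`; the examiner name and manifest fields are assumptions, not anything the thread specifies.

```python
"""Added example: image a source device with in-line hashing, record a
manifest, and verify the image later.  The source is only ever opened
read-only.  Device path, examiner and manifest layout are assumptions."""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so large devices stream, not load into RAM


def hash_file(path):
    """SHA-256 of a file, streamed in CHUNK-sized reads."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(src_path, dst_path, examiner):
    """Copy src to dst block by block, hashing source bytes as they are read.

    Returns a manifest dict.  The image is re-read and hashed independently
    after the copy; a mismatch means the write was bad and the run fails.
    """
    h_src = hashlib.sha256()
    size = 0
    started = datetime.now(timezone.utc).isoformat()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())          # make sure the image is on disk before hashing it
    manifest = {
        "source": os.path.abspath(src_path),
        "image": os.path.abspath(dst_path),
        "bytes": size,
        "sha256_source": h_src.hexdigest(),
        "sha256_image": hash_file(dst_path),
        "acquired_utc": started,
        "examiner": examiner,           # assumed field; whatever the custody form requires
        "host": socket.gethostname(),
    }
    if manifest["sha256_image"] != manifest["sha256_source"]:
        raise RuntimeError("image hash does not match source hash; acquisition failed")
    return manifest


def write_manifest(manifest, path):
    """Persist the manifest next to the image as the custody record."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def verify_image(manifest):
    """True only if the image still matches the hash recorded at acquisition."""
    return hash_file(manifest["image"]) == manifest["sha256_image"]


def demo():
    """Constructed demo: a fake device of patterned data, then a tamper check.
    Returns (verified_before_tamper, verified_after_tamper, bytes_imaged)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "sdb")         # stands in for /dev/sdb (constructed)
    img = os.path.join(work, "sdb.dd")
    with open(src, "wb") as f:
        f.write(b"customer-A-data\n" * 200000)   # ~3 MiB of constructed content
    manifest = acquire_image(src, img, examiner="example-examiner")
    write_manifest(manifest, img + ".json")
    ok_before = verify_image(manifest)
    with open(img, "r+b") as f:             # simulate post-acquisition modification
        f.seek(1000)
        f.write(b"X")
    ok_after = verify_image(manifest)
    return ok_before, ok_after, manifest["bytes"]


if __name__ == "__main__":
    print(demo())   # (True, False, 3200000)
```

The point relative to the thread: an image taken this way, with both hashes in the manifest, gives the same integrity guarantee the "preserve evidence" comment wants without the other tenants' blades leaving the rack; on real hardware the source would be the block device and the system would be quiesced or write-blocked first, which this example does not do.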

No, the first order of business is to stay within the bounds of the law. It does not matter how solid your chain of evidence is if that evidence is illegally obtained.

It's doubtful the evidence was illegally obtained. The warrant was probably for the hardware, and was probably overly broad, allowing for the removal of more than was necessary. That's been the routine since at least the mid 90s. There are plenty of cases where the FBI has walked into a data center, shown a warrant, and walked out with complete racks of equipment, most unrelated to their actual search, because the warrant allowed them to do so.

If the warrant allows them to do so then yes, it is legal, although we should hold judges accountable. Voting in responsible judges is more important than legislatures IMHO, as they tend to have a more direct impact on our personal lives. That being said, I just see a lot of comments mentioning the imperative to preserve evidence and chain of custody, which is important but completely subordinate to staying within the bounds of the warrant. Does anyone here know if warrants can be obtained through FOIA requests? I would sure love to see the scope of the one used in this case.

You'll get no argument from me about holding judges accountable; it's an interesting issue, though. Was the warrant issued by a state or federal judge? Federal judges are appointed for life and not elected, so the people can't exactly kick them out of office during the next election.

I don't think the IT skill required to reliably extract evidence from an arbitrary hosting operation (of potentially arbitrary complexity) is simply "on tap" for the FBI.

If you want to say "tough luck that's just what it costs to collect evidence in 2011", fine, but it's probably not fair to say that the FBI should just naturally have that capability.

In general the FBI is still operating in a pre-datacenter mindset when it comes to evidence acquisition.

It wasn't until 2007 that they updated the Handbook of Forensic Services[1] to no longer require seizing peripherals of suspected evidence. Think about that for a second, that means mice, keyboards, monitors, etc.

The team who worked on this raid ironically is part of the DOD CCC, which is a joint forensic lab setup between the DOD and the FBI (they have two labs, one in Maryland, who would have been involved in this raid, and one in California). That team certainly has some smart folks on it (they're the subject-matter-experts for forensic acquisition at the FBI), but if they've devised special procedures for dealing with datacenter or cloud forensics, they haven't been codified yet into the HFS.

[1] http://www2.fbi.gov/hq/lab/handbook/forensics.pdf

How is the DOD allowed to work on civilian law enforcement in any capacity?

I'm not sure exactly what you mean, but the Defense Department works with other government agencies and non-governmental agencies; and has for quite a long time.

One of these collaborations is responsible for you being able to type that comment and have it be readable by someone on another computer.

As to the specifics of the DOD CyberCrime center, it was set up in 98 to offer training/services to other law enforcement and counterintelligence agencies.

Basically, someone figured that instead of having to have each separate agency stumble around in the dark dealing with cyber crime, they could pool resources and try to standardize. It's actually a pretty good example of getting rid of bureaucracy.

I was wondering about the interaction and how it fits with the Posse Comitatus Act.

My guess is that it is exempted by the Military Cooperation with Civilian Law Enforcement Agencies Act[1]


Yeah well, actions like this give the image of fat guys in suits who hunt and peck at the keyboard and move icons around on the desktop to find where they are hiding that dang data.

Should they get better forensics people? Absolutely.

But, steel yourself: a very good forensics pro would probably have them acquiring expansive warrants for hardware seizures, because very good forensics pros are paid to foresee all the crazy things colluding providers and criminals can do to hide evidence.

Unless you don't trust the hosting provider. Then their best bet is to take down the proper machines.
