Federal agents seek to loosen rules on hacking computers during investigations

101 points| jamesbritt | 12 years ago |bloomberg.com | reply

50 comments

[+] zaroth|12 years ago|reply
This sounds a lot like the 'general warrants' which helped spark the first American revolution.

LA is tracking cars through cameras / license plate detection. In response to an FOIA request for details on the tracking, their response was that all the data was part of an "active investigation" and would not be disclosed. I think this was the first time a city has tried to hide details of a surveillance dragnet like this, across a metro area, by claiming basically the entire city was being actively investigated. [1]

In that light, this development is extremely concerning, and I can only hope the judiciary will push back hard to protect some semblance of the 4th. The average person doesn't typically consider themselves a target, but as the number of dragnets increases, and if the Feds can perform mass-hacking of our personal devices where the results are directly admissible in court (putting aside parallel construction for a moment) this mentality will have to change.

The writing has been on the wall for a while, but there's always been some comfort that at least the mass surveillance wouldn't be admissible. Now you start to see, we're getting boiled like frogs. The direction this is all going leads up to a very draconian future just 5 - 10 years out. I'm not sure there's any way to stop it, I don't think enough of the American people can get their heads around how this is cyanide to a free society.

[1] - https://www.eff.org/deeplinks/2014/03/los-angeles-cops-argue...

[+] noblethrasher|12 years ago|reply
> I'm not sure there's any way to stop it,

It's not enough to campaign, vote, or even lobby. We need to form a vanguard party and run our own candidates and get them elected.

We should think more broadly than just legislators and chief executives. Consider sheriffs, judges (where they're elected), district attorneys, city controllers, public utilities commissions, etc.

[+] wyager|12 years ago|reply
> I'm not sure there's any way to stop it,

Ideally, clever technology. We can at least try to stop digital dragnet surveillance with better technology. It might be possible to frustrate physical dragnet surveillance the same way.

As a fallback, there's always violence if people get pissed off enough.

[+] devconsole|12 years ago|reply
A couple weeks ago, when I asked someone how to verify on demand that a BIOS isn't compromised, someone else quipped "Could be the processors too, better forge those by hand." https://news.ycombinator.com/item?id=7609780

In fact, it turns out the future is probably headed in that direction. All mobile phones are already compromised; every phone has a proprietary baseband chip with full remote DMA access that no amount of open software running on your phone can stop. And as laptops become more and more mobile, it's going to seem strange that we've spent so long trying to tether our mobile phones to our laptops. Perhaps future laptops are going to have 3G access embedded right into them which consumers can subscribe to for some low monthly fee. Consumers would probably love it, because it's very enticing: you get internet access in most of the world without having to find a public hotspot or tether your phone. No more dealing with hotel wifi; no more dealing with logging in to someone else's.

The takeaway is that your children may grow up in a world where it's impossible to guarantee the government can't get into your computer if it really wanted to. Desktop computers aren't ever going to go away, but hardware design seems to be trending towards having built-in theft prevention. One feature of theft prevention is having the ability to locate the computer, or send it remote kill signals. If trends like that do catch on with consumers, it's "gg no re," because once our hardware is compromised to the point of third parties being able to remotely access it on demand, we've all lost something precious, and there won't be any opportunity to fix it. The more I think about it, the more it seems like it's just a matter of time until this happens, precisely because once it's here, it's never going away.

More and more network adapters seem to have DMA access to your computer. It would be interesting if the protections afforded by open source software were defeated at the hardware level without most people noticing. There doesn't seem to be any way to defend against it, because open source hardware simply can't survive: no money is necessary to develop open source software, whereas large investment would be necessary for development of open source hardware down to the chip level.

[+] DanBC|12 years ago|reply
> The takeaway is that your children may grow up in a world where it's impossible to guarantee the government can't get into your computer if it really wanted to.

If your adversary is a well funded government you need to have:

Secure software

Secure firmware

Secure hardware

Secure staff who follow procedure

Secure location

Armed guards

Etc

Most people cannot do all of this and thus have been vulnerable to governments for a long time.

Suggesting that your mobile communications data was ever secure when it was available to your telecoms provider seems odd to me.

[+] comex|12 years ago|reply
> The takeaway is that your children may grow up in a world where it's impossible to guarantee the government can't get into your computer if it really wanted to.

This is impossible to guarantee today. Certainly if you run the zero-day magnets known as browsers, and even if not, there is always some possibility of physical intrusion.

> More and more network adapters seem to have DMA access to your computer.

With an IOMMU (VT-d or equivalent on other platforms), it should be possible to protect against malicious DMA from any source.

Also, not all phones have basebands with DMA access to main memory. I think iPhones do not, though I am not sure, and some older iPhones have been attacked by turning on "auto answer", demonstrating direct access to the microphone.

[+] sliverstorm|12 years ago|reply
> The takeaway is that your children may grow up in a world where it's impossible to guarantee the government can't get into your computer if it really wanted to.

The government has always had access to everything if they a) really wanted to and b) had just cause. That's why search warrants, tailing suspects, court-approved phone taps, bank account freezes, etc etc etc exist.

The notion that the government ought to not be allowed into your computer, ever, doesn't seem grounded in either reality or historical precedent.

[+] skrebbel|12 years ago|reply
> Perhaps future laptops are going to have 3G access embedded right into them which consumers can subscribe to for some low monthly fee.

We're getting a bit off topic here, but my colleague has a 2-year-old Sony Vaio laptop that has this. He also has a SIM card for it that came for free with his €50,- internet/tv subscription (incl more monthly GBs than he needs).

[+] somnabulis|12 years ago|reply
I don't know what "gg no re" means.

[+] danso|12 years ago|reply
Wow, well I just had a moment of self-reflection on what a Pollyanna I am...my first thought at reading the headline was, "Oh good, now people like Aaron Swartz can't be threatened with 15 year prison sentences, or (in other cases) become felons for violating certain interpretations of Terms of Service". And of course, it is not that.

[+] masonhensley|12 years ago|reply
You are not alone, that's exactly what I thought from reading the title.

[+] bediger4000|12 years ago|reply
Didn't these folks take an oath to defend the US constitution? This pretty clearly violates 4th Amendment protections against unreasonable search and seizure.

Yes, I'm not a lawyer, so I don't know what "doctrine", "touchstone" or "Three Pronged Test" makes the clearly unconstitutional into something lawfully constitutional, but that's a lawyer problem.

Beyond practical considerations, like this makes the FBI into an ethically dubious organization, doesn't doing this kind of thing grate on lawyers and officers who take very solemn oaths against doing bad things? Clearly, this will have undesired side effects, and make the police into something even less trustworthy than they already are.

[+] dragontamer|12 years ago|reply
Last time I checked, the 4th Amendment was about "due process" and "but upon probable cause".

Everyone seems to forget about the "Probable Cause" line.

[+] sliverstorm|12 years ago|reply
Out of curiosity- all I see in the news & on the boards is backlash against the government when these sorts of programs come up. Can anyone provide thoughtful suggestions on how the fundamental adaptation the feds are seeking- improved ability to conduct digital espionage- could be implemented in a positive way?

I do think the notion that traditional rules for search & seizure need to be updated for the modern age might hold some water. For example, destruction of evidence has become easier, and catching someone "in the act" is probably harder.

I don't believe in the idea that the feds should have zero access & zero surveillance ability. Unfortunately I am unsure how to give the ability to match (in spirit, not in letter) the functions they have in the real world without incurring a big privacy hazard.

[+] ipsin|12 years ago|reply
"...no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

I'm tickled that they're actually getting warrants sometimes, but this sort of warrant doesn't sound like it would meet that test.

If you can't describe a physical location of your search, you're opening up all sorts of potential for mischief that would play off the technical ignorance of some judges and the inherent interconnectedness of the Internet.

"Machines connecting to the target machine or relaying traffic for the target machine", etc.

[+] venomsnake|12 years ago|reply
You have to be a pretty smart guy to become a judge and pass the whole confirmation grilling.

And from what I have seen recently, some of the judiciary have picked up enough tech know-how to not be fooled into rubber stamping.

But you need wide programs to change the culture of the police departments and prosecutors. If "I was doing my job/followed orders" is not an acceptable excuse at trial, it cannot justify putting the criminal behind bars by any means necessary.

[+] cinquemb|12 years ago|reply
“The proposed amendment would enable investigators to conduct a search and seize electronically stored information by remotely installing software on a large number of affected victim computers pursuant to one warrant issued by a single judge”

I wonder if we'll start to see researchers/people come across more things like this in the wild? Which makes me wonder if federal agents are going to be enlarging the attack surface against their own systems?

[+] zeroday01|12 years ago|reply
I believe there have already been at least 2 cases of the FBI using the very mass exploitation technique discussed in the article. The 2012 investigation dubbed "Operation Torpedo"[0] and the Freedom Hosting exploit in 2013 dubbed "Torsploit"[1].

There were 25 arrests in the first operation and those suspects are currently fighting the search warrant because the FBI failed to give notice to those who had the virtual search warrant executed on them within the required 30 days.

Nothing has really come of the second operation (after over 10 months now) except for an arrest of someone the FBI was able to identify without the help of their exploit (they used the same user name on Tor as they did on the clearnet).

[0]: http://www.wowt.com/news/headlines/Fed-Tactics-on-Trial-in-P...

[1]: http://www.propublica.org/nerds/item/is-the-u.s.-government-...

[+] nitrogen|12 years ago|reply
If your quote means that one warrant can force a victim of hacking to install FBI spyware on their systems, this is very troubling, and seems like it would dissuade many organizations from reporting a hack at all, because the cure will be worse than the disease.

[+] ipsin|12 years ago|reply
So if a botnet operator infects my machine, gaining access to my files... and then the FBI gets a warrant to install further software on my machine, ostensibly to investigate the people operating the botnet, haven't they just gotten a "warrant" that entitles them to everything on my machine, independent of who owns it?

[+] tom_jones|12 years ago|reply
"secretly access suspected criminals’ computers in bunches, not simply one at a time."

Note the word "suspected". I really don't think it's a good idea to have a legal standard granting authority to a government worker when that standard is based to one degree or another on the level of that government worker's paranoia.

[+] javajosh|12 years ago|reply
Sometimes I wish law enforcement would just suck it up, grow some balls and start pushing for the wholesale repeal of the 4th amendment by constitutional amendment. I mean, stop fucking around guys - I thought you guys were tough.