Warrant Used To Track Users Through Tor Invalidated

When it was revealed that an NIT (network investigative technique) had been used to track people across Tor, people were worried about just how they had got permission to deploy such a far sweeping piece of computer malware. It would now seem that the warrant issued didn’t give as much power as they wanted as a federal judge has now stated that the warrant should be invalidated because of its reach.

The federal judge in question sits in Massachusetts and stated that a magistrate issuing a warrant in Virginia cannot “authorize the search of a defendant’s computer located in Massachusetts”. This was noted in a 39-page opinion in which William Young stated that while it cannot be done, the Department of Justice and Congress could change the law in future. The end result of the opinion is the conclusion stating:

Based on the foregoing analysis, the Court concludes that the NIT Warrant was issued without jurisdiction and thus was void ab initio. It follows that the resulting search was conducted as though there were no warrant at all. Since warrantless searches are presumptively unreasonable, and the good-faith exception is inapplicable, the evidence must be excluded.

So ultimately the warrant for the NIT over stretched the bounds, something that has now led to a bunch of evidence being made null and void in a case where even Ahmed Ghappour, a law professor at the University of California, realized that the ” DOJ knew full well that the magistrate lacked authority to issue an out-of-district warrant”.

Microsoft Is Suing The US Government Over Cloud Data Searches

Microsoft is but one of many technology firms that have recently moved their focus from internal hard drives to the cloud, allowing people to access their data from anywhere in the world given the right details. The problem is other people also have access to this information, both legally and illegally and Microsoft is suing the US government over their attempts to force companies to remain quiet on the matter.

Microsoft has now filed a lawsuit against the Justice Department stating that it’s not just wrong but it’s “unconstitutional” that companies should be forced to remain silent when they are asked to hand over any data you might store in the cloud. In their complaint, Microsoft says that section 2705(b) of the Electronics Communications Privacy Act “sweeps too broadly” and effectively gives the government the power to gag companies, regardless of the reasons they are investigating someone. Microsoft even went so far as to name the number of secrecy orders they’d received in the past 18 months, a huge number sitting at almost 2,600.

The best part of almost 2.6 thousand secrecy orders, was that over two-thirds would never run out thanks to them containing “no fixed end date”. The end result is clear, Microsoft wants section 2705(b) ruled as unconstitutional and removed, a judgment that would affect every technology company based on the internet these days thanks to the broad range of uses that the cloud is utilized for.

Recently Reddit removed their Warrant canary, giving users a legal warning that the government had requested access to at least some of their information (possibly). While other companies, such as Apple has been arguing with the FBI over who and where the line should be drawn for gaining access to devices and the steps they can make companies provide to open the door for them.

iPhone Unlocked By Fingerprint Because Of A Warrant From The LAPD

While we were so focused on the Apple Vs FBI court battle that was going on, it would seem that the FBI were up to their usual tricks. I refer to the first known case where a user was made to unlock their iPhone by fingerprint because of a warrant.

The court case was overseen by a Virginia Beach Circuit Court Judge who agreed that David Charles Baust could not be forced to hand over his iPhones passcode. The judge did say he could be compelled to supply his biometric information to unlock the device, though, a measure that seems very similar in its outcome.

The warrant issued allowed an LAPD agent to visit the premises of Baust and a Paytsar Bkchadzhyan and acquire a fingerprint for the purposes of unlocking the iPhone, a trick that can be mimicked with something as simple as Play-Doh. The warrant contains the line “Law enforcement personnel are authorized to depress the fingerprints and/or thumbprints of the person covered by this warrant onto the Touch ID sensor of the Apple iPhone seized… on 25 February”. The inventory of the property taken in the search doesn’t even help narrow down what they searched for, as they state “PAYTSAR BKCHADZHYAN – FINGERPRINT ON IPHONE DEVICE”, a rather ambiguous term when keeping track of something.

The fingerprint didn’t help as after 48 hours of not unlocking your iPhone with touch ID requires that you enter your passcode anyway, a piece of information that the Judge had already ruled out being forced from the suspect.

This could have repercussions, such as in the case where a person from England is being asked to unlock his device over a case that could see him tried in America, where you could be seen as providing evidence against yourself by providing something like your biometric information or passwords. These are all protected in America under the fifth amendment, the right to not incriminate yourself.

Judge Says Stingrays “Are Simply Too Powerful” Without Rules

Stingrays have become one of the most contested ways of digital surveillance since they became public knowledge last year. The devices act like mobile phone towers, simulating their actions while allowing them to intercept and identify the devices connecting to them. The problem many have seen with this device is that they are not selective, they do not target a specific person or phone because the technology does not work like that, this means that when one goes up all mobile devices in the area send their information to the tower. This provides the tower with their location but can also be used to intercept calls and text messages sent by any devices in the nearby area. A judge in Illinois has made a stand and said that unless his three requirements are met, he will not authorise the use of a stingray.

The first requirement is that the stingrays require a warrant to be used, a claim that has been highly contested and was originally an issue given that some law enforcement agencies have used the device hundreds of times without any government oversight.

The second requirement is that the data collected (which is not relevant or approved by the warrant) is “immediately destroyed” and this action is proven to the court.

The third requirement is that the devices cannot be used in areas where a large number of mobile phones will be active, such as at a public sporting event or large gathering.

These steps could be the first sign of a powerful device being controlled and monitored rather than deployed without thought of the freedom and privacy of others around it.

California’s Legal System Now Supports Digital Privacy

In recent years, there has been a big uproar courtesy of a certain reveal by a man named Edward Snowden, regarding digital privacy. To be more precise, it was about the lengths that groups went to in order to avoid any legal requirements when it came to accessing and using your personal information. The Electronic Communications Privacy Act looks to be the first, and hopefully the first of many, to enforce a legal right to digital privacy.

Governor Gerry Brown signed the Act taking it into full effect and I have no doubt that a wide variety of people will be happy about it. The Electronics Communications Privacy Act states that any, I repeat, any state law enforcement agency or any other investigative entity are required to have a warrant in order to obtain digital information (including information stored in the cloud, such as emails or text messages) and that they cannot ‘compel’ businesses to hand over this information without a warrant. It doesn’t end there though if they want to use your GPS to track you or even to search your phone, they will need a warrant for that too.

While not the first to outline in a legal document the requirement of a warrant for your data, or even your location, it is the first to cover things like metadata and your device searches. Many hope that this could be the first of many laws, with other states taking up their own versions of the Electronics Communications Privacy Act or pushing for these conditions to be placed on a national scale, affecting all agencies regardless of state.

Thank you Wired for the information.

Image courtesy of Falkvinge

North Dakota Police Will Utilize Weaponised Drones

Drones used to be a thing of the future, small robotic creatures that would fly around and swarm the skies. They would be included in Hollywood blockbusters such as Terminator and even the ones where they help us survive such as in Transformers. With devices that can seek and destroy from ground level to your forty story apartment, they were quickly developed and created for everyday tasks. Now with thanks to a lobbyist from Dakota the first drones with weaponry might soon see deployment.

With recent years, fears over drones carrying weapons are known to have caused a ruckus in many circles, with people like Steven Hawking requesting that drones avoid automation in order to reduce the threat from them. The Rick Becker’s bill would have seen that all drones in Dakota could not be equipped with weaponry, but an amendment by Bruce Burkett of the North Dakota Peace Officer’s Association, has banned the drones from carrying anything deemed a lethal weapon. This means that less lethal tactics such as pepper spray, tear gas, sound cannons and even Tasers could soon see deployment at the bottom of a drone.

The initial bill was created to force police to obtain a warrant before using a drone to collect evidence while also banning weaponising the free flying devices. With this sudden escalation, all eyes will be on the Dakota police and how they choose to deploy drones with anything other than a camera.

Thank you The Daily Beast for the information.

Image courtesy of Gary Friedman (Los Angeles Times).

Government Looking for Exploits in Anti-Virus Software to Use Against You

Snowden’s latest leaked documents point to government agencies such as the NSA and GCHQ taking an interest in tracking user activity and spying on networks. However, to do that, they have to get one piece of software out-of-the-way; the anti-virus. This also seems to link with an earlier incident at Kaspersky Lab, where their headquarters was hacked by an unknown and well-equipped group.

The government agencies are said to be using a process named Software Reverse Engineering to gain access to vulnerabilities still present in current anti-virus products. One of the latest warrants GCHQ wants to approve, according to The Intercept, even states that Kaspersky poses a threat to its SRE program.

Other methods of intercepting and gaining access to anti-virus software databases consist of finding and exploiting employee emails that work in anti-virus companies. In addition, user PCs are targeted for HTTP requests sent to anti-virus headquarters, containing relevant security vulnerabilities found by their anti-virus suites.

To support the above claim, The Intercept also came across a GCHQ presentation where it shows that around 100 million malware events are flagged daily by the government agencies. The same approach might be found in every government agency, so at least we get another peek at what’s going on and how ’secure’ we are.

In the end, is targeting and ‘cracking open’ anti-virus software really a good solution? From my point of view, the GCHQ should hire Kaspersky Lab to design their network security if they are as good as they say they are. What do you think?

Thank you TechCrunch and The Intercept for providing us with this information

US Law Enforcement Offer $3M Reward for Gameover ZeuS Botnet Suspect

The U.S. Department of Justice and the Department of State’s Transnational Organized Crime Rewards Program is offering a $3 million reward for information that leads to the arrest or conviction of Evgeniy Mikhailovich Bogachev, the man suspected of being the administrator of the devastating  peer-to-peer botnet Gameover ZeuS.

The Gameover ZeuS botnet target banks and other financial establishments, infecting over 1 million computers and stealing more than $100 million. The DOJ managed to disrupt Gameover ZeuS last Summer.

Bogachev has made it to the FBI’s Cyber Most Wanted List and is thought to be still living in his Russian homeland. The DOJ suspect Bogachev of being the leader of a “tightly knit gang” of Russian cybercriminals, developing and operating the Gameover ZeuS and Cryptolocker malwares.

Assistant Attorney General Leslie Caldwell said, “One significant part of the puzzle remains incomplete, as Bogachev remains at large. Although we were able to significantly disrupt the Gameover Zeus and Cryptolocker criminal enterprise, we have not yet brought Bogachev himself to justice.”

Source: Computer World

Microsoft Ordered by Judge to Submit Customers Emails from Abroad

Microsoft Corp was ordered on Thursday by a U.S. government judge to turn over a customer’s email that is stored in a data center in Dublin, Ireland. The case has already drawn concern from privacy groups and major technology companies around the world.

Microsoft and other U.S. companies had challenged the original warrant, arguing it improperly extended the authority of federal prosecutors to seize customer information held in foreign countries.

District Judge Loretta Preska said after the 2 hour hearing in New York, that a search warrant approved by a federal magistrate judge required the company to hand over any data it controlled, regardless of where it was stored. “It is a question of control, not a question of the location of that information,”

The case seem to be the first in which a corporation has challenged a U.S. search warrant seeking data held abroad and the judge said she would temporarily suspend her order from taking effect to allow Microsoft to appeal her decision to the 2nd U.S. Circuit Court of Appeals.

A number of technology companies came to Microsoft’s assistance and filed court briefs in support, including AT&T Inc, Apple Inc, Cisco Systems Inc and Verizon Communications Inc.

The companies are worried that they could lose billions of dollars in revenue to foreign competitors if customers fear their data is subject to seizure by U.S. investigators anywhere in the world. It is unclear which agency issued the warrant because the warrant and all related documents are sealed.

Thank you Reuters for providing us with this information

Image courtesy of Microsoft