United States Your Rights Online

Too slow! FBI Shuts Down Hosting Service 928

Posted by timothy
from the shades-of-steve-jackson dept.
Chope writes "If FBI agents showed up at your data center bearing a warrant, would you be able to provide them prompt access to customer data? BZZZZT! I'm sorry, but you've taken too long to answer. We'll be confiscating all the hardware you use, er, used to use, to run your business. But we'll get it back to you 'real soon now.' Thank you for playing. CarrierHotels.com is carrying the story of an FBI raid on a web hosting company. When the hosting company didn't and/or couldn't provide the information the FBI was looking for from its several terabytes of data within "several hours", the FBI decided it was more "efficient" to seize all the web servers and customer data as part of the FBI's investigation of a hacking incident."
  • by Anonymous Coward on Tuesday February 24, 2004 @08:36AM (#8372148)
    someone had to say it..
    • by LittleBigLui (304739) on Tuesday February 24, 2004 @09:02AM (#8372302) Homepage Journal
      someone had to say it..
      ... and judging by the finely crafted grammar, bush did. :)
    • by GodBlessTexas (737029) on Tuesday February 24, 2004 @09:31AM (#8372493) Journal
      I hate to be the bearer of bad news, but the FBI has been doing this in computer crime cases since the last few years of the Clinton administration under that bastion of civil liberties (never mind Waco, Ruby Ridge, or Elian Gonzalez) Janet Reno, and it didn't require several TB of potential evidence to make it happen.

      The FBI will attempt to work with any provider in order to get the data they need to investigate a crime. If that is impossible to do in a 'reasonable amount of time' they have little choice but to confiscate the equipment in order to copy the existing data from the machines to conduct a forensic investigation. A reasonable amount of time is generally a couple of hours to a day. Believe me, the last thing some poor special agent wants to do is sift through TBs of customer crap and put a company out of business or under financial hardship.

      • by sjames (1099) on Tuesday February 24, 2004 @09:58AM (#8372691) Homepage

        Doing some simple math, with a decentish disk controller, it will take 3 hours just to stream 1TB from disk to /dev/null. That assumes that the data is perfectly sequential and that no 'analysis' (such as accessing in a filewise manner, looking for a particular name or other data within the stream, etc) is done.

        Touching the data at all will easily double that to 6 hours. Add in more time because the volume is probably archival (read slower) rather than being set up as an enterprise DB system. Add even more since the server has other things to do running the business.

        Most likely, what they were after was logs. Logs tend to be optimized to be stored quickly rather than for fast access. After all, logs are being stored constantly, but unless something unexplained is going wrong, they aren't analyzed at all. When they are analyzed, it's usually one of a handful of standard reports (such as logins, changes to suid, etc) and is only done over a relatively short span of time.

        Given the above, and that there were multiple TB of data to sift, it is not even vaguely reasonable to expect a complete result in less than several days.

        If this report is even vaguely factual, I sincerely hope the person who made the decision to seize is forced to spend the remaining years of his career in the basement sifting through endless lines of:

        1337 d00d> D000dZ! I R s0 1337!

        To the best of my knowledge, there is no possibility of an all encompassing regular expression that can translate 1337 to English.

        • by DarkMan (32280) on Tuesday February 24, 2004 @10:56AM (#8373225) Journal
          To the best of my knowledge, there is no possibility of an all encompassing regular expression that can translate 1337 to English.


          Not a perfect translation, no.

          However, with a context free grammar (!) and some heuristics with a spell checking engine, you can get conversion to something that is much more readable.

          For example, I ran
          1337 d00d> D000dZ! I R s0 1337!


          through my munging engine and got
          leet dude> Dudes! I are so leet!


          (I prefer to leave 1337 as leet, cos I don't think it's really translatable to formal English.) It's not perfect, but the time to read drops down to something approaching printed English.

          More relevantly, as one can learn to read 1337 and other forms of munged English to the same speed as normal text, this step drastically cuts the learning time down, to about 20 minutes (for me, anyway).

          So, what you say was strictly correct, but for practical purposes, the majority of it can be fixed. Certainly, for review by people not familiar with it, it's handy. Still needs to have the original check, of course, but that would always have to happen anyway.
      • by Tackhead (54550) on Tuesday February 24, 2004 @11:17AM (#8373439)
        > Believe me, the last thing some poor special agent wants to do is sift through TBs of customer crap and put a company out of business or under financial hardship.

        First part true. Separating the wheat from the chaff is a pain and slows the investigation. (Unless you can use the wheat for future investigations, but the Agents aren't getting paid to go on fishing expeditions yet.)

        Second part untrue. What makes you think the Agent gives a flying fsck through a rolling doughnut about collateral damage to some business he's never heard of and isn't paid to protect?

        I mean, what's the collateral damage gonna do? Sue an Agent? (Score +6, Funny) Sue the Agent's employer? (Score +7, Hysterical) And what if through some sick twist of fate, they win such a suit? (Score -8, Witness of Evolution In Action).

        There's three kinds of people in the world. Cops, perps, and perps who haven't been caught. Power corrupts, but power without accountability is an awful lot of fun.

        If you're in college, consider majoring in Criminal Justice and joining the winning side. You can be under the gun, or you can hold the gun. Better to be a killer than a victim.

        • Exactly (Score:5, Interesting)

          by macdaddy (38372) on Tuesday February 24, 2004 @01:27PM (#8374953) Homepage Journal
          Second part untrue. What makes you think the Agent gives a flying fsck through a rolling doughnut about collateral damage to some business he's never heard of and isn't paid to protect?

          Right on target. In my experience the FBI couldn't give a rat's ass about causing the least amount of collateral damage or returning your seized property. In 2001 (I believe that's right) the FBI seized a Sun 20 from a lab at a University I worked for. The lab was less than maintained. It was full of SGIs that were vulnerable to every possible exploit for the last 5 or 6 years. It was a joke really. The Sun was also unmaintained. I pointed out to my super 10 months before the seizure that the Sun was an open relay and had services running that shouldn't be (I still have that email!). Nevertheless it wasn't touched for 10 months. Right about the time I volunteered to help the lab maintainer get everything up to date and secure again the FBI came in and seized the Sun. It apparently was used for something bad. I haven't been with that University for a while now but last I knew it still hadn't been returned. The FBI couldn't give a rat's ass about causing the least amount of collateral damage. Their actions speak for themselves. What if the machine used for the attack (or probe for that matter) was the Unv's mail server? It was poorly maintained too and had been hacked before. What if an attacker used it as a launching pad for an attack? Would the FBI seize that piece of state property, effectively bringing email on campus to a complete halt? It's sad really to think about it.

      • by rudedog (7339) <dave&rudedog,org> on Tuesday February 24, 2004 @11:43AM (#8373756) Homepage
        Given that Randy Weaver's wife was shot at Ruby Ridge in August 1992, I'm wondering how this is Bill Clinton's and Janet Reno's fault. Or was Bill somehow responsible for this even while he was still governor of Arkansas?
      • by ikeleib (125180) on Tuesday February 24, 2004 @11:44AM (#8373769) Homepage

        Believe me, the last thing some poor special agent wants to do is sift through TBs of customer crap and put a company out of business or under financial hardship.

        It's far more serious than simply putting a financial hardship on the data center and their customers. It is entirely possible that the FBI has gone beyond the authority granted to them in the warrant. Their warrant only allows them to search and seize specific items related to a crime.

        It is highly likely that by seizing all machines and data of a commercial data center, that they have deprived several customers of their due process of law (5th) and freedom from search and seizure (4th).

  • Poor hosting company (Score:5, Interesting)

    by Anonymous Coward on Tuesday February 24, 2004 @08:38AM (#8372159)
    The poor hosting company probably has ToS to live up to. This will ruin them.

    If nothing is found, will they have any recourse against the FBI or are they screwed?
    • by LostCluster (625375) * on Tuesday February 24, 2004 @08:56AM (#8372272)
      The poor hosting company probably has ToS to live up to. This will ruin them.

      Law always beats a ToS. If the FBI comes with a warrant for a piece of customer data, you've got to turn it over even if your ToS/Privacy Policy says you won't. To avoid getting caught in this jam, include a statement saying you'll turn over anything to any authority who presents a proper warrant.

      If their business was based on not turning anything over to the spooks, well, so much for that idea.
      • by carou (88501) on Tuesday February 24, 2004 @09:09AM (#8372340) Homepage Journal
        If their business was based on not turning anything over to the spooks, well, so much for that idea.

        I think the parent was probably referring to uptime guarantees, which the confiscation of equipment has caused the ISP to fail on, rather than anything to do with data privacy.
  • by devilkin (539677) on Tuesday February 24, 2004 @08:38AM (#8372160) Homepage
    And what if you run your website on those servers for commercial use? Will the FBI refund the financial damage you suffered (e.g. when you run a webshop or something)?
  • FBI?? (Score:4, Funny)

    by Ratface (21117) on Tuesday February 24, 2004 @08:41AM (#8372167) Homepage Journal
    If the FBI showed up at my door... there would be a hell of an international incident as I live in Sweden (you insensitive clod!)
  • I wonder... (Score:5, Insightful)

    by millahtime (710421) on Tuesday February 24, 2004 @08:42AM (#8372175) Homepage Journal
    if CIT might have been uncooperative. This article is very one sided and if it was taking hours and they weren't seeing it get anywhere then there might have been a legitimate problem. I don't know if taking the servers was the best solution but if they did it then there must have been something going on.
  • by Anonymous Coward on Tuesday February 24, 2004 @08:43AM (#8372182)
    Last year I found that a controller of the proxy that was installed on an NT workstation happened to be controlled out of the same data center that was shut down. That machine was telling the NT box to send out massive amounts of spam.

    This is about the last data center on earth where script-kiddies can get free shell accounts.

    This is a case where many servers got caught in the crossfire against the script kiddies and spammers.

  • by queen of everything (695105) on Tuesday February 24, 2004 @08:44AM (#8372189) Homepage

    There has to be more to this story. From what the article says, the FBI just walked in and shut them down. While that might have happened this story seems to be extremely one sided and a little short on the detail.

    Initially, I don't like the sound of it at all given that I host several domains and don't want the FBI coming in and taking all of my servers. But, we don't know what led up to the seizure....maybe it was a legitimate action? We shouldn't judge too harshly until we have all the information. I'm trying to play devil's advocate here.

    • by shyster (245228) <brackett@[ ].edu ['ufl' in gap]> on Tuesday February 24, 2004 @09:22AM (#8372417) Homepage
      Yeah, the more of the story is pretty well detailed in the WHT forums [webhostingtalk.com].

      Rumors have been flying for quite awhile that Paul (the owner) was either involved or turned a blind eye to DDoS drones on his network. Some rumors stated that he's DDoS competitors to prove the superiority of CITHosting's DDoS hardened servers.

      Seeing as this "data center" seems to have been his basement, I'd bet his (lack of) logs, records, and monitoring left the FBI little choice but to seize the whole thing. And, we can assume he was uncooperative as he may have been involved or at least knowledgeable.

      The general reputation of Foonet also seemed to be a bit on the black hat side. No doubt there may have been some legitimate customers as well, but they seem to be known more for their spammers and script kiddies (and cheap shell accounts) than for their legitimate webhosting.

      All in all, it looks to me like the FBI did what it had to do to effectively process the warrant. They were evidently going after a network, not a specific machine. Unfortunately, some legitimate customers got caught up in it.

      It looks like CITHosting was recently sold, and is being moved to a new data center in Chicago. Let's hope that it comes back as a legitimate business this time. They've already stated that IRC will be down indefinitely, so that's a good sign.

  • by elchulopadre (466393) on Tuesday February 24, 2004 @08:44AM (#8372191)
    First their webserver farm gets seized by the FBI, then you post their story on /. ??? Give these guys a break!
  • um... (Score:5, Insightful)

    by boogy nightmare (207669) on Tuesday February 24, 2004 @08:44AM (#8372193) Homepage
    I would be more worried about the fact that rather than being supplied with the data that they originally requested, they now potentially have the logs/records/recordings/information of all the transactions and customer records and IRC conversations ever hosted by this...

    Will they delete the 'copied' data after they have finished, keeping only the information that they originally wanted? Please, this is v bad...

    Thank God I don't live in the US
  • Full Text (Score:5, Informative)

    by Anonymous Coward on Tuesday February 24, 2004 @08:44AM (#8372195)
    FBI Shutters Web Host

    By Rich Miller
    Carrier Hotels Editor
    Posted Feb 19, 2004

    If FBI agents showed up at your data center bearing a warrant, would you be able to provide them prompt access to customer data? How long would it take?

    That's an important question in the wake of an FBI raid of Columbus, Ohio hosting company CIT Hosting last Saturday. Federal agents wound up shutting down the entire operation, seizing all the company's web servers and all customer data as part of its investigation of a hacking incident.

    CIT Hosting, also known as FooNet, markets itself as "the leader in the IRC and DDoS protection business for the last 5 years." The company posted a web page informing customers that its data center was shut down, and instructing customers to contact the FBI if they needed access to their files.

    "The FBI executed a search warrant issued by the United States District Court for the Southern District of Ohio regarding the IRC network that we host," the company said in its statement.

    IRC (Internet Relay Chat) is a live chat system that allows users to create private discussion rooms. While IRC has a lengthy history of legitimate use, it is also a medium for discreet communication between hackers. CIT said the FBI was "investigating whether someone hosted on our network hacked and attacked someone else."

    "After several hours of attempting to track down, inspect and audit the terabytes of data that we host, the FBI determined that it was more efficient (from their point of view) to remove all of our servers and transport them to the FBI local laboratories for inspection," the statement continued. "The FBI has assured us that as soon as the data has been safely copied and inspected, the equipment will be promptly returned. Unfortunately, the FBI has not been able to tell us when they will be completed with their inspection."

    The seizure isn't standard procedure, and there's no way to know exactly what prompted it. CIT's account suggests the FBI may have lost patience with the process. The IRC-focused nature of CIT's business may also have been a factor.

    But if you're a data center operator, you want to avoid any scenario in which the FBI gets impatient and starts hauling away your servers. Just one more item on the contingency planning checklist for the times in which we live.
  • by buzban (227721) <buz@buzban. n e t> on Tuesday February 24, 2004 @08:45AM (#8372200) Homepage
    IDNRADC (I do not run a data center), but don't let that stop me from making a completely unqualified comment ;) ....

    Perhaps just as important, or more important, are you storing customer data that could/should be regularly deleted? Not that burning everything when the FBI shows up is the best option, but having a sensible scheme for what needs to be stored, and what would be better deleted and overwritten, seems to me to be important...
  • Returning Equipment (Score:4, Informative)

    by millahtime (710421) on Tuesday February 24, 2004 @08:47AM (#8372210) Homepage Journal
    There is an article here [freeinternetpress.com] that tells that equipment is already being returned.
  • Look! I'm whoring! (Score:5, Informative)

    by teamhasnoi (554944) <teamhasnoi&yahoo,com> on Tuesday February 24, 2004 @08:47AM (#8372214) Homepage Journal


    From their site - don't forget to let the FBI know what you think! rwhite3@leo.gov

    02/23/2004 CIT re-establishes service.

    We have restored service at Equinix's Chicago Data Centers. We are in the same facilities as MSN and many fortune 500 companies. The facility has multi OC192 connections to the backbone.

    The FBI has begun returning equipment to CIT which is being shipped to our new facilities in Chicago.
    At this time CIT will continue to provide dedicated DDOS Protected web hosting only.

    CIT provides reliable and scalable solutions for customers of all sizes and services. Located in Equinix's Chicago Data Centers, CIT has access to all the major carriers without the need for local loop circuits.

    Our Chicago staff is focused first and foremost on customer satisfaction, and will take every action necessary to accommodate each customer. Unlike many large ISPs, CIT prides itself in its ability to provide personalized service to each customer - if a customer calls twice for assistance, they can usually speak to the same representative. Our sales and support teams are allowed a great deal of flexibility to work together to resolve each customer's needs on an individual basis. Our success and rapid growth can be attributed to the satisfaction of our customers - word-of-mouth referrals account for a large portion of the new business we receive each month.

    The IRC Network will remain down until further notice.

    02/14/2004 FBI Confiscates all servers

    Dear Customers of FOONET/CIT:

    We regret to inform you that on Saturday February 14, 2004 at approximately 8:35 am EST, FOONET/CIT's data center in Columbus, Ohio temporarily ceased operations.

    Here are the facts of what occurred:

    The FBI executed a search warrant issued by the United States District Court for the Southern District of Ohio regarding the IRC network that we host. According to the warrant, it appears that the Bureau is investigating whether someone hosted on our network hacked and attacked someone else.

    After several hours of attempting to track down, inspect and audit the terabytes of data that we host, the FBI determined that it was more efficient (from their point of view) to remove all of our servers and transport them to the FBI local laboratories for inspection. This was completed at 7:00 pm EST same day.

    The FBI has assured us that as soon as the data has been safely copied and inspected, the equipment will be promptly returned. Unfortunately, the FBI has not been able to tell us when they will be completed with their inspection.

    We have been told by the Special Agent in charge of the investigation that if you need access to your data you are asked to please contact the Bureau via email to rwhite3@leo.gov. Make sure to include in your email your name, mailing address, and telephone number with area code.

    Since we wish to focus 100% of our efforts on restoring services, we would appreciate it very much if you do not attempt to contact us directly. Please rest assured that we are doing everything possible to restore service to you as quickly as possible.
    To the many who have inquired, Paul and family are OK, although shaken by these events. They are at home and awaiting the blessed event of their new child's birth. We thank you for your good wishes and prayers.

    Please check back here often. Through this site, we will keep you informed of ongoing developments as we know them.

    Thanks again for your understanding.

  • by Ghostx13 (255828) on Tuesday February 24, 2004 @08:49AM (#8372220)
    Is that if the FBI, ATF, *BI, or whoever seizes your property in the investigation of a crime, they are in no way liable for any damage that occurs to your property, if you can even consider it your property anymore, because, even if your property was deemed to have NOTHING to do with the crime being investigated, said above entities are not required to return your property. You have to SUE to get it back. Now how's that for some bullshit.
  • Looks like the seizure occurred on 02/14, and that as of 2/23 [cithosting.com] some servers have already been shipped back and put back on-line. As of now, their IRC network is still down...though it's unclear whether that's due to an FBI decision, the FBI still having their servers, or a CITHosting decision.

    The only thing I find a bit odd about this whole thing is that it looks like they took the opportunity to relocate their data center to Chicago (it was previously in Cleveland). According to their news,

    The FBI has begun returning equipment to CIT which is being shipped to our new facilities in Chicago.

    Wouldn't that unnecessarily delay the process of restoring service to their customers? Was the move already planned, or did they suddenly decide that they needed a different data center? Is it possible they're blowing the seizure out of proportion in order to cover outages due to their move? Or did the seizure even actually happen?

  • by Linker3000 (626634) on Tuesday February 24, 2004 @08:51AM (#8372235) Journal
    ...that 'the powers that be' are monitoring everything 'on the fly', if they need to get their hands on the physical data repository to check it out.
    • by vegetablespork (575101) <vegetablespork@gmail.com> on Tuesday February 24, 2004 @09:10AM (#8372347) Homepage
      That's exactly what they want you to think. Perhaps they already had sniffed the evidence illegally, and needed to extract it from the servers under the cover of a search warrant in order to subsequently be able to use it in court.

      This is all just speculation, naturally, but such a scenario would be very similar to other fourth amendment workarounds--perform broad, illegal searches (e.g. infrared through walls, which is inadmissible in the U.S. without a warrant) to target homes for additional surveillance. From the results of that illegal search, "happen to" notice something "on routine patrol," then get a warrant, and voilà--untainted evidence usable in court.

  • Steve Jackson Games (Score:4, Informative)

    by dmoen (88623) on Tuesday February 24, 2004 @08:52AM (#8372250) Homepage
    If this case follows the same course as Steve Jackson Games [eff.org] (the Secret Service confiscated most of a business's assets as part of an investigation), then the hosting company may not get their stuff back for years, if ever, and they'll need to fight a court battle.

    Doug Moen

  • by teamhasnoi (554944) <teamhasnoi&yahoo,com> on Tuesday February 24, 2004 @09:03AM (#8372303) Homepage Journal
    Perhaps the FBI is installing some evil logger/sniffer crap on the servers or some hidden hardware. Or perhaps I need to watch more episodes of the Lone Gunmen.

    I'm surprised that there hasn't been any discussion of Magic Lantern for awhile...

  • by SmallFurryCreature (593017) on Tuesday February 24, 2004 @09:03AM (#8372307) Journal
    The police and FBI can request from a judge a search warrant which allows them to take pretty much everything as evidence and they don't have to search for it in a nice way. If they suspect that something is hidden in your sofa you can just as well order a new one. Doesn't matter whether you hid it or someone else did. If it did then all criminals could hide evidence in their neighbour's house and be safe.

    Whether you find this acceptable depends I guess on whether you find it acceptable that the police can investigate crimes beyond posting a little poster asking criminals to please come to the station and answer their questions and to bring in any evidence on their own.

    Normal search warrants on an office mean that the FBI and police storm the building and everyone inside is ordered to stop doing anything. No more accessing PCs, no shredding of documents, no phone calls, no nothing. The reason is simple: to prevent evidence from being destroyed.

    I am frankly amazed that they even allowed the company to provide the info; this shows that they probably don't suspect the company but rather that they hope to find evidence against someone else on their systems.

    There was a rather nasty ddos attack on mircx and aniverse. The FBI seems to be investigating whether the IRC network hosted by this company was used in the attack. There seems to be a lot of hints as to the person who was behind the attack but sadly in America you need that silly evidence stuff (at least for use against Americans).

    So the FBI asked and got a search warrant. They then gave the company time to hand over the data but they couldn't. So the FBI used the law and did what we expect them to do. Secure any evidence by removing access to it. They are even giving the hardware back. They waited which they don't have to and give the hardware back after copying data which they don't have to do. Frankly I think they went way beyond what they needed to do to minimize damage.

    Quite frankly the original poster seems to be one of those people that want the police to disappear. That line about which corporate master they offended is clear bullshit. mircx and aniverse are hardly the powers that be.

    In any society that doesn't choose to be an anarchy you have to give some powers to the police to investigate crimes. Search warrants are pretty common in all democracies and also work pretty much the same way. If you get one it sucks but so far no one has come up with a better alternative except to just allow criminals free rein.

  • You know... (Score:5, Informative)

    by Niet3sche (534663) on Tuesday February 24, 2004 @09:06AM (#8372323)

    It's not like I agree with this, if indeed things happened as the article states... but a quick google [google.com] on FooNet (AKA / DBA CIT [cithosting.com]) turns up some VERY interesting results.

    I google'd quickly [google.com] on a hunch, and sure enough I got some [ahbl.org] rather [completewhois.com] interesting [webhostingtalk.com] hits.

    I claim to know nothing about SPEWS and how they go about adding to the blacklists, but they apparently are no stranger to it.

    Furthermore, it seems that this IS NOT the first run-in with the FBI that FooNet/CIT has had: from here [blogspot.com], if you scroll down a bit, you'll see the following text: The FBI executed a search warrant issued by the United States District Court for the Southern District of Ohio regarding the IRC network that we host # We regret to inform you that on Saturday February 14, 2004 at approximately 8:35 am EST, FOONET/CIT's data center in Columbus, Ohio temporarily ceased operations. And this was from Feb. 14 ...

    Another incident was reported out here [aginet.com] on 07/12/03 (search the page for "foonet") ... seems that 84898 spams swamped a box, and follow-up by FooNet sucked - e.g. they turned a blind eye.

    There are far too many hits to return ... if you're interested in more, you can always head here [google.com]. For now, I'll close with this: I do not agree with the methods used, if they were as described ... however, FooNet/CIT is no stranger to the FBI, and perhaps this is all rolled in to the Feb. 14th notice ... maybe the FBI actually gave them 10 days to comply... I'd really like to see how this ends.

  • They had a warrant (Score:4, Insightful)

    by kill-9-0 (720338) on Tuesday February 24, 2004 @09:14AM (#8372370)
    It seems that many people didn't read the text. The FBI had a warrant, which means they had to go before a judge, justify the need, and spell out what would be looked for/taken. If it wasn't initially spelled out that the servers would be taken, they might have had the warrant amended as such. Before some of you "conspiracy theorists" start screaming about a police state and such, the FBI was acting in the bounds of the law, under a warrant issued by a judge. John Ashcroft and George Bush had nothing to do with this. Maybe once you stop looking for black helicopters, you can see this. As for those of you saying you're glad you don't live in the US, we are the most free, most law-abiding country in the world. While we may not be perfect, we're the best thing going. Sorry if I'm offending anyone, but I'm tired of hearing knee-jerk reactions to things, without anyone reading the facts. Believe it or not, not EVERYTHING the government does is wrong.
  • by El (94934) on Tuesday February 24, 2004 @09:59AM (#8372705)
    Delete your logs. Delete them early, and delete them often. Searching through 24 hours worth of data is a lot easier than searching through 2 years worth...
  • by McFly777 (23881) on Tuesday February 24, 2004 @10:14AM (#8372844) Homepage
    If you are a data center, this sounds like another good reason to have a mirror (RAID 0, or is it RAID 1). That way you can just unplug the mirror drive and give it to the FBI without disturbing the rest of your service.

    Actually this makes the acronym RAID (Redundant Array of Inexpensive Devices) have dual meaning... RAID is what you want when you are raided!

  • Irvingnet (Score:4, Informative)

    by dr_dank (472072) on Tuesday February 24, 2004 @10:26AM (#8372942) Homepage Journal
    Irvingnet, the home of the Fark IRC channel, was also affected in the raid. The MOTD said that the entire datacenter was cleaned out by the FBI.
  • by ziegast (168305) on Tuesday February 24, 2004 @11:44AM (#8373764) Homepage
    I see all alot of, "their rights have been violated", and "this is why I don't host in the US", and "here's what I think they're investigating", but I don't see anything constructive about how to protect your service uptime against a raid.

    At a local security meeting, I learned about security incident handling, and things you can do to help preserve the chain of custody of the evidence (aka data). It's one thing to copy data, but just by reading data on most filesystems, you alter it. If a hacker determines that you are investigating them, they can and will try as fast as they can to cover their tracks, and it's a lot quicker to delete/destroy/taint data than copy data.

    The fastest and best way to preserve a single machine's data is to break a RAID 1 array (pull out live disks). Your machines keep running, and the FBI gets a pristine copy of the disks that they can put into (hopefully antistatic) evidence bags and document chain of custody without modification of the data. They can go read it at their leisure off-site. Using RAID5 doesn't cut it. Using single disks with frequent backups doesn't cut it. Use RAID1.

    Another way to protect data and preserve service is to store all non-OS data on enterprise storage that supports advanced mirroring or snapshot capabilities. If I had a NetApp, I could create a read-only snapshot and give the FBI access to that point in time copy of data and never delete it until I can do a DR copy of my filer onto another box. If I have an EMC or Hitachi or other large RAID1-capable unit, I can break off a very large mirror and present it to FBI hosts on a SAN and continue to run off of unprotected data or implement a disaster recovery plan to get me running again on another similar storage. This data isn't as clean as a "drive in a bag", but with proper notes and techniques, the FBI can be convincing enough to a jury that the data that was used in the investigation was correctly read unmodified "beyond a reasonable doubt".

    If I'm really good, and have a bigger budget, I'll have a near-real-time mirror of that data (NetApp SnapMirror, EMC SRDF, "rsync", etc.) in a remote location that runs independently of my primary site and a plan that will help keep me running while I let the FBI tear apart my primary data center.

    If you run a 100% uptime service ("Show me the nines!"), it's your responsibility to have an effective disaster recovery plan. An FBI or Secret Service raid is an equivalent of a jumbo jet crashing into your data center. You, as an individual, have a RIGHT to privacy and due process, but your company has created obligations to your customers to which you've guaranteed service, and your customers care more about the latter than the former. It's more responsible to have a DR plan and sue the FBI to replace your hardware than not have a plan and sue for lost business.

    -ez

    If the checksum doesn't fit, you can't commit!
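
The chain-of-custody point in the comment above, as an added example that is not part of the original post: a hash-chained custody log that commits to the SHA-256 of a disk image, so a later edit to a record or to the image is detectable. The file name, actors and timestamps are constructed, and a 4 KiB file stands in for an imaged mirror disk.

```python
import hashlib, json, pathlib, tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream a file (e.g. a disk image) through SHA-256; opened read-only."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}  # all fields but the hash itself
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, actor, action, image_path, when):
    """Append a custody record that commits to the image and the previous record."""
    entry = {"seq": len(log), "when": when, "actor": actor, "action": action,
             "image_sha256": sha256_file(image_path),
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)

def verify(log, image_path):
    """Return (ok, reason) after checking chain links, records and the image."""
    prev, current = "0" * 64, sha256_file(image_path)
    for e in log:
        if e["prev"] != prev:
            return False, f"chain broken at record {e['seq']}"
        if _digest(e) != e["entry_hash"]:
            return False, f"record {e['seq']} was edited"
        if e["image_sha256"] != current:
            return False, f"image differs from record {e['seq']}"
        prev = e["entry_hash"]
    return True, "ok"

def demo():
    """Constructed sample run: clean log, edited record, altered image."""
    with tempfile.TemporaryDirectory() as d:
        img = pathlib.Path(d, "mirror-disk.img")
        img.write_bytes(b"\x00" * 4095 + b"\x01")
        log = []
        add_entry(log, "sysadmin", "pulled RAID 1 member", img, "2004-02-24T10:00Z")
        add_entry(log, "agent", "bagged and received", img, "2004-02-24T10:30Z")
        clean = verify(log, img)
        log[0]["actor"] = "someone else"       # edit a record after the fact
        edited = verify(log, img)
        log[0]["actor"] = "sysadmin"           # undo, then change one byte of the image
        img.write_bytes(b"\xff" + b"\x00" * 4094 + b"\x01")
        altered = verify(log, img)
    return clean, edited, altered
```

The chain only detects edits made without recomputing every later hash, so the latest `entry_hash` should also be recorded somewhere the log's holder cannot rewrite, such as a signed receipt.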
  • by Senior Frac (110715) on Tuesday February 24, 2004 @12:27PM (#8374274) Homepage

    I know the Ashcroft-obsessed crowd will drown out this message, but I will say it anyway.

    foo.net has, for the longest time, been protecting carders. They've been told so, repeatedly, by the anti-spam community and weaseled. My suspicion at this point is that either they are actively involved and/or some of their members are involved. FBI methods aside, foo.net isn't the innocent-victim they would have you believe.

  • by Anonymous Coward on Tuesday February 24, 2004 @12:41PM (#8374416)
    As someone who has had multiple run-ins with Foonet and their customers over the years, I'm personally glad to see this happen, even if it's only temporary. The FBI doesn't just decide to dismantle an entire datacenter on a whim, there obviously has to be just cause. I feel that in this case, there's probably more than enough cause. If you are a (wannabe) "hacker" or "packet kiddie", Foonet is the place for you, and most people know it.

    I run a large text based chat server (IRC), and as such we see frequent (D)DoS attacks. Far too many of these attacks in some way lead back to Foonet. It's even rumored that some of their employees harvest and sell Denial of Service drone networks... how's that for service! Since Foonet was raided a week and a half ago, we've seen maybe 25% of the DDoS attacks that we regularly receive.

    Bottom line... don't target "kiddies" as your primary customer base, and don't tolerate their abuse and things like this will not happen. But hey, what do I know.
  • by tintruder (578375) on Tuesday February 24, 2004 @07:08PM (#8379369)
    This is one of those times where the government violates all constitutional protections to the point that citizens so violated damn near have a DUTY to exercise their second amendment rights. There is no excuse for the government putting a company out of business if their only requirement is to copy data. And if the FBI is unable to do so on-site in an orderly manner, it is their failure not the fault of the ISP. ISPs have long been given the protection of a "Common Carrier" just like the telcos. They are not responsible for monitoring the content of user conversations any more than ATT/MCI/Sprint are to monitor personal phone calls. Can you imagine the FBI shutting down AT&T and confiscating their equipment because a couple hackers were discussing DDoSing? It really is getting to the point that US citizens need to start pushing back against an overbearing government. Quite frankly, take away cable TV and consumer goods and little separates the USA of today and the Soviet Union of the 1960s and 70s as far as freedom and liberty go.
