>>lxm+(OP)
Did they want the readership data for malicious, unjustified reasons?

>>wherei+O3
Probably not

>>lxm+(OP)
I wish services didn't store IPs at all.

If abuse is an issue, why not hash the IP with a nonce?

>>wherei+O3
They probably just wanted it to make their jobs easier.

>>lxm+(OP)
I'm curious if we'll ever find out what they thought they'd learn from this.

>>xvecto+W4
IPv4 space is small so they will subpoena the nonce and find what the original IP was

>>xvecto+W4
For ipv4 is there a difference between storing IPs and storing their hash with a nonce? You can calculate the hash of every IP address in reasonable time, so it's reversible.

Only benefit I can think of is you can forget the nonce and now the data is securely useless, if the nonce was secure, but that doesn't seem that useful really.

>>myself+p5
From the article, that’s why they withdrew it.

—-

“ The subpoena, issued as part of an investigation seeking to identify a child sexual exploitation offender, was withdrawn after investigators found the person through other means, according to a notice the Justice Department sent to USA TODAY's attorneys Saturday.”

>>lxm+(OP)
>The government's own guidelines require the FBI to pursue alternative sources before subpoenaing a newspaper

Or "we could always just buy this data, we requested it for some other reason but the media got more pissy than we expected."

The entire thing is just so strange, why was the challenge not hidden when the subpoena was?

>>myself+p5
More likely they acquired the data through other means like hacking into a "foreign" server.

>>b9a2ca+W5
Probably easier to subpoena the many many tracking pixel providers embedded on the USA Today website...

>>mathat+P5
I think you may have replied to the wrong comment.

>>xvecto+W4
There are only 2^32 possible IP addresses. You can brute-force that on a personal laptop.

>>chrisc+35
That's a brilliant side-step over a morality qualm, without ever really answering the question.

>>xvecto+W4
Hm, I'm confused, usually the whole point of storing an IP is in case the visitor uses the platform to do something illegal, like a death threat. Without the original IP law enforcement can't subpoena the ISP, etc. But also as someone else said, if you use a nonce, and I think you mean salt, then it can be cracked nearly instantaneously anyways due to the small space of IPv4 (~4 billion).

>>lxm+(OP)
> President Joe Biden recently criticized the policy, saying it's "simply wrong" to seize journalists' records.

The FBI is part of DOJ, which is an executive branch department under Biden's direct authority. If he thinks it's "simply wrong", he can just order them not to do it. He's not limited to "criticizing" it.

>>gizmo6+m6
There's even less 'usable' ones, when you exclude private ranges etc...

>>Turing+67
Good point. I'm not sure he's even aware of that option, unfortunately.

>>lxm+(OP)
Did anybody bother to lookup the article they wanted to get the IPs for and get scared out of their minds when they realize what the title was?

No, I am wrong, Hacker News is right, I have learned my mistake, we need anonymity - from everything. I don't want responsibility for my actions - that's why I support the EFF, and I don't care about the FSF. We deserve the same anonymity as the upper echelon of the government, and who cares about unconditionally accelerating the singularity with open-source.

Transparency - only Satan could want such a thing!

At least in my sect of Christianity, Satan only hurts bad people - it's people themselves that are evil or want to make others evil. Bit more theologically consistent.

>>xvecto+W4
Sometimes there's a forensic purpose. For example, you want to know which servers exfiltrated your data and to which IP.

Or for audit purposes (e.g. you might need to prove to some regulator no outside access was made, which is stupid but ...)

>>bowmes+k7
Oh, he is. But it's good PR to make positive statements while doing whatever you want.

>>Turing+67
He did:

"Going forward, consistent with the President's direction, this Department of Justice – in a change to its longstanding practice – will not seek compulsory legal process in leak investigations to obtain source information from members of the news media doing their jobs," Justice Department spokesman Anthon Coley said in a statement Saturday.

>>bowmes+k7
Are you suggesting he's senile? Stupid? It's not clear why you'd think someone with Biden's political experience would be unaware that the President is the head of the executive branch.

>>xvecto+W4
There are only 2^32 IPv4 addresses, if you know the nonce you just try them all... no privacy provided.

If you don't know the nonce, you can't match against other users-- so not useful for abuse.

But I'm skeptical re: abuse uses. For commenters, sure-- you may need to store IPs to combat abuse. But for readers? At most you would need sampled data or in-memory counters (e.g. to catch high volume bots).

Unfortunately, there really isn't any penalty for failing to minimize private data collection.

>>hellow+E7
He literally did ban the practice, though, and the quoted line is after the reporting saying he did so?

>>xvecto+W4
Anti-spam/anti-abuse operations often look a lot like tracking. There's no point in knowing a single request's IP, or a single user's; to spot the patterns, you have to be able to join it with others.

>>GavinM+J7
> Are you suggesting he's senile?

Forgetful at the very least. Senile is unnecessarily pejorative. He's an old man who doesnt do much more than make political speeches in public.

> Biden's political experience

His team's political experience is more important, like almost all POTUS before him.

>>myself+p5
Maybe they were hoping to get enough information to do browser finger printing?

https://coveryourtracks.eff.org/

>>Sebgue+P7
No he did not. He gave a "direction". Which, legally, means almost nothing.

> “Going forward, consistent with the President’s direction, this Department of Justice – in a change to its longstanding practice – will not seek compulsory legal process in leak investigations to obtain source information from members of the news media doing their jobs,” Anthony Coley, Justice Department spokesman, said in a statement.

They are changing a "practice".

One uses laws to prevent practices one does not like, not "directions".

>>Turing+67
I think the article is conflating two points. Biden banned the practice of compelling journalists to provide the identity of their sources. That is totally unrelated to this subpoena, which is attempting to get a list of people that read a certain article.

Obviously it's also wrong to seek this information, but it's not what Biden was talking about in the quote.

>>serf+s6
What do you mean?

>>serf+s6
"They probably just wanted it [...]" is the same as writing "No, they probably wanted it [...]."

>>resolu+j6
I don't think they did. That reply tracks

>>uses+Y6
Wouldn’t be relevant for a news website.

>>vgaldi+97
And if you further restrict to US service provider ranges

>>hellow+u9
> One uses laws to prevent practices one does not like, not "directions".

If you want a law to prevent this I'm not sure why you're criticizing Biden. He is the President, no the Legislature.

If you think there should be a law, then your complaint should be for congress.

>>nullc+O7
If you use a difficult hash function that takes ~1 seconds to calculate then it would take over 120 years to iterate through the IPv4 address space. At the very least, this could cut down on dragnet surveillance

>>ed2551+X9
I wouldn't be so sure, lots of papers have comment sections and they're pretty rammed with death threats on any social issue sadly...

>>kadoba+K5
I think if we use a difficult enough hash function it should be okay? With 4 billion IPv4 addresses it would take 120+ years to iterate through all of them. You could probably rotate the nonce periodically, making it effectively worthless to pre-compute any table. But this gets complicated fast.

>>xvecto+Fa
Yes, but then I’m burning a second of compute time every time I want to log something.

Also, by removing unlikely candidates (IPs owned by irrelevant entities or that are not US based) you could get the search range much much smaller, and with the FBIs budget you could probably compute it all in a few days even with a 1-second hash time.

>>hellow+u9
Well, considering the DOJ is under his control, it’s not a “direction”, but a “law” of sorts. Actual laws come from Congress, which Biden doesn’t control.

>>xvecto+W4
There's some structure to the IP that can be somewhat useful for tracking identity.

Its imperfect, but you'd expect definitely good folks to look a certain way

>>lxm+(OP)
So DoJ is like Google or Facebook: They silently do whatever they want until it appears on HN, then they fix it.

>>nullc+O7
The best model would be to display publicly commenters IPs, never store readers', store error logs (like people bruteforcing a password).

You d have a triple virtuous effect: people would stop being such insuferable asses once they understand basically their name is on the comment, readers would be completely safe because why not and abusers would be logged still.

It's even probably what most websites do: it news to me to keep the IP of every visitor, I'd have pruned them.

>>xvecto+Fa
But then a single user clicking on links quickly would bring your webserver to its knees. So much for using those addresses to combat abuse... :)

Plus the FBI could probably narrow their search to a few hundred thousand addresses (relevant ISPs, no unroutable/multicast/etc), then only use the list to confirm.

Finally, if it takes 120 years on one core, it'll take 1.4 months on 1000 cores. I'm willing to be the FBI has access to more computing power than I do. ~100 CPU years isn't a particularly daunting amount of computing work, even for fairly low stakes research.

That search would also decode all addresses in the logs, not just one targeted one...

>>xvecto+Fa
This requires that you add ~1 second of latency to every request that requires you to hash the IP. Even if we assume relatively aggressive caching, this is still incredibly unacceptable from a user experience perspective.

Assuming you do that, you are looking at about 1193046 hours to hash the entire address space. More specifically, you are looking at 1193046 CPU hours.

You can rent a 96 vCPU c5.24xlarge instance from AWS for a rate of $4.08/hour; or $0.0425/CPU-Hour. Assuming this offers the same per-cpu hashrate as the general purpose web-server, you are looking at a cost of $50,704 to construct a rainbow table. That is no where near a prohibitive sum of money.

You can probably reduce the cost by shopping around for compute or using bare metal. You could see significant cost reductions by using hashing optimized ASICs.

Combine this with the fact that no website is going to spend 1000ms just computing the hash for every request (even if you allow for caching). And the fact that they can probably narrow down the address space they are interested in considerably if they wanted to save money.

2^32 is just too small of an asymmetry between legitimate use and an attack to be a viable defense.

>>wherei+O3
No: they wanted to identify one sex offender, probably because they knew he read this article somehow.

They did not care who read the article itself which was benign.

They wanted to create a precedent to make their job easier, not realizing maybe people care less abt solving crimes than making it forever possible to track who reads what.

>>a3n+2c
All three share the trait of being in the public sphere. Graver atrocities are happening across every other industry, they're just boring/not newsworthy so nobody really applies scrutiny.

>>mathat+P5
Right, so it wasn’t public outrage around privacy that impacted the decision at all.

>>xvecto+Ra
Why 120 years? It is easily parallelized, and with any cloud provider you can launch hundreds of thousands of computing unit in seconds. I'd say, as a private citizen, I can create a rainbow table of the IPv4 space in half a day, more or less?

>>xwolfi+Dc
Any examples? I like the transparency and self-filtering. What is/isn't this approach suitable for? Anonymous is a very common pen-name.

>>gizmo6+Oc
From a user experience perspective, you can perform the computation asynchronously. There are also hash algorithms resistant to ASIC.

But yeah, everything else you said makes sense.

>>gizmo6+m6
If you use a hard hash function you cannot brute force that on a laptop - not even a tenth of that. You can, however, spin up compute instances to brute force it in a few days if you have $50k lying around.

>>xvecto+Ra
Except you are still storing the nonce/salt (not sure which you are proposing)...which means you can reverse it, so the data is subpoenable. It doesn't really buy anyone anything, in this scenario. It could help if the logs were stolen, but that isn't what is being discussed here.

>>tekrom+S9
To paraphrase: "What did they think they'd learn?" "That's why they withdrew it."

I don't understand how that reply works. Can you elaborate?

(The best way for me to reconcile those would be to interpret it as a snarky "you're realizing it's useless, they also realized that, so they withdrew it" but that doesn't answer the question of why they made the request in the first place. Or I could interpret it as "the quote below is why they withdrew it" but that's even further from answering the question of why they made the request in the first place. Is it supposed to mean "they withdrew it so we don't find out what they'd learn"? It's hard to see how withdrawing the request helps very much there. Overall, I'm lost.)

>>xwolfi+Dc
And then my modem reconnects and I get a new IP that used to belong to some insufferable asshole, and suddenly I’m blocked / blackholed / shadowbanned everywhere and some vigilante is flood pinging me.

>>taneq+Pf
Bingo. IRC tried the strategy of banning users by IP and half the time you'd end up k-lining entire countries because their ISPs were too cheap to buy more endpoints.

>>lxm+(OP)
I'm glad they withdrew this. That said, it does appear that the subpoena was more selective than I initially thought, given the headlines. From the other USA Today article:

> The subpoena, issued in April, demands the production of records containing IP addresses and other identifying information "for computers and other electronic devices" that accessed the story during a 35-minute time frame starting at 8:03 p.m. on the day of the shooting.

A 35-minute window could still produce a large number of readers, but I assume they had some other information that would have immediately narrowed it down or otherwise confirmed their suspicions.

>>judge2+Wc
They also all three share the trait of not caring at all what we hacker newsers think :D There just aren't enough of us.

>>lxm+(OP)
In an age where newspapers were bought at news stands for cash, identity of the reader was entirely anonymous.

In an age where printed periodicals were delivered by subscription, the subscriber information was available (and yes, often tracked by local and federal law enforcement), but not the specifics of what articles were read.

Today, with Web-based document delivery and Javascript instrumentation, the specifics of who reads what articles, time on page, sections read, interactions, shares, and more, are available not just to the publishere but advertisers, any entities hacking into or accessing their systems, app developers, and more.

And, yes, law enforcement, whether under warrant, subpoena, or ... other methods.

>>a3n+2c
The DOJ was trying to catch a child molester. Not sell ads.

>>wherei+O3
It's in the article. It was a criminal investigation. This is no different than subpoenaing phone records or financial records. They had a very narrow target and a specific objective well within their purview and serving the public interest. The subpoena was withdrawn because they caught the guy.

>>Sebgue+I7
This was not a leak investigation and they weren't after sources. The article mentions the completely unrelated change in policy regarding some other cases. The only correlation is they involve newspapers.

>>tootie+Ai
The perp was being investigated for possession of child pornography. While not a saint, he was not a "child molester".

>>xvecto+ie
And now you have a ~1000ms latency between when some events happen, and when you can log them. Even assuming all such events get logged, you will be left with a jumbled mess of out-of-order events.

>>Sebgue+I7
> in leak investigations to obtain source information from members of the news media

That means they won’t subpoena journalists phone records when looking for whistleblowers. It doesn’t mean they won’t go after reader’s IP when looking for other suspects.

>>nullc+O7
But of course, the real reason is that those ips are worth analytics $$$.

>>lxm+(OP)
I am confused how reading a news story in a certain window of time could serve as evidence or probable cause or reasonable suspicion of anything. Seems utterly bizarre.

>>lxm+(OP)
It likely means they got this data more easily from a third party, like an analytics or ads provider.

>>lxm+(OP)
They'll just send a NSL instead.

>>morphe+Pl
My guess is that they have some sort of photo, screenshot, or video that happens to show that a suspect had this page open on a computer or mobile phone, and that they can reliably date the time of this photo or video.

Depending on details, it may not be an unreasonable request. The question is more one of trust: do we trust the FBI that it's a reasonable request?

This is why all the stuff like the activities the Snowden leaks demonstrated or Trump's idiotic harassment of the press through the DOJ are so harmful far beyond the direct harm they did: they justifiable and seriously erode trust, and then there is a serious case like this and "trust us" no longer carries any value. A sad state of affairs where everyone loses.

>>Dylan1+nf
> but that doesn't answer the question of why they made the request in the first place

most likely the fbi was monitoring some website somewhere and the person of interest posted a link to or talked about the article and it was 35 min after the story was posted when the guy linked to it.

>>arp242+8n
Still even if they had such a screen shot I don't get how reading a news article about a sex offender would be incrimnating even if you were a sex offender yourself.

That said...https://www.cbsnews.com/news/luka-magnotta-wanted-for-canada...

>>a3n+2c
In a democratic society, as an entity grows in power, so must the level of transparency. Otherwise the will of the people cannot be a real check on that power. Whether through standard journalism (which seems to be lacking lately) or other means this is still true.

Would you personally be (as) worried about mass surveillance if you could somehow guarantee that every use of that power would be reported on to the public; and that any abuses of power would come to light? With the underlying assumption that those abuses of power would also have consequences.

>>morphe+yn
> Still even if they had such a screen shot I don't get how reading a news article about a sex offender would be incrimnating even if you were a sex offender yourself.

What? Absolutely no one said or even implied any such thing.

Photos of in child sex abuse cases are routinely scrutinized in great detail to reveal clues about the location, time, and anything else that might lead to the individuals in the case.

Interpol has an entire website dedicated to help identify objects in pictures[1], asking members of the public to help identify everyday things like T-shirts. Actually, one of the top results pictures right now is "do you recognise this newspaper?"

No one is suggesting that "wearing this t-shirt" or "having this newspaper" is incriminating in and of itself. Finding these people from vague online pictures where they intend to remain anonymous is tricky business, and sometimes with a bunch of these clues combined with some other information they can identify offenders and/or victims.

Of course there are trade-offs involved in all of this, and it's important we have robust public conversations discussing those; as I mentioned in my previous comment, the lack of trust here is a big issue. But much of this entire thread is ... disappointing. I wish people would keep cooler heads (as well as, you know, actually read the article before commenting).

[1]: https://www.europol.europa.eu/stopchildabuse

>>zapdri+9j
The trade in child pornography enables child molestation.

I suppose that if we get very technical you're technically correct. Seems like an odd and very pedantic hill to die on though.

>>xvecto+Ra
You could try to do a more difficult hash or something (bcrypt maybe?) but I don't know if it's a very good idea. I think you'd spike your latency, open yourself to DoS attacks or only minorly inconvenience anyone reversing the hashes, or some combination of those.

>>arp242+Dp
Conflict minerals enable regimes that commit war crimes. Does buying electronics made from such minerals make you a war criminal?

>>morphe+Pl
My guess is that they have some related suspect who they claim saw the story and nuked their drives. It doesn't seem like strong evidence though.

>>lxm+(OP)
Biden has now made it policy to protect journalists from certain means of investigation, but that can be reversed easily by the next president, by Biden if they want, and because the has no legal force, courts won't enforce it and it may be that the biggest risk taken by violators is to lose their job.

Why isn't this made into a federal law? What constituency in Congress is opposed?

>>xvecto+Ee
What are the odds that a website will run a computationally hard hash function on every single HTTP request just so it can log something less sensitive than an IP address?

>>gruez+Up
This is a silly comparison and this "aha, but what about this, huh?!"-style of conversation is not one I'm interested in having.

>>LatteL+Oa
Oh jeeze with comments enabled anything goes.

>>morphe+Pl
I think maybe they have a phone, with the story in the browser history, and they want to link it to a wifi point.

>>xvecto+Fa
1 second on a CPU can easily be 100x faster on a GPU, then distributed over 1000's of GPUs. For reference argon2 was supposed to be an ASIC-resistant, GPU-resistant memory-hard hashing algorithm, but a K20X from 2013 is 5x faster than a CPU [1] and GPUs have only gotten faster since then compared to CPUs.

[1]: https://github.com/WebDollar/argon2-gpu

>>morphe+yn
It's a CSAM case. They're probably trying to prove he's the primary user.

>>morphe+Pl
Probably narrows down the list of suspects to a few thousand from a much higher number.

>>grader+Er
That seems plausible but I would think that there could be a lot of other sites the person visited that would be easier to track down. Maybe that’s what they did and the reason they’re dropping this subpoena.

>>morphe+yn
It sounds like what they were trying to do was identify someone.

It is quite common to know something about the recent behavior of someone that has some connection to a crime but not know who they are.

You might not know who robbed the bank, say, but you know their getaway car was a red Corvette with a license number that ended in 6. Or you might know that a recently killed body was disemboweled with a Kobalt brand model #TRS-5CF-K34714 trenching spade (it was left at the scene) and your forensics people were able to determine that it had not been used before this so was probably recently purchased.

In the first case, you are going to ask your state's motor vehicle department for a list of all registered red Corvettes in the area of the robbery. In the second case you are going to see if any Lowe's in the area (Kobalt is their house brand) can tell you who recently bought a #TRS-5CF-K34714 trenching spade.

You aren't asking because owning a red corvette is incriminating, or because owning a #TRS-5CF-K34714 trenching spade is incriminating [1]. You are asking because whoever did the crime is probably either in the set of red corvette owners for the robbery or the set of #TRS-5CF-K34714 trenching spade owners for the disemboweling, or someone in those sets is connected to whoever did the crime. Even if the connection is innocent talking to them can be useful--the red Corvette may have been a ride share, for example, and the driver had no idea he was serving as getaway driver, but he still may be able to provide details about the robber that will help find him.

Here it sounds like they determined that there was someone connected to the shooter and they wanted to find that person but did not know their identity, but did find out somehow that it was likely they had read that article within a 35 minute window on a particular day (I have no idea how they would have found that out).

[1] I own one. It's great!

>>arp242+8n
> Depending on details, it may not be an unreasonable request.

No. Under no circumstances is it acceptable for governments to ID readers of a news article. Such an act is a direct attack on the freedom of speech, freedom of thought, and freedom of the press. IMO it very clearly crosses a line on what law enforcement can and cannot do in a democratic society.

Note that law enforcement has (over)broad powers for investigation at their disposal already, and they were able to find the suspect "through other means." There was no justification whatsoever for the subpoena.

>>Dylan1+nf
Not being snarky- the FBI claimed they were looking for a pedo and found him elsewhere.

It could be a smoke and mirrors response to get people to say “well in that case...” but the article does answer the question.

>>dredmo+Lh
You can get around that if you search for link urls in archive sites.

Someone usually will have archived the article there.

If you feel a bit more ambitious you could make a bot that runs on a vps somewhere and automatically scrapes news articles.

>>uses+Y6
IP is not a person identifier. They should not be allowed as evidence in criminal cases.

>>qualud+rw
Sure. But that's not the point.

>>qualud+rw
Tor seems to work reasonably well, except that many mainstream media sites block, throttle, or CAPTCHA it.

>>mcbutt+9u
That's what I think, yeah -- they cross-referenced the information anotherway (from another technical source or like you say, another site maybe) and withdrew.

>>cschep+Sg
I think the reason we often see FAANG-related issues actually resolved when they're posted on HN is that so many programmers who work at these FAANGs read HN and can escalate real issues internally.

While there probably are thousands of real issues that don't make it onto HN and thus never get resolved, there's probably multiple millions of people just as desparate that are just trying to skirt some rule or are telling half-truths to try to get their way and bypass policies.

>>njharm+9x
There is more to investigating then gathering admissible evividence.

For example, if you are talking with Alice and she says that she heard from Bob chat Charlie was in the office at a weird hour on the day in question investigators have gains nothing that they can admit as evidence [0]. However, there is nothing that anyone (defense or a third party) can do challenge this portion of the investigation other then keep it out of evidence, and the investigators are free to follow up with either Bob or Charlie to get something that would be admissible.

>>dredmo+ex
Combine Tor Browser with the archive.org/archive.is sites?

>>dredmo+ex
Yeah I like tor because the tor browser has built in fingerprinting protection.

Otherwise you could use a privacy hardened firefox version along with some kinda proxy.

I would say you could rent your own vps, use a vpn service that maintains their own servers, use a decentralized vpn (these are a new development) or just use someone else’s wifi that you don’t also use with your „real“ identity.

Opsec can be hard to maintain but boy is doing so fun.

>>pabs3+Gy
Internet Archive / Wayback Machine works.

Archive.is runs Tor through a Cloudfront captcha which fails consistently in my experience.

>>dredmo+ex
VPN plus incognito (private) browser window is easier than tor and roughly same protection level. That is for general use, not for hardcore anonymity.

>>arp242+Dp
I wouldn't call false accusations of such a serious crime "technical" or "pedantic".

I'd call it "profoundly misleading about a serious matter" at best.

>>zeroim+fr
The website could cache the hash for an hour or two.

>>grader+Er
It's also possible they've got a video or picture with the story open on a screen in the background.

>>lxm+(OP)
I must be missing something here. How does it help an investigation by fetching the meta data of those who read an article? Anyone could of read the article within that time period.

>>mcbutt+9u
This is just a charitable guess. A guess with equal probability to anything.

Another guess is they want a precedent to subponea Fox News readers and classify people by political opinion. Albeit less charitable, it has equal probability.

>>judge2+ly
This makes me wonder how a Hacker News-for-politicians variant would fare, if political managers at various levels in the chain could post under a pseudonym to bring high level attention to some broken or un-oiled cog. Not necessarily for civilians to find out but for other political operatives to learn about and pull whatever levers they can pull to resolve issues internally. My understanding is that the government (at least the US Fed) is very top->down information wise, and e.g. a town clerk in Kansas has no available way to interact with INS even when they need to for their job.

Let's say one day you stumble upon some nuclear centrifuge in the middle of a field. Who do you even call and how do you do it in such a way that you don't end up on the no-fly list for the rest of your life?

>>arp242+Dp
Child pronography is any depiction of someone under 18. This includes:

- Drawings, 3D renderings,

- People you don’t have the ID of. Remember the joke: “Actress ___ turned 18, it is now legal to watch her films.”

While one of the gravest crimes, accusations of CP made by police are wildly different from a human’s definition of it, and it is also at high risk of being used for political reasons, we need to keep that in mind.

>>dredmo+Lh
The "other methods" is the curious facet of this story to me. With stuff like this [1] [2] I wonder if the FBI really "needs" USA Today to comply to get this information or rather, this is part of a long-term strategy to get legal precedent on their side. The same dynamics were in play with the San Bernardino shooting, where they made a big deal out of getting data they didn't seem to actually need.

1 https://en.wikipedia.org/wiki/Utah_Data_Center

2 https://en.wikipedia.org/wiki/Room_641A

>>user39+DH
I hadn't considered the precedent angle. That's an interesting one.

I was thinking along the lines that evidence already exists that would provide much the same value as the access logs might, but the access logs would either provide cover for introducing that evidence, or provide the value without disclosing other surveillance methods.

Either of those prospects is troubling.

>>nuker+KC
History's shown that for numerous VPN providers that's not the case.

Chief value of (public/general) VPNs seems to be 1) accessing region-zoned content or 2) protection against local-segment interception.

The benefit of 2) is balanced against the fairly strong probability that the VPN provider itself is heavily surveilled or actively aiding in monitoring activities.

>>dredmo+Xz
> Archive.is runs Tor through a Cloudfront captcha which fails consistently in my experience.

Just tried it now and works for me.

It is an annoying captcha, it had something like five steps to complete, but I've seen worse. I'd rather this captcha than the one that Roblox uses.

>>lxm+(OP)
This is a disgusting over reach of power as usual by the American TLA's.

Please remember to always use a VPN, Tor, or other similar technologies when using the internet to shield your self from basic infringements of your privacy like this.

>>sorami+hv
It seems no different to me than subpoenaing say, a private clubs membership records.

The danger comes when law enforcement uses the evidence they gather from one case, to target someone who hasn’t committed a crime. Which clearly hasn’t been shown to be done here.

>>morphe+Pl
I’d imagine it’s part of the process of attribution for something. If you know they accessed the news site during a time frame it may help with attribution or possibly placing them in a certain location at a certain time - both of which might be important and both of which you may know via some out of band method.

It could also be used to de-anonymise someone if they made an OpSec mistake e.g. accessing the news site outside of Tor or a VPN and you happen to know (via some out of band method) that they did this and so could use it to get their actual-IP.

It wouldn’t be a straight forward “if you accessed a news page you are guilty of something”.

>>mcbutt+9u
Article:

> was withdrawn after investigators found the person through other means

>>dredmo+Lh
Actually this track-ability is what is keeping me from subscribing to news websites. I'd easily pay a few bucks to them for the privilege, but I don't want to log-in or identify myself every time I read an article.

>>simfoo+5L
Absolutely this, yes.

>>nuker+KC
Those youtube ads sure helped the VPN popularity. There is absolutely no reason to believe VPNs are even remotely secure.

>>simfoo+5L
Yeah for this you would need to sign up using a one-use mailbox, pay by mailing in a cashier's check, atop hiding your traffic. Possible with the NY Times, at least.

>>dredmo+Lh
> In an age where newspapers were bought at news stands for cash, identity of the reader was entirely anonymous.

Still, everybody on the street could see what we read while carrying the paper home. That can easily be dozens or hundreds of people. In some sense the periodic subscription via snail mail is in some sense the most private form. Sure, in the Web everything is tracked but in the average case literally nobody is aware of what we read. The worst case scenario can be quite bad though...

>>morphe+Pl
>> how reading a news story in a certain window of time could serve as evidence or probable cause or reasonable suspicion of anything.

So... I have no idea how they thought it would apply in this case, or what investigators had in mind.

That said, very broadly and in theory, in today's world almost any data point can be predictive of almost any behaviour. This is the premise of ad-tech. Less amorphously, you could probably construct a theory. People reading the story within a certain window of time, within a certain geographical area... etc.

Evidence, probable cause & reasonable suspicion as legal terms, that's a different matter.

>>chrisr+PN
Why a cashier’s check? Shouldn’t you send in $1 coins (after baking them) and pray that they arrive?

>>ncalla+ba
Is there a written order from the President saying this. Is it public somewhere? If not, it's just PR.

>>colejo+9b
Same question to you: is there a written order from the President saying this? Is it public somewhere? If not, it's just PR.

>>skissa+AI
You only get that far with JavaScript on. At that point, tor is like a hot pink tank. In theory safer than nothing, but standing out a lot.

>>taneq+Pf
Maybe in the 56k days, but my DOCSIS ISP rarely re-assigns IPs.

>>mathat+P5
Sounds like they subpoenaed dozens of websites. While USA Today fought it, the rest fell right over without mentioning it/fighting it.

I’ve seen this before where a user got an email from Google legal about a subpoena against them, spent $7k successfully fighting it, but it didn’t matter because several other $BigCos didn’t even let the user know.

>>malwar+Km
Don’t think that works for pedos. But if we’re not allowed to see the NSLs, then who knows what they contain.

>>dredmo+hI
Parallel construction.

https://en.m.wikipedia.org/wiki/Parallel_construction

>>lxm+(OP)
im just curious how they knew the person of interest read that article?

Was he a person of interest in the lead up to the shootout, who got away, and they were just grasping at straws to discover a list of local area IPs correlated with known addresses he might have been hiding out at so they could obtain a search warrant?

If that's the case, then honestly I don't think this is any worse than when they force say Google or Facebook to provide such data to government.

I don't see why the USA Today should get any special privileges over any other tech company just because they are "media".

If we want to have an argument about the Government abusing it's power to spy on us in general, that's one thing. But the USA Today is literally saying its more important they protect the illusion of their readers "privacy" (which we all know they don't care about your privacy are willing to sell all your personal info to the highest bidder, its in all their TOS) than it is to try and help the cops catch a child predator...

I do agree that this does establish a troubling precedent, but i kinda thought Snowden already made it blatantly clear that the NSA and the CIA is already doing this.

It seems to me that the FBI is basically just trying to play catch up, which we should be concerned about because they are supposedly the agency put in place to police us. Those other agencies are supposedly only supposed to police the world.

(which i never understood why thats supposedly okay. Americans are the only people entitled to their privacy?)

>>mortde+jT
> I don't see why the USA Today should get any special privileges over any other tech company just because they are "media".

Because freedom of press is (in all democracies) one of the highest ranking human rights.

>>Scound+aR
Yes that's true. I had JavaScript on.

I agree that turning on JavaScript with Tor is risky from a security viewpoint. It significantly increases the risk that your real identity may be unmasked.

>>Scound+VQ
What do you mean by "baking"? Google is unhelpfully showing me results about crypto currencies and how to literally bake coins into a cake.

>>xvecto+Ee
>force that on a laptop

They said: "personal computer", which could easily have 2x GPUs and 16+ cores. Heck, laptops nowadays can have a pretty good discrete GPU.

Using password grade hash with a =nonce= is absolutely no way to be accomplished per each request. The nonce would have to be the same for multiple uses - hence NOT a 'nonce'. The sharing of the said non-nonce would require a form a replicated Map (or IP-sticky processing with a local map). It's rather convoluted solution for absolutely no benefit as it's still not hard to brute force.

Storing it in such a way - slow hash + salt yields no benefits for debugging either, so I wonder why would you do so? Password hashes are useful for proving a match with an unknown plain text (while making it expensive to brute force) - so what would be the exact purpose of having non-nonce+IP?

>>kadoba+Pp
>(bcrypt maybe?) but I don't know if it's a very good idea

b/scrypt and all other password grade hashes are slow on purpose but they are slow per each use. Imagine the processing takes 0.1s (which is on the low side of hardness) per each request - you just killed all your servers w/o any designated DoS. If you abandon the nonce and use the same salt multiple times (so the computation is amortized), it'd take a replicated cache of IP->hash and even then it still doesn't accomplish much...

>>morphe+Pl
It makes sense that the person would be scouring the news for an incident that involves himself. Isn't that in Sherlock Holmes - The Study in Scarlet? Sherlock used false advertising in a newspaper of a missing ring found near the crime scene. The person who claimed to have the ring is the culprit. This also happens in Death Note, another work of fiction, where L, the detective, uses news media to narrow down the possible suspects.

>>george+4J
By the time is is shown to be done you have already lost your freedoms.

Media, news and journalists and their sources have special protections and consideration that random private club does not.

>>simfoo+5L
It's quite likely that if you do not use an add blocker and disable all social media tags on those pages using a js blocker that what you read is already coupled to your profile in some database.

>>kangar+kt
That's called a dragnet. Suspects are not found by this method, innocents are found, it all hinges on the assumption that the guilty party will be present, which in fact may not be the case. Good policework identifies the suspect first, then finds corroborating evidence.

>>beermo+aJ
Copy-paste deanonimization attacks are thing and have exposed people in this exact manner.

Having only one connection going over Tor is a big risk that forces the user to constantly recalculate the information horizon. Easy mistake to make.

>>gizmo6+jj
Why does your logging system rely on the order of entry insertion and not on the entry timestamp?

>>qualud+Hy
Haven't heard of decentralized vpn yet, have any suggestions to look into?

>>1f60c+TU
Heating them in the oven to clean off any identifying residue.

>>dredmo+Lh
I still read my "primary" newspaper like an old newspaper, in a sense.

Yes, I read it on my iPad through an app, but it simply renders a PDF of the actual physical newspaper and its layout.

So there's no way to fit dynamic ads, JavaScript nuggets, etc. They can't really determine what article I read.

I think that should really be the norm for electronic newspapers. How is it in other parts of the world?

>>george+4J
Equally bad. Freedom of association is also an enumerated right. Without demonstrable cause, none of the government’s business. Yes, I’ve been protected from such harassment thanks to that right.

>>dalbas+HO
> almost any data point can be predictive of almost any behaviour.

This isn't really true, though, even in theory. In practice it's much worse, as we aren't very good at using even large collections of data points in most cases to predict behavior. We can in some very few, narrow contexts occasionally do better (sometimes much better) than a random guess once in while.

>>Scound+n41
I would use an acetone soak.

>>hyperb+vl
It's also useful forensic data if your site is ever hacked.

>>sidlls+K81
I didn't mean it quite literally, and specified that I'm not suggesting that police had something like this in mind. My uneducated guess is that police were after something specific relating to other information that they already had. That's generally how police investigations work.

That said, the one relatively broad concept where "we" consistently do better than random guesses is ad-tech, which is where the bulk of private efforts to this effect are concentrated currently. The premise here is quite literally "every data point is predictive of behaviour," behaviour being stuff related to the goals of advertisers.

It's not a huge leap to suggest that fb & adwords' system can be used to predict crime, insurance claims, HR-related stuff etc.

>>hannia+831
Two providers that I know of are Sentinel vpn and Mysterium vpn.

They‘re like tor where anyone can run their own node, but unlike tor there is a financial incentive to run them because they come with built in payment processing solutions via cryptocurrencies.

Some people are skeptical of cryptocurrencies but I consider this to be an excellent use case:

Securing coordination between actors that don’t necessarily trust each other through market incentives.

This would incentivize people to run their own nodes and it would be less like tor where most exit nodes are allegedly run by intelligence agencies.

>>dredmo+nI
With some vpn providers you can look them up in court records to see if there are any mentions of them keeping logs.

>>nullc+O7
An example of using IPs to combat abuse is Wordfence. It's a WordPress plugin which blocks traffic from known abusive IPs. A quick glimpse at the "live traffic" for one of my websites reveals several IPs within the last hour that have attempted to access the site which were blocked.

A site I was repairing after a hack fortunately had server logs which included IP data. That IP allowed me to identify the specific exploit used.

So, there are definitely uses for IP data in security terms.

>>user39+DH
I this case, I think it's a genuine mea culpa from the FBI, without explicitly admitting they were wrong.

The subpoena, and USA Today's response [1] paints a picture of an incompetent and/or inexperienced FBI agent, who is unaware of existing Justice department guidelines specifically prohibiting her from serving such a subpoena.

Reading between the lines, citing "other methods" is the FBI's way of quietly withdrawing a subpoena that should never have been served.

[1] https://storage.courtlistener.com/recap/gov.uscourts.dcd.231...

>>simfoo+5L
Same here. They could send out a daily e-paper though (and some do!).

>>sidlls+K81
We may not be good at this, but the collective wisdom at most corporations states that a best predictor of what someone will do, is what they have done in the past. My point is that it is being used and inferences are drawn regardless.

>>a3n+2c
How does HN play into this at all?

The FBI served USA Today with a subpoena. USA Today's lawyers replied to the FBI, stating that the subpoena is "not authorized under federal regulations, and object to its service" [1]

[1] (page 15) https://storage.courtlistener.com/recap/gov.uscourts.dcd.231...

>>lxm+(OP)
They're just going to get it from they payment providers like Visa, Mastercard, etc. Maybe even ISPs. Just because they gave up on one avenue doesn't mean they won't use other methods to get what they want.

>>simfoo+5L
Ads technica disables tracking if you are a paying subscriber last I checked

>>nexuis+1G
https://en.wikipedia.org/wiki/Bureau_of_Sabotage

>>lxm+(OP)
This is almost certainly a case of attempted parallel construction.

Indulge my hypothetical:

1. A newspaper article is posted at 1PM.

2. A suspicious comment that contains nonpublic, incriminating information is posted on a message board at 1:15PM. That comment links to the USA Today article. The message board is outside of FBI jurisdiction.

3. The Feds already know the identity of the commenter through an illegal and/or unconstitutional means of data gathering. (Think of all the secret taps built into AT&T's networks, their Stingray devices, all of the unpublished vulnerabilities exploited every day by TLAs, etc.)

4. If the Feds can get the identities of everyone who read the article during the window immediately before and after that comment's submission, they may be able to use other information to narrow that list down to one or two suspects and use that to sway a judge to issue a search warrant. Because they already know who they're looking for, I wouldn't expect this "narrowing down" process to be particularly even-handed.

>>lxm+(OP)
They need to be penalized. For every high profile incident like this, there are many more that never reach public scrutiny. The leadership needs to be made accountable.

>>tooman+Al1
I think describing this as a "mea culpa" when the FBI has refused to admit any wrong doing or mistake and also has issued nothing like an apology, is not reasonable.

> "The subpoena is being withdrawn because intervening investigative developments have rendered it unnecessary," an FBI spokesperson said.

I think this is nothing like a "mea culpa", but instead has absolutely everything to do with managing the establishment of precedents to work in the favor of the FBI whenever possible.

>>Scound+n41
I highly doubt baking them will do that.

>>tooman+on1
Well, the story has appeared on HN recently, so ...

It's an inside HN joke, to point out that the less exposed something "bad" is, the more likely it is to continue, and if it becomes widely known (not merely publicly available), then there is often visible backpedaling.

>>qualud+He1
I suppose nothing is stopping nodes from logging activity from each ip address?

>>Scound+6S
I’m not American and I’m curious what is your personal position on this. And I wonder how far your logic transfers to the real world. If FBI subpoenas you to show CCTV records in your convenience store to identify a suspected child molester, do you insist you should fight that subpoena and “let the user know”?

To what extent do Americans want to not help investigate crimes to defend corporations “protecting user privacy” (all while these corporations collect and keep the data to themselves and do as they please, including profiling and selling it to third parties).

I guess there is some greater good that your position intends to stand for, but what is that greater good?

Genuinely curious.

>>hannia+DF2
I don’t know. Maybe there’s a hash value for the code that you can look at to make sure it’s the right code. Haven’t personally looked into this.

>>donny2+NM2
Not American either. As for fighting the subpoena themselves, that's the corp's choice, but kinda nuts to not let the user know about it if they're not going to fight it themselves. But falling over to a government demand (valid or not) protects you from future antitrust accusations.

Answering this from the point of view of an informal request: If it's not a situation of active harm, then they have time to get their court order. If it is a situation of active harm, there should still be a process to ensure the request was valid after the fact. Police can and do lie to get access under false pretences. Without a valid followup process, you can't be assured their request is legit.