AOL Happily Releases Information to Cops 124
DigDug wrote in with a scary article about how
closely AOL cooperates with law enforcement agencies. In
the article, a local (Loudoun County, VA) Sheriff's Deputy is quoted as saying,
"AOL is extremely law-enforcement friendly ... they don't
hold anything back." While I'm sure we all want criminals
brought to justice, there are some serious privacy concerns
here. If you send e-mail to someone with an AOL account,
apparently you'd better be v-e-r-y careful about what you say.
Re:Let's create free AOL-like services... (Score:3)
(2) If someone emails you with a credible intent to commit a murder, you're failure to present that to the police does not make you a de facto accessory. In the majority (but not all cases) a failure to act does not impose criminal liability. Most often, you have to give aid, or participate in the planning, with a culpable state of mind to be an accessory. If you go to an extra effort to withhold the evidence, you may be guilty of obstruction of justice. If you intentionally deceive and make false statements about the evidence, you could be charged under one of the many perjury derivatives. (Perjury usually requires a sworn statement, but there are satellite laws that cover filing false reports, etc.) You are correct that someone could come forward with the letter as evidence. This could be very persuasive toward establishing that you were part of a criminal conspiracy. This is especially true if coupled with other circumstantial evidence involving the crime. In mixed situations, your failure to disclose the letter or warn the intended victim could make you a liable for a tort against the victim (and subsequently his estate), or against his close family for wrongful death.
(3) I think you are correct. I have never had a personal account with AOL, but I was with a company that did business with them in '93. I do not recall there ever being a representation that your handle created anonymity. I don't know what AOL considers from their point of view, but it is in issue as to how cozy they are with authorities. The article seems to imply, without overtly stating, that AOL may cooperate in absence of a warrant. Furthermore, the issuance of these broad warrants in frequency and scope appear to tread real close to constitutional violations of search and seizure.
IMHO, I think what scares the pants off of these companies is that they do not kiss the a#$ of the authorities, a zealous prosecutor will hit them with RICO charges. I am not a personal fan of RICO, its too big a weapon in the prosecutors arsenal. Its scope for seizure of personal and corporate assets is far too large, and its burden of proof is entirely too small.
Get paranoid or get caught (Score:1)
Re:Let's create free AOL-like services... (Score:1)
If the courts rule in favor of service providers who disclose such informations, people will start forming their own "black-market" networks to avoid these firms.
This argument could be made against any bar/pub/drinking establishment who employs a bouncer/security person/off-duty cop.
The message sent by employing these "enforcement" types is clear enough: you might break the law, but we won't let you do it HERE if we can stop it!
There are, and will be, people who clot into clandestine gatherings for drinking/gambling/fighting* as well as for trading and partaking in illicit things. But limiting access, reporting crimes, etc. removes the legitimacy of these actions and DOES, in fact, deter otherwise-good people who might be tempted to break the law. *standard disclaimer. No diatribe is planned, intended, or insinuated for or against drinking, gambling, fighting, et al, and none should be inferred.
Re:This is stupid. (Score:1)
-Al-
Re:Please be realistic... (Score:1)
Okla City bomber - Timothy McVeigh and had 19
years in with the US Navy. He reached an out of
court settlement with AOL for $$$$$.
Re:The real issue is evidence (Score:2)
Recently there was a big international company with a cracking/phreaking problem (the problem was really with a piss poor attitude by management to enforce a good security policy).
Their lawyer and CIO wanted to tie together all the intrusion detection systems, the firewalls, some sniffers, a certificate authority, and who knows what else, with the goal of providing a chain-of-evidence that they could hand (or email to) some prosecutor somewhere and have it stand up as evidence in court. Oh, and since the cracking attempts are coming from europe/russia/australia, can the system be completely international and stand up in any court.
"Looky here, Mr. State Attorney General, we were attacked by a ping flood from these IP addresses, and we carefully recorded each and every ping packet hitting our firewall in this log file. We want you to prosecute."
For some reason, Dilbert strips weren't funny for weeks after that episode
But on the flip side, imagine what a naive prosecutor would do if someone handed him a log file with some spoofed IP or email addresses in it, showing some kind of real world crime (drug dealing or car theft). Granted, there should be other evidence to back up any prosecution, but cases have gone to trial on less. That's the scary part.
the AC
Sure, they'll work with the Law . . . (Score:1)
Interestingly, while AOL rolls over for the government, they seem to have little interest in helping the net community keep the neighborhood a nice place to live. Of course, any particular individual can't do much to hurt AOL, while falling in the government's bad graces might possibly be fatal to its financial health.
Jake96
Um, backup copies? (Score:2)
That would be my guess. Especially in an "ISP" full of net-newbies, said net-newbies probably crash their e-mail on a regular basis.
Hell, I've done it on my college account and had to get the sysadmin to do some really weirdoid stuff to get my unread mail back. (Learned some interesting lessons about VMS along the way, but that's another story.)
That's what Freedom's for (Score:1)
I was there to see these guys announce their second beta at DEFCON and the software looks really sweet. In a nutshell, it allows you to create cryptographically secure pseudonyms that are mathematically impossible to trace to you. All packets you send are encrypted multiple times through five different servers in different countries, none of which know anything but the server before and the server after. When your packets leave this "cloud", they can come out in any country you choose: Netherlands, Mexico, Japan, wherever. REALLY controversial stuff, and very very cool!
The best part is that their client is about as easy to use as the AOL client and handles everything automatically, including a built-in "cookie jar" feature to capture all Web cookies and assign them to the appropriate pseudonym (so nobody can deduce connections between nyms through cookies) and an email service that works with your existing POP clients.
Unfortunately, the first version is only for Windows 95/98, but even that is part of their great business plan: get it out to that 95% of the computer community first, where it can do the most damage, then make the Linux/Mac/whatever versions later. At least we have VMware and Virtual PC to run it on other platforms in the meantime.
My only fear is that, even though Zero Knowledge Systems is in Canada, the US will somehow be able to shut these guys down as soon as they figure out what's going on.
Disclaimer: I'm not affiliated with ZKS in any way other than that I know the guy who drew their icons. :)
Melissa was a big deal. (Score:1)
I agree that a macro virus is not as technically challenging to write as one that encrypts the boot sector, but it seems to me that many hackers are too quick to thumb their nose at it. Consider the following:
1. Melissa has got to hold the world record for speed of transmission. Isn't that worth something? Vicodin came up with IMHO the best virus transmission scheme yet. Of course, maybe this is just a testament to the number of morons in the world.
2. The first macro virus I ever saw was also the creation of Vicodin. It was the one that put "Dr. Diet Mountain Dew" in your registry. This virus would concatenate your name and the name of a printer and put that string as a comment on every other line of code. This was done in the hopes of making it harder for scanners to detect. In short, it was a stealth macros virus. It could also override the 'Macros' dialog box so that you couldn't see it was there. Now come on, that's cool!
I happen to think the people who make viruses should be punished, but I still enjoy looking at the source code. It doesn't matter to me that they're written in cheesy visual BASIC; I recognize a hack when I see one.
Chernobyl sounds nasty, but far fewer people have been infected by it. I'm sure that's why the media doesn't talk much about it.
One last thought... If you are dumb enough to drive into a telephone pole and your air-bag fails to deploy, you can sue the manufacturer of your car. You can sue (and win) even though you are the real idiot.
The technology to prevent macros viruses from spreading has existed for years. Emacs has a nice solution. So does Java (the Java virtual machine). Why do you think there are no IE or Netscape viruses? It's because these products use a technology that encapsulates the code, be it Java or VB, in a virtual machine. Why doesn't Microsoft use the same technology in Word?? Does this make MS negligent in the same way that a car company could be held negligent? Do you think that's air you're breathing? Hmm...
search warrants vs. subpoenas (Score:2)
Raytheon wanted to find out which of its employees were badmouthing the company in public via AOL, so they sued "John Doe," which means they filed a lawsuit which said, essentially, "We don't know who we're suing just yet, but by Ghod we're suing somebody." With the civil suit filed all nice and pretty, they typed up some subpoenas demanding the identities of the John Does, and carried them over to AOL, who turned over the true names behind the aliases.
Here's the absolute best part: as soon as Raytheon knew who the employees in question were, they dropped the lawsuit. Then they either fired or disciplined all the employees involved.
This is called a tactical lawsuit: it's one where you don't give any sort of damn what the suit's own outcome may be; you file it just to make sure there's a lawsuit in place so you can do things you ordinarily wouldn't be allowed to do. Here's how it works, fable2112 [mailto]: Say for example that I hate you and decide to kick your ass. If I ask servtech [servtech.com] who you are, they will promptly tell me to go to hell, which is as it should be. Since that approach won't work, I'm going to file a lawsuit: I sue John Doe for inducing mental distress in a SlashDot article. Nevermind the suit is complete crap. Nevermind it will never see trial--a lawsuit is a lawsuit, and I can use it to start issuing subpoenas. I send a subpoena to servtech [servtech.com], demanding your name and billing address. Are they going to tell me to go to hell? Of course not! I've got a subpoena--a court order!--demanding to know who you are. So instead of fighting it, they turn over your billing information. Now that I know where you live, I can drop the bogus lawsuit and cheerfully proceed with the asskicking I've decided you deserve.
Is any of this bothering you yet? Keep in mind that up to the actual asskicking, everything I did was completely legal. The great big question here, whether it's about AOL or any other ISP, is how much cooperation should they have given me? The obvious answer is "none." The legally viable answer is somewhat more nebulous.
Just something to contemplate.
Disclaimer: I don't actually want to kick your ass.
--
Re:This is stupid. (Score:1)
A clever prosecutor could argue that: (1) Its common knowledge that criminals engage in conspiracy using the AOL service (2) It would take little effort for AOL to maintain email logs (3) They intentionally looked in the other direction to allow this activity to occur and further their business interests. Prosecuted under RICO, they could seize most of the corporate assets and possibly even the private assets of the executives. The executives would have the burden of proof of showing that their assets were not fruits of the criminal activity.
Personally, I wish AOL would show a little fortitude and act in the interest of personal privacy. I think that's the trade off you have whenever you choose a big, public business as a service provider. While you may get some corporate stability and perhaps additional services, you can expect them to CYA when push comes to shove.
AOL and warrants (Score:1)
"In 1998, Senior Chief Petty Officer Timothy McVeigh (no, not the bomber) was dismissed from the Navy after being outed by an America Online representative who received a phone call from a Navy investigator--with no warrant, no court order, no proof at all that AOL was legally bound to release the information that connected McVeigh to a user profile that said he was gay."
Law enforcement does not just pursue criminals, they pursue suspects, and the information they may get from AOL includes information/messages about people other than the suspect. I went through some pretty rough shakedowns by police myself merely because I was friends with someone who was suspected of engaging in illegal activities 8 years ago - of course all his frends also became suspects. Six months later they finally decided he hadn't done anything wrong. In the meantime I was confronted by police and questioned at work, in class, and at home. I was even told by one officer he hoped I got my ass fired from work (since they were confronting me there) because I was obviously a drug dealer!?!?!
Entrapment (Score:1)
* Why should I care? I don't engage in any of this activity.
* I don't want people online to be doing these things.
That's disturbing from a philosophical perspective. However, I think that AOL is engaging in the practice of entrapment for greedy corporate purposes.
Should you have AOL (I don't thankfully), I challenge you to find a larger area than the "perverted" message boards and to find a member created chat room that has nothing to do with sex. Find me all of the profile advertising escort services. AOL could easily crack down on behavior that would bother mothers. But they don't. Why? I'll bet that 25% of their revenue stream comes from this areana.
Should someone be allowed to open up a house where no one yells at you for smoking crack and then later calls the police after you've been smoking there for a year? Something is clearly wrong.
AOL creates a forum in which "perverts" can exchange information extremely easily. They provide message boards which are hardly regulated, rooms which run rampant with sex requests, and eventhe ability to send e-mail from an "anonymous" account (you don't have to input any person information to create additional accounts!). AOL has a way of separating the parents from the perverts: Terms of Service (TOS). This keeps illicit behavior out of the Moms' chatrooms, but who is going to TOS someone in a memeber created chatroom like "LittleGirlPics."
Another concern I have is the implication of AOL users being cited for online activity that occurs outside of the AOL domain. If you do something within the proprietary service, AOL certainly has a right to stop you. But, if you are surfing Usenet or the Web and come across salacious material, does AOL have any jurisdiction? I think not.
I think that users should send a message to AOL: prosecute everyone and stop facilitating illicit activity or allow it to happen and do not cooperate with law enforcement agencies.
There's a solution: use online service where you are afforded more freedom.
AOL is too big to make enemies out of the feds. (Score:1)
Loser a user or two, or fight the man..
A Question (Score:1)
Of course, I think it's insane to trust AOL, period. I imagine that if someone who ever used their service were to be sued by them (say they started their own, more successful AOL type service) AOL would probably make sure anything uncomfortable or embarrassing to them that they sent through Email on their service would be released to the media. I distrust the government, but I distrust AOL even more.
Re:Road Runner - for the record (Score:1)
Ask Harris or Mark about Scott Crain. =) They'll set'cha straight.
Scott
AOL Spamdinista
Please check your facts before you open your mouth (Score:1)
Well, I guess we now see exactly how bright you are.
1) AOL's headquarters are in Dulles, VA (Sterling, VA if you want to get picky). Loudon County.
2) Not only that, Anne Arundel county is in Maryland, not Virginia.
3) And last, sorry, no. Cops need a court order to get info out of AOL. Noone can just walk up and take any information they want, cop or not.
Sure, if you want, go ahead and dredge up AOL's past transgressions and claim they're still valid today. But I could just as easily say all the British are bastards cause they want to tax the hell out of us Americans. Sure, it happened some time ago, but it's no longer true.
---
Re:This is stupid. (Score:1)
The buzz (meaning I have memory of it but no documentation) was also that AOL was in the news a few years ago when it gave the FBI files that were allegedly child pornography. The files, however, were encrypted and the FBI couldn't open them. An almost funny story, except when you stop to think about it. The buzz was that there were no warrants and that AOL monitored and gave up copied files based on a FBI request. AOL took some heat for that in some groups, but because all actions were under the ruberic of 'stopping child porn' many people were willing to overlook it. That ruberic has been the magic phrase every since and was the rallying cry for the CDA (Communications Decency Act). AOL, unwittingly or not, sets precidents for how far privacy can be ignored and I wouldn't be surprized if they are cited as examples in internet privacy legal actions in the future.
So maybe this isn't so stupid. AOL honors all warrants, frivilous or not, and sometimes doesn't even need one to give up their customers. AOL is setting the tone and raising government expectations of privacy invasions.
Re:No need for /. people to worry, but... (Score:2)
Here, here! (Score:1)
Their understanding of the technology is no limited that they'll take a "shotgun" approach to law enforcement where information technology is concerned, taking everything they can get their hands on, without a thought as to what it is, or what it's used for.
Hopefully, as more technologically savy folks get into the justice system, this will change, but for now, it's really another growing pain of having a fundamental shift in the way things are done.
That doesn't mean, however, that that's an excuse for some of the things that are done by the criminal justice system. Any violation for fourth amendment (is that the right one? Search and Seizure?) rights in a computer related case should be dealt with just as harshly as it would if it was a non-computer related crime.
Re:Here is a few tips (Score:2)
http://www.zeroknowledge.com/
Sensationalized common sense strikes again (Score:2)
Now, wait a minute. Any legitimate business of ANY kind (not just an ISP) tends to have to cooperate when court-ordered to release records pertaining to a possible crime.
But since the great polarization of all net issues is "the net is full of kiddie porn and hatred" vs. "our right to privacy is being taken away"
You know what really burns me about this article? It's perpetuating the link of "Internet user" to "child molester" in much the way that the media has in the past, say, linked "male preschool teacher" to "child molester." *sigh*
There are sickos out there, and plenty of them ARE on the net. However, most people on the net are NOT engaged in illegal activities beyond the rather generic sort that might be expected of a more-socially-liberal-than-average sector of the population (smoking a bit of pot here and there, breaking laws against consensual sodomy, providing alcohol to 18-20 year olds, "stealing" the occasional office pens and pencils, that sort of stuff).
And if people were seriously wasting their time prosecuting THAT, and using it as an excuse to read e-mail, then I'd worry. And the Raytheon bit does bother me. I'd've liked to see an article on that rather than this done-to-death "child molester" and "trench coat mafia" concern.
OK, Let's all Calm Down Here.... (Score:1)
2. AOL says they will only do this with legal court action - i.e., a search warrant.
3. If you've got a problem with the consequences, don't freaking do it. If you can't do the time, don't do the crime.
NOTE: Parse crime as action, not illegal activity.
Basically, it comes down to this - don't say it online if you wouldn't in real life, and don't worry about this supposed "invasion of privacy". There is none. This article is a fluff piece about the relationship between the local sheriff and AOL. This is nothing new. If you think your ISP/university/ADSL provider/whatever wouldn't release information asked for in a warrant, I got a bridge in Brooklyn you might be interested in.
Barney Fife of the FBI (Score:1)
Chuck
Re:The real issue is evidence (Score:1)
keeping private information private (Score:2)
Looking at the outrage here, I have to admit it's a little surprising. It's been common knowledge that law enforcement hangs out in "questionable" chat rooms and that ISPs have to pony up info when ordered by a court.
The answer is pretty simple: don't say anything online or in e-mail you wouldn't want a police officer to hear in the first place. For most of us, that doesn't put a whole lot of restrictions on our daily conversations. And for those who are dumb enough to say anything otherwise, well, you most likely deserve to be busted anyway.
Of course, in the immortal words of Dennis Miller, that's just my opinion. I could be wrong.
Re:This isn't good at all. (Score:1)
So submit something. (Score:1)
Of course, there might be, and you might be composing a reply right now saying "yes there is, jerkoff!". Great. Why haven't you submitted it to Rob and Co. yet, then?
If you've submitted something fairly newsworthy, and Rob n' Co. have ignored it/blown it off, then you've got a reason to complain.
Re:Big Brother? (Score:1)
Out of the entire article, only one thing bugs me (Score:1)
AOL is definitely NOT an ISP, they are a Content Provider, just like MSN and Compuserve.
As a tech for an ISP, I have a hell of a time explaining this to new customers that call in and wonder why, when they click on the connect button, it just sits there counting up the time and nothing else happens.
Re:Why am I not surprised ? (Score:1)
I begin to wonder about this one...
Scott
AOL Spamdinista
Re:Hushmail & Anonymous Remailers (Score:1)
So maybe the NSA has a cryptanalytic attack against IDEA that effectively reduces its difficulty to that of brute-forcing an 80 bit key. That's good! Then, if they have real reason to suspect someone, they can get the evidence they need. However, they wouldn't have the resources to crack everyone's IDEA encrypted messages just for the hell of it. It's all about balances.
Re:This is stupid. (Score:1)
Scott
AOL Spamdinista
Mailbox timeouts (Score:2)
Unread mail is kept for 28-30 days (Depending on when that database is reaped). This gives people a decent amount of time to get online and read their stuff. I think you'd be pretty mad if you went away for a few days and your ISP wiped your mail spool cause it was 'too old'.
Read mail is kept available to be re-read/kept as new mail for about 48 hours. (again, dependent on the reaping schedule). I know this has saved MY butt a couple times when I forgot to save something.
Deleted mail (read or unread) is deleted after about 24 hours. (That reaping stuff again). Currently AOL members can't retrieve this mail (Much to some people's dismay), but this is changing in the forthcoming 5.0 client, which allows members to access the 'Previously Deleted' folder of their mailbox (What we here on staff call the Recycle folder)
Scott
AOL Spamdinista
Re:This is stupid. (Score:1)
-Al-
How bout filter words? (Score:1)
Or is that a "no comment"?
Re:No need for /. people to worry, but... (Score:1)
So even though I dont use AOL (well aim sometimes) Im affected.
Re:Road Runner - for the record (Score:1)
I use RRlogin to authenticate with tas although I'm not sure where it came from (I just have the binary). Has anyone seen a sight with the source? Also, I'd really like to thank the guy who made it and play with the code. (My friend wrote a windows version that is a little slow and may benefit from seeing someone else's ideas)
-matt
Re:Question (Score:1)
Re:Road Runner - for the record (Score:1)
I found the address for rrlogin.c [qualcomm.com]
You can email Phil Karn [mailto] (it's creator) if you'd care to thank him. I did.
Re:Big Brother (Score:1)
Road Runner - for the record (Score:2)
Re:Big Brother (Score:1)
They don't send their logs & mailboxes to the police...
To be closer to the computer world (and to return to Bill Gates), aren't we on Free OSes to avoid a monopoly on information protocols, to avoid that somefirm (M$?) can get information about us and about our lives, our hobbies and our privacy ? If the protocol are closes, we don't know what kind of bomb is inside...
In France, where I live (excuse my poor english!), the Army has decided to go further into Linux because they fear that their secret could fly away if they rely too much on NT...
I don't know where they are into their Linuxisation, but I regret they have taken so much time to realize how close computing endanger their secrets...
For France Telecom (our national Telco), who was very pro-microsoft, they are going deeper into Unixisation... Strange, isn't it?
Big Brother? (Score:3)
Big Brother (Score:1)
-my $0.03
Please be realistic... (Score:2)
AOL, the world's largest Internet service provider, or ISP, tells its nearly 18 million customers it won't read or disclose private communication or personal identifying information except under a "valid legal process."
This is standard practise for all ISP's, and for that matter any legitimate business... if the Authorities believe that you have information that will help them solve a crime, they will ask for your assistance...
For people to see this as a problem is ludicrous, or perhaps the people that see it as a problem have something that they are hiding. The ISP's do not sit there and monitor everything you do, but if they are presented with a warrant to release information to the authorities then they investigate.
Just chill out and get a sense of reality on this thing... it's for people's benefit...
And this is different from any other ISP how? (Score:4)
The only reason this even makes the news is because AOL is so huge. If you would actually read the article and understood even the basic laws that telephone companies and ISPs have to operate under then you would know that AOL is operating no differently then your mom & pop ISP shop in the middle of nowhere when it comes to dealing with the law. So if you would get your head out of your ass and actually think, you would realize that AOL is not the problem in following the laws, but the laws themselves are what are not protecting your privacy.
If you are really worried about your privacy and you are worried about who is giving out your personal information, then maybe you should find out how that information is protected (or is not, depending on your pov) and then work to have the laws fixed.
No, I don't have an AOL account, I don't care to have an AOL account, and I could care less if AOL lives or dies. But I have worked for ISPs in the past and I know how they are bound legally and what is stated as the AOL policy for giving out information to the authorities is precisely what is required by law.
The only reason I felt the need to even make this post was because the comments that I saw were so knee-jerk and unthinking that, aside from the lack of all-caps, they could have come from AOL users. If AOL was voluntarily giving out user information without the benefit of a warrant or subpoena then this would have actually been newsworthy.
--Andrew
Re:GNU B-Day (Score:1)
Let's create free AOL-like services... (Score:1)
Consider the following. What if a person sends an email message confessing that he purchased a gun, and intends to murder a certain person. In many countries of the world, this constitutes reasonable cause for arrest and interrogation.
Personally, I think that privacy is more important, because what AOL is doing has only one outcome: People should start ditching their AOL accounts.
If the courts rule in favor of service providers who disclose such informations, people will start forming their own "black-market" networks to avoid these firms. Just like open source is doing to commercial software.
In light of what we see, perhaps we should start forming those free network services to rival AOL right now...
Here is a few tips (Score:1)
Get a few POP3 account where they don't ask any question about you. They can be hard to find but they do exist. Get also into an anonymous service. It's important to cross as many country borders as possible to make it virtually impossible to get all necessary court orders to reveal your true identity.
With fetchmail you just drain all your mailboxes to the local Linux account when you connect to the Internet.
This will make it a real pain in the *ss for anyone prying into your privacy. Use also PGP when emailing your Linux buddies about your latest C++ or Perl tips.
//Pingo
No need for /. people to worry, but... (Score:3)
These people never heard of PGP, and as far as they're concerned, their email is private. These are the people about whom we should worry; the technologically ignorant are most at risk.
Re:Here is a few tips (Score:1)
Haven't used it myself (mainly because I don't have anything to hide), but it doesn't look difficult to set up. I don't know how secure it is, though.
Re:Big Brother? (Score:2)
I am not sure whose side I am on on this one.... When we have attacks underway, and customers down, law enforcement is a good thing, and we want the cops to do everything possible.
However, some of the courts are "rubber stamp", and all it takes to undergo "due legal process" is asking permission.
The one thing that no one has mentioned yet is enforceability. At one point, AOL had >50Gb dedicated to tree.exe, some stupid xmas windows program, in their mail spool. Our backbone, up to OC-48 (~10 Gbit/sec) in some places, carries a TON of information. What can you use to sniff that? If you can sniff that, what do you do to log the packets that you sniff? And then what do you do to analyze them?
What scares me is the lack of understanding on the part of law enforcement. You don't tap the 'Net like you tap a phone line, and they just don't get that. "No, no, I don't want everything on the backbone, just the e-mail from this one user." Well, the backbone is fiber across the entire continent, and you want me to filter on layer 7 information?
What we have to watch out for is legislation like that which recently passed in Australia, forcing ISPs to comply with technologically impossible court orders.
Eric Brandwine
Crazy idea! (Score:1)
Becoming common practice (Score:2)
Smaller ISPs are all learning the hard way the courts always rule for investigators, so at this point most don't even bother asking for a warrant before allowing access. I've watched it happen at a couple of ISPs where I've done business, where the cops wanted either a straight wiretap off a router, or a copy of all email from the main server and backup tapes.
Its not that difficult to direct traffic from a logon session through a specific port on a router, and I had one ISP pay me two days wages just to do it once (without breaking their network like they did). They had the cops camped in their offices waiting to capture all the traffic from a suspect's sessions, thinking he was dealing drugs from his email account or over IRC. He wasn't, but it took them a few weeks to figure that out. At first, they expected to have an exact copy of his screen based on IP packets going across the network, by the end they were happy enough with a tcpdump file. The guy just played on the web a bit, never even hit any pr0n sites.
So this doesn't surprise me at all. I'm surprised anyone is shocked by the revelation, tho.
the AC
Re:Why am I not surprised ? (Score:1)
Re:Please be realistic... (Score:1)
Re:Road Runner - for the record (Score:1)
As for the company minding, they don't at all. They make sure the NIC they give out works under Linux and they didn't care that I had a three box network when they installed it, in fact, the guy was impressed that I had print/file/intranet database server on it. He was also impressed with Linux itself.
The coolest thing was when I ordered it the second time (I moved) I told the guy I used Linux and was capable of setting it up myself and he gave a NIC right there so I could have it already set up before the installer came around.
Now if only they'd relax the packet filters on the routers and "officially allow" IPMasq (though the rules state that stuff in a Windows context...). I knew a guy who decided to try WinGate to connect multiple computers and immediately received an email asking him to stop. Nobody I know using Linux has gotten such an email (including myself).
Re:Crazy idea! (Score:1)
Re:The real issue is evidence (Score:1)
Practically however, extradition would not happen. If every virus author were extraditied to US courts to be senteced without a trial, it would not only clog the prison system, but the US would appear to be on a witch hunt, marring our appearance even further in international politics. Plus, Chernobyl isn't new anymore, it's not viewed as an issue by the masses. They just pay attention to what they are told by mass media, which went crazy with Melissa and makes a slight mention of Chernobyl on maybe a monthly basis. (around the 26th, of course.)
This isn't justice. It's a game of saving face. make it look like you're coming down hard on the bad guy, even if he's not all that bad.
Re:The real issue is evidence (Score:1)
Actually, it is possible to prove such a thing if one:
a) keeps a hardcopy of the logs as they're generated, or,
b) uses a very strong hashing algorithm like MD5 on the saved log files.
Can't say whether or not AOL does either of these things, but it certainly is technically possible.
Re:Please check your facts before you open your mo (Score:1)
Just pointing out that you didn't really refute anything.
phil
And backups! (Score:1)
Of course AOL or any ISP has to comply with search warrents and subpoenae. But they can't produce what they never had, or had deleted. An usually they can't be faulted if it was a reasonable course of business. (Beware the
Of course, if you leave stuff on their mailspool, that's your fault. But if they keep their IP/mail-logs forever, beware traffic analysis.
-- Robert
Re:The real issue is evidence (Score:1)
I think he meant that it was harmless since it had to be executed by an Office app before it could do damage. If Microsoft Office didn't have such a moronic setup, it wouldn't have been able to do any damage. They default it to run macros automatically? That seems extremely stupid. If the user doesn't know enough to be able to turn them on or off or use some other setting, then he probably has no business running macros in the first place. He'll just get into trouble, as the whole Melissa episode proved.
Defaulting to run macros automatically, just because it makes it easier for a user to run things without knowing what they do sounds like poor reasoning to me. It's kind of like putting a sensor above your front door to automatically open it whenever someone walks up to it. If people value their machines and data, you'd think that they might want to learn a thing or two about how to keep them safe.
Most people really don't have a clue about what their computer does. It's hard to be sympathetic when we've had to deal with a new virus popping up every couple months for years and people still don't think to do anything to prevent things like this from happening. Are any of these people complaining to Microsoft about it's incredibly poor security? Nope. They will just continue to whine about the nasty hackers who crash their computers. It was a freaking macro virus that any 12 year old could write that simply exploited an idiotic flaw in Microsoft's software! If we don't take steps to at least create minimal security for our computers, then we have nobody to blame but ourselves.
Re:Crazy idea! (Score:1)
Just because you do not take an interest in politics doesn't mean politics will not take an interest in you -- Pericles (430 BC)
Re:Road Runner - for the record (Score:1)
Re:GNU B-Day (Score:1)
Re:The real issue is evidence (Score:1)
As long as the hash itself is protected. To be secure, the hash should be printed to hardcopy (or at least widely distributed) as soon as it is created, rather than being kept on the same system, where it can be replaced along with the file.
Re:Let's create free AOL-like services... (Score:1)
Actually, I agree, but ... (Score:2)
... you see, that wasn't the focus of the article.
I did read the Raytheon part. And I certainly don't like the implications of that.
However, is that where the article was focused? No, it is not. The article was focused on murder threats and kiddieporn on the one hand, and "loss of privacy" on the other hand.
That's what JoeAOL-UsingReader is going to come away with. And that's why I've got a problem with the article. Had it been focused on the Raytheon incident, that would have been another matter. THAT is actually worth focusing on.
Perhaps a compromise solution would be to disallow accessing ISP records for a civil suit?
*shrug*
Re:No need for /. people to worry, but... (Score:1)
so widely used. First is because it's simple.
How does extraneous crap like 42 million pop up
ads and an equal number of splash screens
before you get where you are going == simplicity? Try
A) preloaded on new PC's
B) marketing machine
I do admit the _setup_ process could possibly be construed as being simple, but without a and b....
Re:Question (Score:1)
Here in Rohester, they're even going as far as matching the serial number off the cable modem to your ID. I tried using my login over at a friend's house, who also has RR but is on a different subnet, and it would not authenticate.
I think it might be as a preventative measure against crackers, too. Since it's DHCP, and not everyone uses the NIC they installed for you, they have no idea who's getting what IP addresses unless you have to log in. I doubt they even keep track of the MAC addresses of the NIC's they hand out anyway, for just that reason.
Re:How bout filter words? (Score:1)
There's definitely no 'bad word' filtering in mail.
Re:Actually, I agree, but ... (Score:1)
That's kinda why I focused on it--I get scared when the whole issue gets dumbed down to the point of "Civil libertarians are complaining that AOL helped the police catch a child molester." With that kind of lead-in, nobody notices the significance of the aside: companies and individuals are routinely abusing the system.
And to boot, less critical readers get the thought-concept "civil libertarian" mapped over to "pro-child-molestation." But that's a rant for another time.
It is possible to attempt to fight a subpoena, if you are willing to spend the money on lawyers. However, not only is it perfectly legal for AOL to turn over subpoenaed documents, it's a whole hell of a lot cheaper.
--
Re:The real issue is evidence (Score:1)
Dumbing Down the Issue (Score:2)
Trust me, I was fully aware of the focus of the article. However, the underlying problem here is that until the sensationalized faction war goes away, the REAL problems aren't going to be covered, or will, at best, be buried in articles about Intrusive Government vs. Child Molesters.
If this makes any sense, the real issue here is that the real issues are not being focused on.
:)
/. who uses AOL (Score:1)
Re:search warrants vs. subpoenas (Score:1)
Now that I know where you live, I can drop the bogus lawsuit and cheerfully proceed with the asskicking I've decided you deserve.
In this case, surely you get slapped with a suit for launching a frivoulous suit that you never intended to persue?
- Aidan
Smart Criminal, Dumb User (Score:1)
If a crime has been committed, the police obtain a warrant to search a suspect's home, and they find a "to do" list containing such items as, steal hand gun, purchase bullets, and kill John Brown, then I think that we would all agree that this is fair and relevant evidence for the police to look for. The criminal/suspect was well with in his rights to jot down the incriminating evidence, he was just stupid to do so. Likewise, anyone who places incriminating evidence on their computer2 or the internet without any thought as to if some authority might check it, is stupid.
As for infringing on our rights of privacy, as a sys admin, I have a reasonable idea (and I think most educated users do as well) of what anybody who tries and read/trace, what takes some serious work to find out, and what is nearly impossible to crack. It is simple prudence to keep information that is truly confidential and private in this last category. I would be more worried about some private individual trying to blackmail or steal private information, than the lumbering law enforcement agencies.
This isn't good at all. (Score:2)
AOL employees as a whole don't stand out with their intelligence. I personally know of a few cases where accounts were compromised by just calling AOL tech support and telling them the password was forgotten. Although they're _supposed_ to ask you for full account information including the last 4 digits of the credit card number, some were happy with just some basic information like the name of the account holder and the address.
What I'm trying to say is that the information could be given out accidentally, against AOL's policies (although the press release doesn't seem to confirm this - that's what they were saying some time ago). When someone calls in and claims to be the Police or the FBI, a person's first reaction is probably to try to cooperate. Of course, if the information was disclosed after a court order, they really should have done that.
I think some of us may still remember the story about the homosexual marine who revealed his sexual orientation in his AOL profile. The Marine Corps (or whoever) called AOL, and they happily gave out his information without even confirming that they were indeed who they claimed to be. He was "honorably" discharged only because the media caught the story.
---
Re:Let's create free AOL-like services... (Score:1)
---
Re:Please be realistic... (Score:2)
This has been demonstrated in meny cases. You can read about the most famous one is when a man was discharged from the marines because AOL revealed his account information (without even confirmation that the people who were requesting the information were indeed the Marines). He listed his marital status as "gay" in his AOL profile.
---
Re:Let's create free AOL-like services... (Score:2)
a) What is AOL's policy? I would think that the subscribers have to abide by some form of agreement stating what rights they can expect, and what conduct (on either part) is acceptable. If it specifically names illegal conduct as unacceptable -- as such an agreement probably would -- then AOL might be free to tip off the authorities, legally. I'm not sure that they could on their own, unless they monitor all involved mail, however.
b) If somebody states to another person, in uncertain terms, a *credible* intent to murder -- and it actually happens, then might not coming forward with said evidence constitute accessory?
c) Using an AOL handle might be considered more of a "vanity plate" deal instead of guaranteed anonymity. We drive partly anonymously, in the sense that our automobiles are generally not prominently labelled with our names; however, police may note a plate and get the state DMV to cough up our names. This might be a fair comparison, from AOL's POV.
Re:The real issue is evidence (Score:1)
That, plus it *did* hamper mail servers.
Ideally, MS would tone down their macro language capabilities or provide a security model where one could run them in a sandbox-like environment, but eh.
Re:And this is different from any other ISP how? (Score:1)
Re:Crazy idea! (Score:1)
And, presumably, you are fully acquainted with the entire US Code, and the laws for your state and municipality? And, you read "Congressional Quarterly" and so forth to *stay* up-to-date? Or do you merely *think* you have not violated any laws?
If you *can* honestly say you do, then congratulations. You're probably a lawyer who's well off and can afford not to be constantly trying cases. Otherwise, your statement seems a tad disingenuous, particularly in light of Gov'ts that tend to inexorably restrict legally permissible behavior.
First hand knowledge (Score:2)
The cop and I went to school together, we still keep in touch. This info is from last Christmas time. Do you think AOL has completely cleaned up their act since last winter?
Investigators from many jurisdictions hit up AOL for information all the time, there was even a story about someone being sued in TX because the message went through VA. AOL honors search warrants from any american court, they have to, its the law. They have also cooperated with scotland yard in england, in the big cross-atlantic child pr0n case a couple years ago.
And AOL has so many cops or DAs coming in with court orders, they don't even check them any more, or supervise what they collect. Many courts require chain-of-possession by an officer of their court, so the cop head into the crime scene (AOL headquarters), records the evidence, and then hand carries the evidence back to a court approved storage site. When the evidence is presented in court, there is a list of every person who handled it from collection point to the courtroom.
So the cops grab whatever they can while they have free reign on the system, even for cases they don't have a warrant for. Just because it cant be used as evidence in court doesnt mean they cant 'accidently' see some information which leads them to discover other evidence in a legal manner. A fairly common tactic by overworked cops. Only a serious investigation by a defense attorney can dig up the illegal origin of the evidence, and the cops are counting on major incompetence in most cases.
[And yes, the brits are bastards sometimes, but its the IRS (internal, not inland) that thinks it can tax people all over the world. Grrrr.]
Re:This is stupid. (Score:1)
- tap your phone line
- intercept your e-mail
- get your financial records
- interrogate your employerput you under direct surveillance, etc
for those of you who are complaining about AOL's disclosure policy:If you're really worried about privacy, then those are things you probably ought to addres first. AOL has far less information about you than
I think it makes sense for AOL to comply with the law. If you have a problem with the info that they're providing _legally_ to law enforcement, take issue with the laws, not with AOL.
-earl
Talk is worthless.. Got any URLs? (Score:1)
Use Encryption! (Score:1)
Re:And this is different from any other ISP how? (Score:2)
If they are no different, why do they keep user email on record for extended periods of time. Two days for email that has already been downloaded, and a month for email that has not. This is not a necessary action, and serves only to place them in a position to turn the email and other data over to third parties.
There is certainly nothing wrong with complying with court orders, but AOL should make the effort to take itself out of the path of justice (whether its right or wrong), by not archiving data, and instead simply provide its users with internet access.
Instead they have deliberatley placed themselves in the position to help law enforcement for dubious reasons (moral high ground, "family" ISP, big brother) whatever, it doesen't matter. They should simply provide access, no more.
Re:search warrants vs. subpoenas (Score:1)
I'll forfeit my filing fee, which will pay the gov't for its troubles, but even that may be tax-deductible.
I wonder how many programmers would make good lawyers (and vice-versa)? It seems like both professions require one to navigate pedantic and complex rulesets to arrive at a stated goal...
--
Re:Dumbing Down the Issue (Score:1)
I'd love to audit an "ethics in journalism" class, just to see what's being taught and ignored.
--
Re:No need for /. people to worry, but... (Score:1)
The real issue is evidence (Score:4)
Case in point. Do you remember the Melissa virus? It was traced back to a usenet posting made by an AOL user.
"Who was online at the time?" asked the feds.
"Um... Our logs say it was that guy" said AOL.
And as you probably saw on TV, he was dragged from his house. How hard would it have been to change a log file? It's just 1's and 0's. Is AOL asked to prove that the logs were not tampered with? Of course not. It's impossible to prove such a thing.
And if tampering is not suspected, what about simple errors. Flip one bit and your SSN becomes someone else's SSN. Anyone seen the movie Brazil? A computer glitch causes the wrong person's name to be printed on a warrant for arrest. Do you really believe such errors don't actually occur?
Finally, it scares me how quickly law enforcement agencies jump on people when there is a media frenzy in the air. It's like they smell blood. The local governor showed up when they arrested the alleged author of Melissa. He was pronounced guilty without any real evidence.
So, to restate my point, the real problem is not that AOL or any ISP cooperates with law enforcement agencies. The real concern here should be that 1's and 0's are treated like physical evidence by a public so ignorant of technology they actually believe that if they see it on their screen, if it's written in a file, it must be true.
"I do not fear computers. I fear the lack of them." - Issac Asimov
Not just ISPs, either (Score:2)
I am a regular on a telnet-to Citadel-based BBS called ISCABBS.
I know there have been a few HUGE flamewars related to "release of confidential information" to either a minor user's parents, UIowa campus officials (UI is where this thing is based), and/or outside law enforcement agencies. If I remember right, the most recent case allegedly had to do with a child molester (thereby polarizing everyone even more than if, say, it was some guy confessing to the net-at-large that he uses marijuana). Certain fora have also been killed due to possible conflicts with established law.
However, there IS a policy stating that confidential information would not be released for someone making a suicide threat. (I guess we had too many boys and girls crying wolf on THAT subject.)
I'm just very glad this never came up back when I used to sysop on The Far Side (another, much smaller, telnet CitadelBBS that is now defunct, unfortunately). Then again, considering that I was one of two American 'ops on an Australian BBS