Malicious Compliance and Subpoenas

One of the dirty facts about technology is that it will always be used to abuse people.

Those wonderful field telephones? Yeah, they work just fine as a torture device.

The first photographs were interesting, but photography really took off when they started taking “pornographic” images.

The story is that the first really popular recordings were of women “talking dirty” or making “those sounds”.

The Internet is not really different, and neither were all the other methods used for transmitting data from computer to computer before it. As soon as the techies were able to actually visualize the data, they used it to send pornographic texts and images.

Unfortunately, one of the nasty types of filthy is child pornography. It exists on the Internet, and the good guys have been working to shut it down from day one.

I once owned an Internet Service Provider. A dial-up service. You would tell your computer to connect to the internet. It would call a modem at my service, and we would give you a temporary IP address for the duration of your call. Shortly after you disconnected, somebody else would dial in and get the same IP address.

When you connect to a remote computer over the internet, your computer has a unique, at that moment, IP address. That is how the remote computer knows where to send the responses.

When using certain security tools, you connect to a node. Your computer is now known to have connected to that particular node. That node then encrypts your incoming messages and sends them to another node in the secure network. At some point, your packet pops out of the secure network and goes to its final destination.

The remote computer then sends its response back to the secure network, which relays it to your node. The remote computer never learns your IP address.

VPNs work similarly, but have other issues. The biggest of which is that there is a one-to-one mapping from your computer’s IP address to the address you are assigned while using the VPN. That mapping can be captured in logs.

How does this all relate to Subpoenas?

We got a couple from law-enforcement for records.

We did keep logs. I’m good at keeping logs. I use them to figure out who is doing things on my equipment and how that relates to overall services.

One of the cases was from Customs. The first thing it said was that we could not tell the target that we were going to be providing data. They then asked for all of our logs for an extended time period.

We told them, “No. You will provide enough information for us to do a targeted data retrieval.”

They then told us, “We are tracking child pornography.” I was all for that. I finally got them to give us specific time periods.

They wanted all the data for those periods. That is, the mapping of IP addresses to people.

We did our own analysis of those time periods, identified the one commonality, extracted that data, and provided it to law enforcement.

We got back a “Thank You”. It made us feel good.

As a good service provider, I want to protect your data as much as possible. I do not allow law enforcement to go on fishing expeditions.
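The targeted retrieval described above, sketched as an added example (not the author's actual tooling): given the time windows named in an order, find the account present in every window and extract only that account's sessions. The log layout, account names, and addresses are constructed for illustration.

```python
from datetime import datetime

# Constructed dial-up session log: (account, assigned_ip, connect, disconnect).
# Pool addresses are reused by different accounts, so an IP alone is not a person.
SESSIONS = [
    ("alice", "192.0.2.10", "2001-03-01 19:50", "2001-03-01 20:40"),
    ("bob",   "192.0.2.11", "2001-03-01 20:10", "2001-03-01 21:00"),
    ("carol", "192.0.2.10", "2001-03-01 20:45", "2001-03-01 21:30"),
    ("bob",   "192.0.2.12", "2001-03-04 22:05", "2001-03-04 22:50"),
    ("dave",  "192.0.2.10", "2001-03-04 22:00", "2001-03-04 23:10"),
    ("alice", "192.0.2.11", "2001-03-05 09:00", "2001-03-05 09:30"),
    ("bob",   "192.0.2.10", "2001-03-09 01:15", "2001-03-09 02:00"),
    ("carol", "192.0.2.12", "2001-03-09 01:30", "2001-03-09 01:40"),
]
# Constructed time periods, standing in for the ones named in the order.
WINDOWS = [
    ("2001-03-01 20:00", "2001-03-01 21:00"),
    ("2001-03-04 22:00", "2001-03-04 23:00"),
    ("2001-03-09 01:00", "2001-03-09 02:00"),
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def overlaps(session, window):
    """True if the session was connected at any point inside the window."""
    return ts(session[2]) < ts(window[1]) and ts(session[3]) > ts(window[0])

def window_dump(windows, sessions):
    """What 'all the data for those periods' would hand over."""
    return [s for s in sessions if any(overlaps(s, w) for w in windows)]

def common_accounts(windows, sessions):
    """Accounts online during every window; ideally exactly one."""
    per_window = [{s[0] for s in sessions if overlaps(s, w)} for w in windows]
    return set.intersection(*per_window) if per_window else set()

def scoped_extract(windows, sessions):
    """Only the in-window sessions of the common account(s)."""
    keep = common_accounts(windows, sessions)
    return [s for s in window_dump(windows, sessions) if s[0] in keep]

if __name__ == "__main__":
    full, scoped = window_dump(WINDOWS, SESSIONS), scoped_extract(WINDOWS, SESSIONS)
    print(f"window dump: {len(full)} sessions, {len({s[0] for s in full})} accounts")
    print(f"scoped: {len(scoped)} sessions, accounts {common_accounts(WINDOWS, SESSIONS)}")
```

If the intersection comes back empty or with several accounts, the windows are too loose to single anyone out, and narrower time periods are needed before anything is extracted.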

We also got a subpoena from the FBI. Again, they wanted all the records for an extended period. We contacted them and got nowhere. Our lawyers told us, “Give them what they asked for or go to jail.”

So we did. They had told us to “fax the logs” to them and gave us a toll-free fax number.

We pulled the data they were requesting. We randomized the order, so it was no longer in sequential order. This was then turned into PDFs. We applied a noise pattern to the PDFs, randomly flipped pages upside down, then hit the send button.

One of our modems called their fax and started talking FAX at it. Our software then proceeded to attempt to send 11,000+ pages of logs.

We got disconnected after about 200 pages. I reached out to the people at the FBI that were requesting the information and asked them what they wanted to do. They refused to answer.

So we told our computer to resend if it failed.

Five days later, they told us they no longer needed our logs.

In both cases, we went out of our way to:

  1. Make sure that the “request” we got from law enforcement was legit.
  2. Make sure that the “request” was actually an order.
  3. Make sure that the order legally required us to comply.
  4. Make sure that the order was as limited in scope as it could be.
  5. Do our utmost to protect our clients.

Liberty Safes done fucked up. They should have waited for a subpoena. Having gotten that subpoena, they should have responded and kept their mouths shut.

None of my safes or lock boxes have original combinations. For mechanical locks, this is good enough. The mechanical locks don’t have magic bypasses. You can observe that yourself.

For keyed lock boxes, the locks have been replaced. The circular keys are fairly standard. I went to a locksmith in a different county and purchased replacement locks with cash.

That wasn’t paranoia. That was stupid on my part. I had lost the keys to my big lock boxes in a move and needed to get into them. I drilled the lock out, then was able to open them. Since I destroyed the lock, I needed to replace them. Oh, the boxes were empty because we were moving them.

The locksmith I contacted was working out of a work truck that was close to me that day. He didn’t take credit cards, so I paid in cash.

I refuse to get biometric locks or locks with electronic keypads. If they have biometric locks, then the courts can forcibly unlock them with you. Did you lock your phone with facial recognition? No problem, two burly cops hold you up, and they point your phone at you and “bing” it unlocks.

Did you use a fingerprint to lock your phone? Same thing, they just have to run your finger over the reader and they are in.

If it is electronic, then I have reliability concerns. And it suggests that there can be multiple allowed combinations. Many of the electronic pads come from the factory with an option for you to have multiple codes to unlock.

Now, this is a bit different from the high-end electronic locks. I’ve seen one where you spin the dial to generate enough electricity for you to then rotate the dial to enter the combination. The location of the numbers on the dial changes after each charge spin. Each time you enter a combination, it discharges.

This means that the owner can attempt to unlock it as many times as they need/want. The bad guy can’t use mechanical assistance.


Comments

3 responses to “Malicious Compliance and Subpoenas”

  1. Bad Dancer

    There are few things as wonderful or joy inducing as artfully enacted malicious compliance.

    Aye on the biometric locks. I remember Steve Lehto doing a video some years back about police using a man’s handcuffed thumb to unlock his phone when he refused to give an officer access.

  2. pkoning

    Some years ago there was an article in a technical magazine describing how a fingerprint lock (I think it was on a smartphone) could be activated by a picture of the fingerprint, when printed with a suitable type of ink (conductive ink I suspect). Given how big a fingerprint database the feds have, that’s a good reason to stay away from that flavor of biometric lock.

  3. Awa, excellent information, thanks, I have never trusted biometric-electronic locks, and only use the best mechanical locks for anything needing to be secured. I have gone to great lengths to create safety for my valuables.