Some of the things they're asking for are beyond absurd. How does someone work at the FBI and not realize that asking Google for a user's SS# or detailed browsing logs not realistic?
Often enough if someone is smart enough to even realize such things they wouldn't be working for the government. And if you deal with the government you start seeing this kind of stupidity quite often. I am sure you'll see in any large bureaucratic structure (private too) it is just the govt is the largest one of all.
IANAL, but I'm assuming Google doesn't have to hand over anything that's not explicitly listed in the warrant. If you're the FBI, you might as well ask for the world and see what you get back.
It's not about being realistic, it's about finding out what sort of information Google retains about its users. Low-profile cases are the best times to test these sorts of fishing expeditions because attention and resistance to teh subpoena will be low. (In contrast, in a high-profile case, the defendant is likely to vigorously oppose any such attempt.)
In other words: The FBI doesn't care if they actually get the information in this case; they want to know if they'll be able to get such information in future, more important cases.
It's a pattern lock, so it must not be using disk encryption (only available on Ice Cream Sandwich with either PIN or password). Is there some reason they can't just open it up and see what's on it?
Text messages are on internal storage, which becomes unmountable when the device is locked.
Depending on the phone, they should be able to get into recovery mode and connect via adb. However, if it has a locked bootloader, they're SOL, and my schaudenfreude is without limit :)
Sorry, I'm not sure I understand - can you explain more? How does the OS making it unmountable when it's locked stop the FBI from physically removing the internal storage and looking at its contents via another device? I can see how it might require specialized forensics equipment depending on how obscure/proprietary the internal storage hardware is, but that seems like something the FBI would have access to or be able to obtain...
I would imagine that busting a pimp isn't exactly high up there on the FBI's list of priorities, at least not high enough to desolder a NAND chip (possibly destroying evidence) and reverse-engineer its raw access protocol. Far simpler to just make Google give them the password.
The article states it's a Samsung phone, almost certainly a Galaxy S variant by market share. All Samsung phones I know honor a pre-bootloader protocol (accessible by a leaked tool named "Odin" or its reverse-engineered open source equivalent "Heimdall"). This can read out the contents of all partitions without ever running a Linux kernel. The mountable filesystems are all readable just fine on the host.
The FBI's forensics people are idiots, basically. They have what they want already, they never needed the PIN code.
Cost-benefit analysis: spend a few hours trying to translate a raw flash dump into a readable format (in addition to the normal forensic work of looking at the phone's drive's contents), or spend <1hr to see whether a pro forma subpoena makes all that work unneccessary?
This isn't a high-priority case, so the FBI will always go with the cheaper, quicker option.
Good grief: "mount -o loop raw_flash_dump /where/ever". I weep for the state of things that straightforward tasks like this seem "hard" not just to yahoos at the FBI but even to Javascript jockeys who frankly should know better.
Going to court harder than spending half an hour to dump the phone? Really?
"Face unlock was even weaker since anyone who had access to your photo could unlock it"
I thought that rumour was debunked by Google engineers within the first hour that it launched?
edit - The quote is "Responding to a Twitter message from someone who say Face Unlock could be hacked [with a picture of the person], Bray said, "Nope. Give us some credit.""
how would they make it photo proof ? I mean any guesses on the algorithm they use.. my dart in the dark would be that a photo would be absolutely still while a real person's face might twitch, shake, bat eyelids etc..
In the interest of adding context, a "Smudge Attack" paper was presented at USENIX 2010 (Aviv et al. 2010), linking it for those interested. I only read security papers as a layman but I did enjoy this one.
I'm okay with the method the FBI is pursuing. They clearly have a case (or enough of a case to take to court), they know exactly what data they need, and they have obtained a warrant for the information. I don't think wiretap laws should come into play on this unless they plan on intercepting communication beyond what is already stored on the phone. The case so far is exactly what the law intended and holds just as relevant today as it did in the 1700s.
Like drivebyacct2 mentioned, though, asking Google for the SSN of a user is kind of odd, and I really hope Google doesn't know that. It's possible the carrier might know, but Google shouldn't unless the suspect was receiving payment from AdWords or Google Checkout/Wallet (do they need SSN for tax reasons at that point?)
Here's my issue: Google could, in theory, provide them access to the device. But that's not what they're asking for. They're asking for usernames, passwords, SSN, etc. By all means, the FBI can submit a warrant to a lock manufacturer to open a lock. They can not, however, tell the lock manufacturer to give them the contents of whatever the lock is protecting. That's a separate warrant.
This is true, and you've just pointed out a big difference from old to new that I had forgotten about.
But what if the safe in the metaphor is owned by someone else and residing on their property, and contains multiple smaller safes inside? That's kind of like cloud-based apps that Android uses heavily. The Feds have enough reason to believe there is relevant information in email, text, and web searches to convince a court of this (difficulty level of convincing a court is debatable).
There also is generally a lot of shit the man pushes out with the knowledge they likely won't be given a response to, and they will accept that. It's a fishing expedition. It's not right, but it's common.
I just assumed that they had search warrants allow this form of discovery for years now. It is funny to thing that an investigator tried one time too many pattern attempts and accidentally erased the phone contents. I'm going to go on record as haha'ing the slip up.
> In it, the FBI asks for a warrant to be served on Google. It wants to know:
> The subscriber's name, address, Social Security number, account login and password
I would hope the FBI is bright enough to know that in all likelyhood Google stores their users passwords in hashed form. How would Google actually be able to comply with this request for the password?
What would happen if they can't comply (they can't)? Would this eventually lead to legislation that forces services to store passwords in plain text or reversible encryption (which is pretty much the same thing)?
Google can give you a new password if you forget yours. There is no technical barrier to giving the FBI access and clearly no requirement for plaintext passwords anywhere (setting aside how the request was expressed in the article as a request for a password).
That's assuming the device is associated with a Google account. It's not a requirement and losing the unlocking password/gesture may leave the phone completely unusable (except for 911 calls). Sadly, I speak from personal experience. I do not believe Google has a way of remotely associating a locked phone with a Google account to regain access.
You sure? I can't use my Android phone (Gingerbread) without a damn Google account - I have to use a throwaway one just to be able to use my smartphone...
They can even generate an application-specific password for the FBI, to be revoked after the time limit specified in the warrant is reached. (No idea if this is done or not, but in theory, there is no need to know the password in order to disclose one to the FBI. All they want to do is unlock the phone, but are too dumb to connect a USB cable and run adb.)
How does this violate the rules? He's already signed a waiver to his 4th amendment rights, so no court order is needed - he's essentially given them full control over his own property, including his phone (which I presume would include accessing the data via adb instead of the phone screen).
Because then the phone is no longer in the original state as when the defendant turned it over, and the FBI cannot prove it did not alter the contents of the phone (as images cannot be made while the phone is locked).
Physically unlocking the phone breaks the rules regarding forensic data retrieval as well, since the state of the phone has now been altered, how is the court to know that the FBI didn't plant the details.
This is why backup images are made first, which is not possible with phones when they are locked... the backup images are operated on when doing digital forensics, so that the result can be reproducible by a third party.
My initial thought was the same as the GP's then I read your statement. Then I thought about it for a moment.
I wonder. This is a subpoena, right? If so, it's not an order for Google to alter anything, just to give the FBI certain information that they have. It may very well be that Google cannot comply with the specific order as granted, but without the text of the order I can't be sure.
There is a difference between "Give us this user's password" and "Reset this user's password and provide the credentials to us."
The FBI apparently cares if they specifically asked for the users password. The article was specifically listing the users password amongst the items that were requested by the FBI, so my comment was about the password too.
Most of the other data they were requesting can easily be produced by Google - sure. I'm not denying that at all. I'm just saying that the (original, as set by the user in question) password is probably not retrievable and I'm also saying that the FBI should know that.
Ah I just figured something out. So some people here are calling FBI's stupidity for mucking with the phone, as in trying patterns that eventually locked the device. In other words if phones are known to lock they shouldn't just randomly try patterns on it.
But I believe the attempts were not random. They probably did what you suggested, inspects trace of the fingertip grease and discovered a much more constrained set of possible possible patterns.
So they basically got an un-directed graph and now they thought they could figure out the most likely directed path in the graph that would unlock the phone.
Somebody probably made an educated (but eventually bad) guess about what the unlock path would be.
Soghoian wonders about the legality of accessing a still-operational cell phone. ... But a US Magistrate Judge disagreed.
As a side note, I really dislike this style of reporting. I doubt the judge disagreed with Soghoian if Soghoian published his blog post after the judge published his opinion. The article makes it sound like a stupid judge made the wrong decision by not reading some expert opinion that was available to him. If the judge disagreed with anybody, it was defense counsel. But the article doesn't mention any objection by the defense. Perhaps, because as a lawyer, he is in a better position to know what's legal and what's not?
I noticed that too and agree entirely. There is absolutely nothing in the article that suggests this argument was actually made and rejected. At the end of the day, judges are people too and can't possibly have the entirety of all case law in their minds at all times. It is up to defense attorneys to research the case and bring up relevant arguments. I just can't see anything in the article that even suggests that the idea of a wiretap warrant being more appropriate was even discussed.
If he was still running his network of pimps I suppose that would count as racketeering. Either that, or the FBI was after someone else and got the goods on him as a bonus.
the implications at the end are really lame. "the phone may have received sms after the judge issued the order"
like that would be held in court for anything? let's thing analogically: would a mob king be freed if a judge authorized a safe with evidence to be opened on the 4th but it was only opened on the 7th, and new evidence was put into the safe by other agents on the 6th?
its still open, and works on my droid, but considering that there are so many handsets that are not updated, im sure this one would still work on most phones. I haven't looked through the code to pinpoint it.
The FBI Forensics Lab mis-entered the pattern lock too many times? The FBI uses the same tactic as my little brother to get into peoples phones? At a forensics lab? And the stuff they want from google kind of blows my mind. "The times and duration of every webpage visited"... As far is I can see that's completely undeliverable by anyone but possibly the carrier. Who do they have working down there?
This is also super interesting: "His parole conditions prevented him from doing anything to hide or lock digital files."
So if convicted of a crime they can require you to not use basic personal and identity safety measures.
Completely agree with you. How amateurish! Lock pattern is saved on the device, not in the cloud. I am not a hacker myself but FBI not having one that downloads entire OS out of it and either cracks the pattern or disable "wait X seconds to retry" and run a cracking app on it makes me wonder. Especially this is not some rocket science we talking about -- his lock pattern most likely is max 5 pins.
I cannot speak for the FBI as I know little about them. But I have worked closely its equivalent in my country (Brazil). And one notorious fact that I learned is that the technical expertise of these guys is way behind what the public expects of them. People expect federal police and government investigation to be up to date with the newest technologies and hacker practices. They picture hollywoodian CIA command centrals with magical hackers that can do anything they want by typing a few matrix-like code on a command shell.
But in reality, technical government agents have very little incentive to do their job well done. They just wanna get over it and go back home. As a result you have highly untrained personnel, who doesn't keep up with latest technology and will do the bare minimum to just not get fired. Their methods are always amateurish and easy to avoid if you're actually trying.
I'd imagine the US is a bit better than my country in this regard. But I'd doubt that by much. I'm still sure that their technical skills are light years behind what the public perception is.
Not even the network carrier should be able to tell the duration of a web page visit. Only the browser (or tracking javascript) could record this, but that's still dubious. I've had some browser tabs open on my phone for months... but that doesn't mean I've been constantly looking at them for months. I doubt Android keeps a big database of every page you visit and how long it takes you to close the page or navigate away. I guess Google Analytics might have some of that data, but only for sites that use GA.
> So if convicted of a crime they can require you to not use basic personal and identity safety measures.
Not really a new concept, it's fairly similar to banning a paedophile from going near schools, banning someone on parole from leaving the country (or state), or enforcing a curfew, etc. Similar in that it's restricting what would normally be anybody's right.
I know that is not a new concept, but it seems troubling because of its scope. It would be like saying "You may not shred credit card statements."
But more to the point, so man computers now expect password-protection. I don't see how this amounts to something other than a ban on general computing and for reasons that are not distinctly related to the offence.
You must have already have root but since they mentioned it's a Samsung phone then all you do is find a CWM/Rooted kernel tar and flash via Odin then do the steps below.
77 comments
[ 2.7 ms ] story [ 157 ms ] threadIn other words: The FBI doesn't care if they actually get the information in this case; they want to know if they'll be able to get such information in future, more important cases.
Depending on the phone, they should be able to get into recovery mode and connect via adb. However, if it has a locked bootloader, they're SOL, and my schaudenfreude is without limit :)
Surely anything they gather from the phone now will be useless in court?
The FBI's forensics people are idiots, basically. They have what they want already, they never needed the PIN code.
This isn't a high-priority case, so the FBI will always go with the cheaper, quicker option.
Going to court harder than spending half an hour to dump the phone? Really?
Face unlock was even weaker since anyone who had access to your photo could unlock it.
I thought that rumour was debunked by Google engineers within the first hour that it launched?
edit - The quote is "Responding to a Twitter message from someone who say Face Unlock could be hacked [with a picture of the person], Bray said, "Nope. Give us some credit.""
Paper link:
http://static.usenix.org/event/woot10/tech/full_papers/Aviv....
(http://paranoia.dubfire.net/2012/03/fbi-seeks-warrant-to-for...)
PDF of the application.
(http://www.archive.org/download/gov.uscourts.casd.378626/gov...)
Like drivebyacct2 mentioned, though, asking Google for the SSN of a user is kind of odd, and I really hope Google doesn't know that. It's possible the carrier might know, but Google shouldn't unless the suspect was receiving payment from AdWords or Google Checkout/Wallet (do they need SSN for tax reasons at that point?)
But what if the safe in the metaphor is owned by someone else and residing on their property, and contains multiple smaller safes inside? That's kind of like cloud-based apps that Android uses heavily. The Feds have enough reason to believe there is relevant information in email, text, and web searches to convince a court of this (difficulty level of convincing a court is debatable).
There also is generally a lot of shit the man pushes out with the knowledge they likely won't be given a response to, and they will accept that. It's a fishing expedition. It's not right, but it's common.
> In it, the FBI asks for a warrant to be served on Google. It wants to know:
> The subscriber's name, address, Social Security number, account login and password
I would hope the FBI is bright enough to know that in all likelyhood Google stores their users passwords in hashed form. How would Google actually be able to comply with this request for the password?
What would happen if they can't comply (they can't)? Would this eventually lead to legislation that forces services to store passwords in plain text or reversible encryption (which is pretty much the same thing)?
Or that would break the rules regarding forensic data retrieval, and make the information gleaned in that fashion inadmissible as evidence.
This is why backup images are made first, which is not possible with phones when they are locked... the backup images are operated on when doing digital forensics, so that the result can be reproducible by a third party.
I wonder. This is a subpoena, right? If so, it's not an order for Google to alter anything, just to give the FBI certain information that they have. It may very well be that Google cannot comply with the specific order as granted, but without the text of the order I can't be sure.
There is a difference between "Give us this user's password" and "Reset this user's password and provide the credentials to us."
Most of the other data they were requesting can easily be produced by Google - sure. I'm not denying that at all. I'm just saying that the (original, as set by the user in question) password is probably not retrievable and I'm also saying that the FBI should know that.
It may be the FBI intends to try the password elsewhere. Lots of people use the same password across multiple accounts of various different types.
Or maybe they intend to submit it as evidence if it's something like "masterpimp"
But I believe the attempts were not random. They probably did what you suggested, inspects trace of the fingertip grease and discovered a much more constrained set of possible possible patterns.
So they basically got an un-directed graph and now they thought they could figure out the most likely directed path in the graph that would unlock the phone.
Somebody probably made an educated (but eventually bad) guess about what the unlock path would be.
As a side note, I really dislike this style of reporting. I doubt the judge disagreed with Soghoian if Soghoian published his blog post after the judge published his opinion. The article makes it sound like a stupid judge made the wrong decision by not reading some expert opinion that was available to him. If the judge disagreed with anybody, it was defense counsel. But the article doesn't mention any objection by the defense. Perhaps, because as a lawyer, he is in a better position to know what's legal and what's not?
like that would be held in court for anything? let's thing analogically: would a mob king be freed if a judge authorized a safe with evidence to be opened on the 4th but it was only opened on the 7th, and new evidence was put into the safe by other agents on the 6th?
Do you know where in the source this is?
This is also super interesting: "His parole conditions prevented him from doing anything to hide or lock digital files."
So if convicted of a crime they can require you to not use basic personal and identity safety measures.
But in reality, technical government agents have very little incentive to do their job well done. They just wanna get over it and go back home. As a result you have highly untrained personnel, who doesn't keep up with latest technology and will do the bare minimum to just not get fired. Their methods are always amateurish and easy to avoid if you're actually trying.
I'd imagine the US is a bit better than my country in this regard. But I'd doubt that by much. I'm still sure that their technical skills are light years behind what the public perception is.
And thank God, or we would be even more deeply fucked.
Not really a new concept, it's fairly similar to banning a paedophile from going near schools, banning someone on parole from leaving the country (or state), or enforcing a curfew, etc. Similar in that it's restricting what would normally be anybody's right.
But more to the point, so man computers now expect password-protection. I don't see how this amounts to something other than a ban on general computing and for reasons that are not distinctly related to the offence.
You must have already have root but since they mentioned it's a Samsung phone then all you do is find a CWM/Rooted kernel tar and flash via Odin then do the steps below.
adb -d shell
sqlite3 data/data/com.android.providers.settings/databases/settings.db
sqlite> update system set value=0 where name='lock_pattern_autolock'; sqlite> .exit
exit
Reboot from there and the lockscreen is bypassed.
Remember kids, use this for good and not evil muahahhahaahhaah