Understanding RULE 41 - The Practicalities

[Kepler_452b 77]

I would like to start this thread to try to understand the practical implications of Rule 41 for vpn users and service providers.

 

- As I understand it, Rule 41  requires two things:

   1) anything that could be considered criminal activity (something as simple as sharing a copyrighted photo, or anything that exceeds the vague boundaries of Fair Use), and 

   2) using any vpn technology (TOR, Openvpn, Airvpn, etc.) while doing so.

 

- if the FBI or other three letter organizations (TLOs) believes such activity is happening they can obtain a simple blanket court order to install spyware on a suspect's computer or phone to record the activity and reveal the user's identity (and who knows what else). This applies not just to US citizens but to anyone worldwide (stunningly draconian overreach). It's not clear to me how broad this blanket can be, or whether the TLO needs probable cause.

 

This brings up so many questions it's hard to know where to begin:

 

- What technical options do TLOs have for installing spyware? How easy is it for them to do this?

- How can vpn users protect themselves from having spyware installed on their computers?

- How will this affect Airvpn's service?

- Will it be more risky to use US located servers?

 

I hope people who respond to this thread will differentiate between speculation (which can be useful)  and established fact so that we can arrive at a clear understanding of how Rule 41 will affect vpn users and service providers.

 

Also I think it would be very helpful if Airvpn staff either contribute here, or put out a statement that answers questions around Rule 41 and provides specific help.

 

P.S. Links to succinct factual sources would be especially helpful.

[Staff 9762]

- if the FBI or other three letter organizations (TLOs) believes such activity is happening they can obtain a simple blanket court order to install spyware on a suspect's computer or phone to record the activity and reveal the user's identity (and who knows what else). This applies not just to US citizens but to anyone worldwide (stunningly draconian overreach). It's not clear to me how broad this blanket can be, or whether the TLO needs probable cause.

 

Hello!

 

Let's go from theory to practice, to see how applicable and not applicable is this law.

 

So let's assume that an activity of a Netherlands server is allegedly infringing US laws. How do the investigators determine the identity of the computer who committed the alleged crime, to install spyware on it?

 

They don't know anything about this user, just that he/she is somewhere on Earth. They could try to get a court order to install spyware on that server, or they could try to find out the computer of the owner of the datacenter or of the Air owner to install a spyware on them.

 

Very hard, if not impossible, to obtain a court order authorizing that, but anyway even if they did, and even if they could successfully manage to infect the computer of the dc owner, the VPN server and the computer of Air owner, how could that help the investigation? How could that retrieve any information usable in a court for the original case?

 

Kind regards

[Kepler_452b 77]

Thank you for responding staff. Rule 41 has created a lot of FUD around using vpn. It may be that though the FBI, for example. now has the legal right to hack devices which use vpn, that they only have limited capability to do that. Yet they claim to have done that in a case involving a child porn site. The fact that they now have blanket legal authorization to hack vpn users is distressing. I know that I feel less secure now using vpn because Rule 41 specifically targets vpn users, I just don't know what level of insecurity is justified. So I think there are at least two questions that need to be answered as well as possible.

 

Q1) what are their real capabilities to identify and hack vpn users?

Q2) to what extent will they try to enforce or crack down on vpn users.

 

People can speculate about Q2, but probably it will be months or years before the answer becomes clear.

 

It would be really helpful if people in the hacktivist community could try to answer Q1.

 

I feel a lot of confusion now about this issue and I'm imagine others do to. So I'm hoping people with some deeper technical savvy can provide some detail and perspective on the safety of using vpn.

 

It would seem that if a TLO could hack a vpn server, they could identify the content a vpn user's traffic. So it would seem that vpn providers like Air will have to be more vigilant about identifying potential attack vectors and actual hacks on their servers, and preventing such hacks.

 

 

 

NB: its clear that a coordinated crack down is being engineered against file sharing. Its not clear that the engineers will ultimately be successful in stopping file sharing. But the ability to easily hack vpn users (if that exists now or soon) would make it much easier to eliminate file sharing. 

[OmniNegro 155]

Hacking a non-Windows system is not so simple unless you have direct physical access.

 

If anyone reading this uses Windows and does anything you do not want to be revealed by whatever these crazy groups are planning, move over to Linux or even better, Unix and you can largely disregard the threat unless you are dumb enough to run any old file that is sent to you via e-mail.

 

1. Hacking VPN users... The users are the weakness. OpenVPN is a very solid program designed to resist attacks. Strengthen yourself and your system and the threat ceases to exist for the most part.

2. How far does crazy go to "crack down" on people using VPNs? Look at paypal. (Intentionally uncapitalized.) They refuse to work with any VPN or users of a VPN. But in general, look to my answer to question one again.

 

I will not pretend that VPNs cannot be attacked, but almost all "successful" attacks only manage to bring the VPN server to an unworking state. They do not and cannot replace your OS or anything along those lines without either an exploit in your system already, or direct physical access.

 

So relax a bit. Harden your system if you want to reduce your risk. A little bit goes a long way.

[Kepler_452b 77]

Thanks for your response Omninegro.  But my discomfort is not relieved. The FBI delivered malware to over 1,000 computers which were accessing the "Playpen" site via TOR. Here is an EFF article about that:

 

"https://www.eff.org/deeplinks/2016/08/illegal-playpen-story-rule-41-and-global-hacking-warrants"

 

How did they manage to do that? Does anyone know the technical details on this event?

[Kepler_452b 77]

One of the advantages of posting and discussion is that it encourages investigation. So I found the answer to my question above. The FBI determined the ip address of the Playpen site because it was misconfigured. They then seized the servers in the US and fed malware to the clients by way of an exploit on the Firefox version used by the TOR Browser Bundle. More than 1000 computers were hacked and searched. That exploit has since been closed. Here's the EFF article on this from September:

 

"https://www.eff.org/deeplinks/2016/09/playpen-story-fbis-unprecedented-and-illegal-hacking-operation"

 

This is an excellent article which also links to related issues. Here's two short excerpts:

 

"But make no mistake: these cases are laying the foundation for the future expansion of law enforcement hacking in criminal investigations, and the precedent these cases create is likely to impact the digital privacy rights of Internet users for years to come. In a series of blog posts in the coming days and weeks, we'll explain what the legal issues are and why these cases matter to Internet users the world over."

 

"Some courts have upheld the FBI’s actions in dangerous decisions that, if ultimately upheld, threaten to undermine individuals’ constitutional privacy protections in personal computers."

 

Note that this article was published just before Rule 41 was amended to allow blanket hacking worldwide and warns of the consequences if the Rule 41 amendment passed.