June 22, 2011

THEY TOLD ME IF I VOTED FOR JOHN MCCAIN, FBI AGENTS WOULD BE SEIZING WEB-SERVERS WHOLESALE: And they were right! “A government official who declined to be named said earlier in the day that the F.B.I. was actively investigating the Lulz Security group and any affiliated hackers. The official said the F.B.I. had teamed up with other agencies in this effort, including the Central Intelligence Agency and cybercrime bureaus in Europe. . . . DigitalOne provided all necessary information to pinpoint the servers for a specific I.P. address, Mr. Ostroumow said. However, the agents took entire server racks, perhaps because they mistakenly thought that ‘one enclosure is = to one server,’ he said in an e-mail.”

UPDATE: Reader Rob Cooper emails:

There could be a fairly technical explanation for taking the whole rack and we could see more of this in the future (something similar happened to Google in an unrelated incident).

In dense server environments, best practices for CPU/processor utilization dictate virtualization on the server environment. In layman’s terms, multiple virtual servers are created inside a physical server. In a cluster of physical servers in a single rack or across several racks, the virtual servers can move around from physical server to physical server to keep the load balanced and maximize CPU efficiencies. As such, it can be difficult to pin down the exact physical piece of hardware that a piece of evidence has “touched”. The only solution is to remove all the servers in the cluster.

Server virtualization has very widespread adoption, so in most environments it is very likely that the administrators were using it.

Note my signature: we have dedicated practices to support virtualization as well as hosting clients’ data infrastructure. In our cloud (hosted) offerings, we make it a point to keep our clients’ data virtualized on their own isolated server clusters, with no shared CPU/processors, as a selling point (though not specifically for Fed seizures :)). In the event of something like an evidence subpoena, only the violating cluster would be taken.

Hmm. That’s not consistent with what the story says about server-specific information, but that could be an error, I suppose.
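The disagreement above comes down to whether the host had placement records for the virtual machine in question. The following is an added example, not code from the post, from DigitalOne, or from the reader quoted: it takes a constructed set of hypervisor placement/migration events (the VM and host names, timestamps and cluster membership are all invented for illustration) and computes which physical hosts a given VM ran on during an evidence window. With records, the scope narrows to a few machines; without them, the only defensible answer is the whole cluster, which is the reader's point.

```python
"""Scope physical hosts for evidence collection from VM placement records.

Added example. The log format, host names and VM IDs below are constructed
for illustration and do not correspond to any real hypervisor's log output.
"""
from datetime import datetime

# Constructed sample: one line per placement event, oldest first or not.
# Fields: timestamp  vm_id  event  host   (event is "start" or "migrate")
SAMPLE_RECORDS = """\
2011-06-01T00:00:00 vm-17 start   host-a
2011-06-05T13:20:00 vm-17 migrate host-c
2011-06-09T02:10:00 vm-17 migrate host-a
2011-06-14T18:45:00 vm-17 migrate host-d
2011-06-01T00:00:00 vm-22 start   host-b
2011-06-10T08:00:00 vm-22 migrate host-e
"""

# Constructed cluster membership; host-f never hosted either VM.
SAMPLE_CLUSTER = {"host-a", "host-b", "host-c", "host-d", "host-e", "host-f"}


def _ts(value):
    """Parse an ISO-8601 timestamp (naive, no timezone)."""
    return datetime.fromisoformat(value)


def parse_records(text):
    """Return placement events as (datetime, vm_id, event, host), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vm_id, event, host = line.split()
        events.append((_ts(ts), vm_id, event, host))
    events.sort()
    return events


def hosts_touched(events, vm_id, window_start, window_end):
    """Hosts on which vm_id was resident at any point in [window_start, window_end].

    A VM is assumed to stay on a host from one placement event until its next
    placement event; the last placement is open-ended.
    """
    start, end = _ts(window_start), _ts(window_end)
    placements = [(ts, host) for ts, vm, _, host in events if vm == vm_id]
    touched = set()
    for i, (ts, host) in enumerate(placements):
        next_ts = placements[i + 1][0] if i + 1 < len(placements) else datetime.max
        # Residency interval [ts, next_ts) overlaps the window iff
        # it begins no later than the window ends and ends after the window starts.
        if ts <= end and next_ts > start:
            touched.add(host)
    return touched


def seizure_scope(records_text, vm_id, window_start, window_end, cluster):
    """Minimal host set to image for vm_id, or the whole cluster if no records exist."""
    if not records_text or not records_text.strip():
        # No placement history: the VM could have been on any host in the cluster.
        return set(cluster)
    events = parse_records(records_text)
    return hosts_touched(events, vm_id, window_start, window_end)


if __name__ == "__main__":
    window = ("2011-06-08T00:00:00", "2011-06-12T00:00:00")
    scoped = seizure_scope(SAMPLE_RECORDS, "vm-17", *window, SAMPLE_CLUSTER)
    print("with records, vm-17 touched:", sorted(scoped))
    print("untouched and not needed:", sorted(SAMPLE_CLUSTER - scoped))
    print("without records:", sorted(seizure_scope("", "vm-17", *window, SAMPLE_CLUSTER)))
```

The overlap test treats the host a VM left just before the window as out of scope, and the host it arrived at just before the window as in scope, which is the behaviour you want when the evidence window is bounded by the incident dates. Shared storage behind the cluster is a separate question that placement records say nothing about.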