[HN Gopher] PyPI Was Subpoenaed
___________________________________________________________________
PyPI Was Subpoenaed
Author : quercusa
Score : 661 points
Date : 2023-05-24 17:28 UTC (5 hours ago)
(HTM) web link (blog.pypi.org)
(TXT) w3m dump (blog.pypi.org)
| kjkjadksj wrote:
| I don't understand how the information requested is relevant at
| all for any purpose. Most users of pypi merely download through
| pip; they aren't registering anything. Furthermore, I would think
| a bad actor who would register would spoof their ip and use
| burner accounts anyhow.
| caturopath wrote:
| > Most users of pypi
|
| Presumably the 5 users in question were interesting in some
| way, not just random.
|
| > I would think a bad actor who would register would spoof
| their ip and use burner accounts anyhow
|
| Maybe, but they could find that out with the information. If
| there's a 10% chance each was sloppy or un-paranoid, there's a
| 40% chance they get at least one piece of real info.
|
| The person might not have thought they were doing anything
| wrong. Some judge might have greenlit this for a piracy case
| against the five maintainers of youtube_dl{c} or something
| silly.
| buildbot wrote:
| Correlating IP address use to something else happening at the
| same time? Like a malware author being incredibly dumb and
| using their home IP to upload PyPy packages, while IDK, using
| that same IP as a C&C server endpoint.
| shadowgovt wrote:
| They may not even need to have slipped up and direct-
| connected via their home IP. The FBI has sufficiently
| compromised subsets of Tor in the past to do correlative
| attacks on specific targets.
| scrum-treats wrote:
| It would be great to see this for VS Code extensions as well.
| aa_is_op wrote:
| By the number of malicious packages that site has hosted over the
| past few months, this was only a matter of time.
|
| I've lost track of the number of "white hats" that contact us
| with extortion requests after they used some dependency confusion
| attack.
| Mystery-Machine wrote:
| Why is it an extortion request and "white hats" if they have
| successfully found a security issue in your project and
| reported it to you, without actually exploiting it? Would you
| rather them not report it to you or even worse, exploit it?
| JadeNB wrote:
| > Why is it an extortion request and "white hats" if they
| have successfully found a security issue in your project and
| reported it to you, without actually exploiting it?
|
| Presumably because there is some demand for compensation
| before disclosure?
| dahwolf wrote:
| Pay me or I will harm you is extortion, as simple as that.
|
| There's an entire industry now of people that check known
| vulnerabilities (so they don't invent anything themselves) in
| software/packages and cross check this against outdated
| websites, at a very large scale.
|
| They have no morals or security ethics, they barely even have
| knowledge, they just want to make money with the least amount
| of effort possible.
|
| Don't ever pay them a cent. They're just as ruthless as
| spammers.
| autoexec wrote:
| If several groups of people who "barely even have
| knowledge" can profit from checking for well known
| vulnerabilities on websites and reporting them I say more
| power to them.
|
| If there is an entire industry of people doing low effort
| work which then discovers vulnerabilities on a company's
| website that company should pay them, and probably fire
| some people they've already been paying for not putting in
| even that much effort to secure their own stuff.
|
| Who is less ethical? The people reporting vulnerabilities
| and wanting to be paid for it or the companies who don't
| bother to invest in even basic security practices putting
| people's data at risk and allowing scammers and hackers to
| leverage those insecure systems to hurt others?
| dahwolf wrote:
| The word "companies" is doing a lot of work in your rant.
|
| The vast majority of websites on the internet do not have
| a team behind them. That's exactly the reason why they
| lack maintenance.
|
| So they're not intimidating well-funded companies,
| they're intimidating that nice guy that in 2003 built a
| website for the local bridge club. Volunteering his time
| and money to do so.
| cjsawyer wrote:
| Sounds like they're the ones who implemented the bad code in
| the first place, as a honeypot. That's just extortion with
| extra steps.
| passion__desire wrote:
| Why can't PyPI safeguard popular packages by making sure that
| new packages are few (4 or 5) edit-distance away to make sure
| popular ones don't get intermixed with malicious packages. Is
| that difficult to implement?
| rocqua wrote:
| pip-env, pipe, pipes, sip, siv, lipo, etc. are all within an
| edit distance of 4 from pip, and would all be blocked.
|
| Besides, 'dependency confusion' is not typo-squatting at all.
| It is about having a public package that masks the name of a
| private package repo. The default behavior of pip is to then
| use the public repo, which can let outsiders who know
| internal package names totally take over those internal
| packages.
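To put numbers on the edit-distance objection above, here is an added example (not code from the thread or from PyPI) that computes Levenshtein distance and applies the proposed "block anything within k edits of a popular name" rule to the names rocqua listed, next to a few constructed typo-style names for contrast. The popular-name list and the typo-style names are assumptions for illustration.

```python
"""Evaluate a 'block new names within k edits of a popular package' policy.

Added example for this discussion; the candidate names are the ones listed
in the thread plus a few constructed look-alikes, not real PyPI data.
"""
from typing import Dict, Iterable, List, Tuple


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character inserts, deletes and
    substitutions that turn `a` into `b` (classic two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + cost))  # substitute ca -> cb
        prev = cur
    return prev[-1]


def nearest_popular(name: str, popular: Iterable[str]) -> Tuple[str, int]:
    """Return (closest popular name, its distance) for a candidate name."""
    best = min(popular, key=lambda p: levenshtein(name, p))
    return best, levenshtein(name, best)


def blocked_by_policy(candidates: Iterable[str], popular: Iterable[str],
                      max_distance: int) -> Dict[str, Tuple[str, int]]:
    """Apply the proposed rule: reject any candidate whose distance to some
    popular name is <= max_distance. Returns {candidate: (popular, dist)}."""
    popular = list(popular)
    out: Dict[str, Tuple[str, int]] = {}
    for name in candidates:
        p, d = nearest_popular(name, popular)
        if d <= max_distance:
            out[name] = (p, d)
    return out


# Assumed "popular" names for the demonstration.
POPULAR: List[str] = ["pip", "requests", "numpy"]

# Legitimate-looking names from the thread that a k=4 rule would reject.
LEGIT_FROM_THREAD: List[str] = ["pip-env", "pipe", "pipes", "sip", "siv", "lipo"]

# Constructed typo-style names (illustrative, not real packages).
TYPO_STYLE: List[str] = ["requets", "nunpy", "pipp"]


def false_positive_rate(max_distance: int) -> float:
    """Fraction of the thread's legitimate names the policy would block."""
    blocked = blocked_by_policy(LEGIT_FROM_THREAD, POPULAR, max_distance)
    return len(blocked) / len(LEGIT_FROM_THREAD)


if __name__ == "__main__":
    for k in (1, 2, 4):
        print(f"k={k}: legit names blocked:",
              sorted(blocked_by_policy(LEGIT_FROM_THREAD, POPULAR, k)))
        print(f"k={k}: typo-style caught:",
              sorted(blocked_by_policy(TYPO_STYLE, POPULAR, k)))
```

Running it shows the trade-off the comment points at: at k=4 every one of the listed legitimate names is rejected, while k=1 already catches the single-character typo-style names.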
| accrual wrote:
| Is it still "white hat" if money or a transaction is involved?
| My understanding is it's either black hat, the exploit is sold
| for money. Red team, you paid to be exploited for your own
| benefit. Or white hat, an exploit was found and it's
| communicated to limit black hat and red team. White hat + money
| would just be gray hat or blackmail.
| rocqua wrote:
| White hats can still get bug-bounties. Though if a company
| hasn't published such a bounty and a hat 'extorts' the bounty
| by demanding payment or else they will publish, that hat has
| a tint of grey.
| hajimuz wrote:
| Dude I thought it's Chinese Gov. Hey, America!!!
| rendx wrote:
| Way too much unnecessary data collected and stored as usual. But
| one of the best transparency reports ever. Thanks PyPI!
| tomjen3 wrote:
| >We will not be releasing the usernames involved publicly or to
| the users themselves.
|
| They point out that they are not subject to a gag order.
| buildbot wrote:
| Yeah this is interesting, because they could in absence of the
| gag order but choose not to. Unless it's not a gag order but a
| specific don't tell these users anything?
| stjohnswarts wrote:
| I doubt any investigators worth their salt would let the
| people they're investigating know that they are investigating
| them before they're ready to charge them.
| svaha1728 wrote:
| If it takes subpoenas to get package management fixed in Python
| so be it. Can the Rust Crates.io team take over Python management
| as well?
| firstlink wrote:
| > associated with the subpoenas received in March and April 2023.
|
| Oddly specific wording there. It would seem they have received
| additional subpoenas outside that timeframe which do have gag
| orders, and someone slipped up and failed to put the gag orders
| in these particular subpoenas.
|
| Seems like the DOJ may be doing some long-term fishing for, what,
| software developers? First the DOJ came for the conservatives,
| and I said, "go get 'em!" because I wasn't a conservative; next
| the DOJ came for ____?
| burnished wrote:
| Step one: have position and power as part of a dominant group
|
| Step two: style yourself as an oppressed minority
|
| Step three: defend any action, decision, or position as a
| persecuted martyr
| bratbag wrote:
| It's interesting how you manage to leap from what is probably a
| supply chain attack investigation straight into a pErSeCuTeD
| CoNsErVaTeS conspiracy.
| metiscus wrote:
| Across the ages, government has applied a disproportionate
| level of scrutiny to groups and people perceived as dissidents,
| minorities, and anyone else who could potentially be conceived
| as a threat to institutional power regardless of the magnitude
| of the threat or if that threat is true or false. Historically
| this is a bipartisan issue, for decades the FBI vigorously
| attacked anti-war groups, black civil rights groups, and
| various left wing groups via COINTELPRO. I guess to summarize,
| the way I think of it is that the government is coming for
| anyone they see as a potential threat and it doesn't matter
| what the politics of that group are.
| wongarsu wrote:
| > We have waited for the string of subpoenas to subside, though
| we were committed from the beginning to write and publish this
| post as a matter of transparency, and as allowed by the lack of a
| non-disclosure order associated with the subpoenas received in
| March and April 2023.
|
| That's suspiciously specific. Sounds to me like they also
| received some other subpoenas they aren't allowed to talk about.
| VWWHFSfQ wrote:
| I think it just sounds like the three subpoenas they received
| wongarsu wrote:
| I'm not sure I'd call three subpoenas "a string of subpoenas"
| even if it's technically correct. But I'm more talking about
| specifically mentioning that the subpoenas from March and
| April 2023 don't have a gag order. Why mention those months
| specifically if in the other months they didn't receive any?
| The natural thing would have been to end the sentence six
| words earlier.
| dragonwriter wrote:
| > I'm not sure I'd call three subpoenas "a string of
| subpoenas" even if it's technically correct
|
| I would if the sequence was such that the receipt of
| each of the subsequent ones delayed writeup of the overall
| incident in the interest of completeness or because there
| was some relationship between them
|
| > the subpoenas from March and April 2023 don't have a gag
| order. Why mention those months specifically if in the
| other months they didn't receive any?
|
| Because you are doing an aggregate writeup of a series of
| events and you want to convey when they occurred and why
| you are able to do a detailed writeup.
| florbo wrote:
| It sounds more like they're addressing the inevitable "why
| didn't you post as soon as it happened" party.
| Eisenstein wrote:
| It is perfectly clear that you are correct because trying
| to tell anyone about confidential subpoenas could be
| illegal.
| hunter2_ wrote:
| When it requires so much "reading between the lines" that
| even this community doesn't have a strong consensus on
| whether this is being (illegally) communicated or not, I
| think it's plausibly deniable, but IANAL. Contrast with
| well-known canaries.
| dragonwriter wrote:
| > That's suspiciously specific. Sounds to me like they also
| received some other subpoenas they aren't allowed to talk
| about.
|
| It could be, it could also be that they were trying to
| communicate both the timing of the subpoena string and why they
| are able to talk about it, and there aren't any others.
| samanator wrote:
| Yep, I was thinking the same thing. What a beautiful way of
| communicating that.
| tapoxi wrote:
| Sounds like they got a National Security Letter.
| bredren wrote:
| Does not need to be an NSL to have a non-disclosure
| attached. Could be a relatively minor (not very spooky)
| federal investigation.
| ajsnigrutin wrote:
| How does that work in combination with freedom of
| speech? Is it one of those cases, where someone has to be
| brave/foolish enough to disobey and take it to the
| supreme court?
| mike_d wrote:
| > How does that work in combination with freedom of
| speech?
|
| The government is not preventing you from expressing your
| free thoughts and opinions. They are compelling you to
| not disclose the details of something you had no
| knowledge of before they asked you about it.
|
| Nothing is stopping you from writing a blog post about
| how it is unfair to seek records of a potential criminal,
| but you cannot write about how it is unfair to seek the
| records of Bob Jones when you had no other reason to
| believe Bob was anything but a regular user.
| itronitron wrote:
| But you could post a unique blog post such as that about
| every one of your users.
| mywittyname wrote:
| A judge signed off on it. Which means that the State made
| a case for the subpoena to include a non-disclosure.
| autoexec wrote:
| I'm going to go ahead and guess "signed off on" was more
| like "rubber stamped"
| tracker1 wrote:
| Most likely... but the party who was served the order can
| file for appeal if they are willing to go that route.
| That said, it doesn't mean any such appeal will favor the
| party served the gag order.
| amethyst wrote:
| > I have not received a National Security Letter.
|
| source: https://durbin.ee/ as of Wed, May 24 at 1:45 PM PDT
| Loquebantur wrote:
| What a weird way to think about such events.
|
| Such subpoenas are clandestine surveillance of citizens by
| their state. The problem with such types of surveillance in
| particular is the lack of accountability.
|
| How does the ethical use of this problematic tool get
| ascertained? Where and how is the democratic oversight
| implemented? How is misuse treated and prevented?
| whitemary wrote:
| > _Where and how is the democratic oversight implemented?_
|
| What democratic oversight? This is the United States we're
| talking about lol.
| blibble wrote:
| as a foreigner (in terms of the US), I've never understood
| how these gag orders are compatible with the First
| Amendment
|
| often there's posts on HN about how the UK and all other
| Western European countries are totalitarian because they
| don't have unrestricted free speech
|
| but then apparently the police (FBI) can restrict the free
| speech of Americans without any court involvement at all?
|
| I really don't understand
| xupybd wrote:
| I don't like these gag orders but I can see times when
| they are needed. Each person has a right to a fair trial.
| So the courts sometimes have to suppress information from
| the public to avoid potential jurors seeing information
| about the case. They must only judge guilt based on what
| they hear in court not in the media.
| yrnameer wrote:
| There are plenty of laws that aren't compatible with our
| constitution. Judges will laugh a lawyer out of the
| courtroom who uses constitutional arguments, and your
| case will go nowhere.
| [deleted]
| komon wrote:
| Well, due process is a right co-equal to free speech, so
| which rights override which others in which circumstances
| will come down to legal precedent.
|
| My understanding is that the FBI or other non-judicial
| body cannot unilaterally issue a gag order. Subpoenas and
| gag orders related to them are granted by judges.
|
| (Which isn't to say that the relationship between the
| judicial branch and law enforcement bodies is always pure
| and equal)
| patrick451 wrote:
| They aren't compatible with the first amendment. But at
| this point, those rights are a joke and all three
| branches of our government regard the constitution as
| toilet paper.
| jakeinspace wrote:
| Gag orders do require a court, just not a jury or an open
| hearing. I agree that they should be unconstitutional.
| [deleted]
| make3 wrote:
| the fbi is overseen by elected officials, and by laws
| that were voted for it. it's not perfect but that still
| makes a huge difference.
| bboygravity wrote:
| That explains the whole Trump Russia ties investigation
| by the FBI I guess?
|
| Doesn't seem too healthy for any nation that is supposedly
| democratic?
| Loquebantur wrote:
| Look at this thread.
|
| People engage in childish fantasies featuring themselves
| in imaginary subversive behavior.
|
| It's unresolvable cognitive dissonance leading to
| repressing and reinterpreting the cause.
| wolverine876 wrote:
| Civil rights, including those in the First Amendment, are
| not absolute. Regarding speech, you also can't harass
| people, threaten them, defraud them, incite violence,
| distribute copyrighted information that isn't yours,
| interfere with others' activities (sing loudly in a movie
| theater), etc. Private entities such as your employer can
| restrict your speech in many ways.
|
| > often there's posts on HN about how the UK and all
| other Western European countries are totalitarian because
| they don't have unrestricted free speech
|
| I haven't seen these posts. Do you have an example handy?
| blibble wrote:
| > I haven't seen these posts. Do you have an example
| handy?
|
| here's one from earlier in the week:
| https://news.ycombinator.com/item?id=36000459
|
| they're pretty common, here's another one:
| https://news.ycombinator.com/item?id=35617773
| weinzierl wrote:
| Then following up on blibble's question: What _is_ the
| difference to the UK and other western countries that
| mostly also have free speech with what looks to me very
| similar restrictions?
|
| Honest question, like blibble, I don't really understand
| it either?
| damiankennedy wrote:
| In New Zealand where we don't have a specific
| constitution or amendments we have a set of laws that end
| up in the same place. An example is libel, which both
| countries have laws against. In NZ such laws are debated
| in parliament and voted on just as in the US. However in
| the US there was an additional objection based on it
| violating the first amendment but then the law was made
| anyway so it seems politicians in the US can make laws
| that override amendments in specific situations. The US
| also has their Supreme Court which seems to play a far
| more active role than NZ's and also more powerful in that
| it can create precedents in the interpretation of laws
| for example allowing students to wear items of symbolic
| protest in school.
| all2 wrote:
| The US's first amendment is rather unique amongst Western
| nations. Basically it says "the government cannot
| infringe on this inalienable right", that is the
| government cannot govern speech. Here's the actual
| language:
|
| > Congress shall make no law respecting an establishment
| of religion, or prohibiting the free exercise thereof; or
| abridging the freedom of speech, or of the press; or the
| right of the people peaceably to assemble, and to petition
| the Government for a redress of grievances.
|
| The key phrase "or abridging the freedom of speech, or of
| the press".
|
| As far as I know, this kind of language is absent from
| other Western nations. For example, Canada jails people
| for criticizing those of Islamic persuasion. [0] Note,
| the article doesn't record what the accused actually
| said. Here's a wikipedia overview of hate speech laws by
| country [1], though it is wikipedia, so take it with a
| grain of salt. Here's a somewhat relevant piece from
| _Reason_ that takes an anti-hate-speech stance [2] where
| the author details the unconstitutionality of hate speech
| laws.
|
| "Free speech" as we understand it in the US is unique in
| the world.
|
| As far as the restrictions at state and federal level,
| these are considered unconstitutional, and you'll see a
| large number of them struck down in various courts across
| the country. Those in power definitely seek to expand
| their powers and fortunately we have a law that allows
| the citizenry to push back against that.
|
| [0] https://www.cbc.ca/news/canada/hamilton/muslim-
| hate-1.614516...
|
| [1]
| https://en.wikipedia.org/wiki/Hate_speech_laws_by_country
|
| [2] https://reason.com/2021/05/20/teen-arrested-under-
| connecticu...
| nceqs3 wrote:
| You seem to be misunderstanding the First Amendment.
| CSMA, classified information, defamation, copyright, etc.
| are all not permitted under the first amendment. Not to
| mention that gag orders are approved by a court and can
| be appealed.
| blibble wrote:
| > Congress shall make no law respecting an establishment
| of religion, or prohibiting the free exercise thereof; or
| abridging the freedom of speech, or of the press; or the
| right of the people peaceably to assemble, and to
| petition the Government for a redress of grievances.
|
| seems pretty clear to me, at least for gag orders
|
| less so for the other stuff you mentioned (could you
| argue pirated Disney movies are speech? probably not)
| dragontamer wrote:
| And the writers of the 1st Amendment went on to pass the
| Sedition act of 1798.
|
| > That if any person shall write, print, utter, or
| publish, or shall cause or procure to be written,
| printed, uttered or published, or shall knowingly and
| willingly assist or aid in writing, printing, uttering or
| publishing any false, scandalous and malicious writing or
| writings against the government of the United States, or
| either house of the Congress of the United States, or the
| President of the United States, with intent to defame the
| said government, or either house of the said Congress, or
| the said President, or to bring them, or either of them,
| into contempt or disrepute; or to excite against them, or
| either or any of them, the hatred of the good people of
| the United States, or to excite any unlawful combinations
| therein, for opposing or resisting any law of the United
| States, or any act of the President of the United States,
| done in pursuance of any such law, or of the powers in
| him vested by the constitution of the United States, or
| to resist, oppose, or defeat any such law or act, or to
| aid, encourage or abet any hostile designs of any foreign
| nation against the United States, their people or
| government, then such person, being thereof convicted
| before any court of the United States having jurisdiction
| thereof, shall be punished by a fine not exceeding two
| thousand dollars, and by imprisonment not exceeding two
| years.
|
| Welcome to America. Our laws contradict each other and
| it's all about politics. The Supreme Court figures out
| where the line is drawn and what is, or isn't, legal
| according to the Constitution.
|
| With regards to 1st Amendment, the limit is drawn today
| at Libel, Slander, "Fire in a Crowded Theater",
| pornography, and many other restrictions upon "free
| speech". Gag orders included.
| blibble wrote:
| surely that Act is by definition unlawful?
|
| I still don't really understand
|
| in the UK: Parliament has unlimited power and people talk
| quite a bit about formal constitutions being a good model
| to be followed
|
| it seems a bit sad the attempt to protect the population
| against government using a formal constitution doesn't
| seem to work in reality (even when the wording is as
| clear as day)
| dragontamer wrote:
| > surely that Act is by definition unlawful?
|
| Whose definition?
|
| Answer: The Supreme Court decides the definition of
| things. It's only unconstitutional if the Supreme Court
| says so.
|
| That's how the USA can get away with... I dunno... the
| Office of Censorship in 1941.
| (https://en.wikipedia.org/wiki/Office_of_Censorship).
| Definitions change, not only due to different members on
| the Supreme Court, but also due to different
| circumstances (WW2 meant that the Supreme Court was
| willing to ignore the obvious incursion into the 1st
| Amendment, at least temporarily)
|
| EDIT: I always forget that it was actually the Office of
| War Information that did the Hollywood Censorship thing (
| https://en.wikipedia.org/wiki/United_States_Office_of_War
| _In...), rather than the Office of Censorship.
| blibble wrote:
| > Whose definition?
|
| I guess that's the underlying problem
|
| I'm not sure how you fix it really, though not having
| direct political appointees as top judges might be a good
| start
|
| (maybe put an LLM in charge of a supreme court? I kid, I
| kid)
| dragonwriter wrote:
| > With regards to 1st Amendment, the limit is drawn today
| at [...] "Fire in a Crowded Theater"
|
| No, and it never was. That was an _obiter dictum_ that
| didn't accurately reflect the state of the law in the
| decision in which it appeared, and the actual holding in
| that case itself (now regarded as an intense intrusion on
| core political speech) is no longer operative.
|
| It's a catchy turn of phrase that gets stuck in the mind,
| but it was also a rhetorical device in a
| decision that has since been substantively overruled, not
| an actual example of an existing limit on free speech.
| dragontamer wrote:
| Well, if that particular phrase is poisoned, I guess I
| could just say "Hobbit" instead, which is owned as a
| trademark IIRC by the Tolkien estate and they're very
| litigious about it.
|
| You can't say "Hobbit" in your own stories. But you can
| say "Halfling", and that's how people tend to get around
| that problem. Blonde Thor is Disney/Marvel (Historical
| Thor was a redhead IIRC, so Blonde Thor is Disney/Marvel
| Trademark), etc. etc. Plenty of restrictions on Free
| Speech in practice.
| dragonwriter wrote:
| > You can't say "Hobbit" in your own stories
|
| You can, though.
|
| You can't use it to _market_ your stories or other
| products, and there's some manner of use in the body of
| a book that might run some risk of liability for dilution
| or tarnishment, but...
| RobotToaster wrote:
| >"Fire in a Crowded Theater"
|
| That one's apparently a myth.
|
| https://reason.com/2022/10/27/yes-you-can-yell-fire-in-a-
| cro...
| dragontamer wrote:
| Libertarian website argues Libertarian viewpoints. News
| at 11.
|
| I'm more inclined to believe Supreme Court Justice Alito
| over a Libertarian website. Especially because a sitting
| Supreme Court Justice literally will preside over the
| case and make a decision based on their own
| ethics/process/whatever.
|
| An entire article that starts off with "BTW: Supreme
| Court Justice is wrong on subject" is... well... that's
| not how this works. The Supreme Court justice literally
| defines (or at least, is 1/9th of the definition) of our
| country's legal interpretation.
|
| If the Supreme Court says "Obamacare is a tax", then it's
| a tax. No if, and, or buts about it. It can be as
| ridiculous or contrived an argument as they want, it's the
| purview of the Supreme Court. They are the final say on
| any of these legal matters.
|
| And unless "reason.com" (or any other libertarian source)
| somehow manages to get the ear of the other Supreme Court
| Justices to believe their argument, I think I can safely
| ignore their article there.
|
| But they know that. I'm guessing they're just trying to
| clickbait readers and make somewhat sketchy arguments for
| more clicks + plant more articles that are aligned to
| libertarian values (as is the point of reason.com).
| [deleted]
| SllX wrote:
| 1. It was _falsely_ shouting fire in a crowded theater,
| and it was not formative of the opinion itself (Schenck
| vs United States) but rather an aside.
|
| 2. Schenck vs United States was largely overturned by
| Brandenburg vs Ohio, but this aside was still non-
| jurisprudential.
|
| 3. I am unfamiliar with Justice Alito's opinion on the
| matter and you didn't cite it, so with no context I will
| only temporarily defer to you for the purpose of saying
| this: SCOTUS makes jurisprudence through the rulings and
| opinions they hand down when they take a majority vote in
| conference, draft opinions and sign on to them. One
| Justice does not make jurisprudence over a statement
| which itself was never jurisprudential.
|
| Reason wears their ideological stripes on their sleeves,
| but this is still essentially a myth that doesn't die and
| a fuller explanation of it isn't a matter of ideology.
|
| You still shouldn't falsely shout fire in a crowded
| theater, as people will die. You also shouldn't pretend a
| fire isn't there or part of the show either as people
| will also die. Basically, if there's a fire in a theater
| you're in, just be glad for modern building and fire
| codes.
| dragontamer wrote:
| > 2. Schenck vs United States was largely overturned by
| Brandenburg vs Ohio, but this aside was still non-
| jurisprudential.
|
| This here is the evolving nature of the court that I want
| to highlight most of all however.
|
| In 1919, the Supreme Court believed one thing. Later, in
| 1969, half-a-century later, it believed another thing and
| overturned the earlier ruling.
|
| As an organization, the Supreme Court tends to try to be
| consistent. But it's not always true, and certainly in
| these days where we've had a dramatic change in the
| makeup of the court + filled it with young justices,
| we're going to see a big change in how the court writes
| opinions in the years, and decades, to come.
|
| -----------
|
| Laws are written. Constitutional Amendments are written.
| A few years ago, the 4th Amendment protected a woman's
| right to privacy and therefore Abortion. That's no longer
| true today. Etc. etc. Just a modern quickie example about
| how changing opinions can change our understanding of
| long-standing laws (or Constitutional Amendments) from
| the 1700s.
|
| Generally speaking, the Supreme Court is trying to do
| what's right for our court system. To have laws
| interpreted consistently over time, and across the
| country.
| ajross wrote:
| > Such subpoenas are clandestine surveillance of citizens
| by their state. The problem with such types of surveillance
| in particular is the lack of accountability.
|
| I never know how to interpret statements like this. The
| fourth amendment guarantees court oversight over search and
| seizures. A court signs off on every subpoena issued
| anywhere in the USA. Are you making this argument from the
| perspective of "I didn't know courts were involved" or "I
| don't view courts as sufficient oversight".
|
| If it's the latter... what's your alternative? Eliminate
| gag orders (which is all this is) entirely? You realize
| that there's a lot of stuff that happens in courts that we
| all agree should not be public, both for privacy and law
| enforcement reasons. Why get upset over this one particular
| thing?
| riazrizvi wrote:
| The USA is a country of laws. It's possible that people
| submitting packages are submitting illegal malware;
| spyware, ransomware, software to steal crypto money, or run
| illegal ticket-buying bots. Ethical oversight is baked into
| the institutions through governance structures.
| Institutions aren't perfect. Also there tend to be more
| complaints in the media about a country's institutions than
| in regions where there is not a free press. So the voices
| complaining online don't necessarily correlate with where
| the problems most lie.
| [deleted]
| Loquebantur wrote:
| Describing the US as a country of laws is a little funny.
| The mere existence of laws does not imply much.
|
| Your examples are even weirder. How would such
| malfeasance justify clandestine observations? That is
| clearly disproportional, thus unethical.
|
| Claiming governance structures were "baked into"
| institutions is pure hopium. Democratic oversight means,
| there must be transparency enabling you as a citizen to
| detect and react to misconduct, at least by proxy.
|
| The "free press" isn't free to report and investigate
| such subpoenas, obviously.
| williamcotton wrote:
| If law enforcement was never allowed to engage in
| clandestine operations then it would hamper their ability
| to build a case against and/or apprehend criminals. Case
| in point, organized crime syndicates.
|
| This is why the majority of your fellow citizens disagree
| with you and are fine with the current state of affairs.
| yrnameer wrote:
| > Ethical oversight is baked into the institutions
| through governance structures.
|
| Kind of a shocking assumption to make. Over the past
| several decades it has become increasingly apparent how
| our governing structures have no inherent relationship
| with ethics.
| lazide wrote:
| At least they get to subtly communicate they can't talk,
| instead of being Jack Ma'd.
|
| The constitutional justification is the same one behind not
| being allowed to yell 'fire' in a crowded theatre if there
| is none, or not being able to go on TV and threaten the
| Judge overseeing your case - 'the constitution is not a
| suicide pact'. [https://en.wikipedia.org/wiki/The_Constitut
| ion_is_not_a_suic...]
|
| As to if it is being abused? Guaranteed. Being prevented?
| Not effectively. Only the occasional leak of the abuse and
| corresponding consequences (if any) seem to be
| counteracting it, and even then not well.
|
| Sunlight is the best disinfectant, and most of the national
| security apparatus is solidly in the dark, and has been for
| a long time.
| mike_d wrote:
| > How does the ethical use of this problematic tool get
| ascertained? Where and how is the democratic oversight
| implemented? How is misuse treated and prevented?
|
| I can't speak specifically to this case, but in general
| when asking a judge for the warrant they also provide
| compelling evidence that harm would come from disclosure.
| The judges weigh the rights of the targeted and other
| parties that would be subject to a gag order against the
| greater good.
|
| To answer your last two questions, all gag orders
| eventually expire. It isn't a prohibition against the
| impacted party speaking out, just a delay. They can go
| directly to the judge or appeal to a higher court.
| yunohn wrote:
| > It isn't a prohibition against the impacted party
| speaking out, just a delay.
|
| It's exactly this "it's totally fair, surely it's not
| ridiculous" attitude that shows how the powers control
| the people.
|
| Gag orders and secrecy agreements can definitely be
| indefinite and regularly are.
|
| https://web.archive.org/web/20220809113138/https://cdt.org/i...
| tru3_power wrote:
| Is this related to that Microsoft disclosure?
| whimsicalism wrote:
| > as allowed by the lack of a non-disclosure order associated
| with the subpoenas received in March and April 2023.
|
| Yeah no way they haven't had other subpoenas then.
| junon wrote:
| Good on the PyPi folks. This is an incredibly well done
| disclosure, an example to be sure.
| BrandoElFollito wrote:
| I wonder why such organizations that hold critical data for the
| community at large do not use an international canary system.
|
| Should one of the countries issue an order, the ones outside of
| its jurisdiction can openly disclose the information. Say if the
| US forces the US entity to not do something, the French one sees
| it and can warn all users.
| detaro wrote:
| "I've been ordered not to tell the details, but I know you will
| publish them, so I'm going to tell you the details" is not
| going to be taken as "obeyed the order" by law enforcement or
| courts.
| BrandoElFollito wrote:
| Sorry but I think I do not understand (English is not my
| first language). Who would be in trouble?
|
| In case anything happens with the content of the service, the
| detail of the changes would be made clear by someone outside
| the jurisdiction.
|
| A typical example is TrueCrypt that, one day, changed their
| page to say to use something else instead of their product.
|
| If the code was shared between several countries, the others
| could simply publish that this and that was changed out of
| band, and that it means that the code is now positively
| unsafe.
| sneak wrote:
| > _" IP download logs of any Python Package Index (PyPI) packages
| uploaded by..." given usernames_
|
| This is way overbroad. The fact that a judge granted this is very
| bad.
| duskwuff wrote:
| It's hard to say that it's "overbroad" without knowing the
| details of the situation.
|
| It's not hard at all, on the other hand, to imagine situations
| where this would be a reasonable request. Probably the most
| obvious would be if the packages contained material which was
| illegal to possess or distribute (like CSAM). Another would be
| if the packages were being used as part of a malware C&C
| operation -- knowing what IP addresses downloaded the packages
| would aid in determining the scope of the campaign.
| kjs3 wrote:
| We get "please provide the logged IP addresses of user X"
| subpoenas on a weekly if not daily basis. Which law school did
| you go to so I can tell our corp counsel they've been doing it
| wrong and stop asking?
| robryk wrote:
| Note that GP complains not about the request for IP addresses
| of user X, but the request for IP addresses of anyone who
| downloaded content uploaded by user X.
| tw-0981230981 wrote:
| You should re-read the quote. This was not a request for the
| IP addresses of the users in question, but for the everyone
| that downloaded any packages uploaded by those users.
| throw_a_grenade wrote:
| So just yesterday PyPI announced they're retiring cryptographic
| signatures: https://news.ycombinator.com/item?id=36044543.
|
| It's hard to keep those things separated. I would very much like
| the code submitted to PyPI be protected end-to-end by
| cryptographic signatures, when PyPI has either no resources, or
| no spine to stand up to a government. Any signatures, even PGP,
| should be in place until someone provides a better mechanism.
| dvt wrote:
| Most likely caused by phishing, ransomware, or (unlikely) crypto
| mining. I'd bet someone from some agency had credentials leaked
| due to a malicious package. Honestly, PyPI is stuck between a
| rock and a hard place, but having something like a "verified"
| badge (where someone's real identity is tied to it) for certain
| packages would go a long way to ensure some level of security.
|
| The problem gets a bit hairier when dealing with dependency
| chains, however.
| snapcaster wrote:
| Really weird, anyone have some inside gossip on what this is
| about?
| paulpauper wrote:
| maybe to do with web scraping, auto-posting spam, etc.
|
| https://www.developer-tech.com/news/2023/may/22/pypi-suspend...
| yuvadam wrote:
| Subpoenas are from March and April, predating the spamming of
| the past few weeks.
| richbell wrote:
| PyPI has had a pretty consistent spam problem for a while
| now.
| paulpauper wrote:
| it likely shows that it was an ongoing problem
| Retr0id wrote:
| The most optimistic reason would be that they were
| investigating a supply-chain attack, or something of that
| nature.
| bhouston wrote:
| I wish it was that but those people would be smart enough to
| not use their real name when signing up - those doing supply
| chain attacks are often at least somewhat professional and
| take precautions.
|
| I suspect it was more about going after software that was
| enabling piracy, those are often created by naive students
| who are not expecting the power of government to be unleashed
| on them.
| nibbleshifter wrote:
| > those doing supply chain attacks are often at least
| somewhat professional and take precautions.
|
| Not really.
|
| The vast majority of supply chain attacks in practice are
| idiots exploiting namespacing, bitflips, or typos on
| pypi/npm to drop miners or infostealers.
|
| Yes, even the shit tier supply chain attacks count :)
| commandlinefan wrote:
| This makes me wonder... it's entirely possible that the PyPI
| people would be enthusiastic about helping to track down
| offenders, and their users might agree, _if they knew what
| the offense was_. Instead, they're presented with a typically
| antagonistic demand for details, so they understandably get
| defensive on behalf of their users. I wonder if there's not a
| better, less heavy-handed way to get cooperation with law
| enforcement when the request is reasonable.
| Retr0id wrote:
| Personally I would rather not set a precedent of handing
| data over to government agencies just because they ask
| nicely, even if it seems like it's for a mutually agreeable
| good cause. That is, I would rather they go through these
| "formal" channels, even if it seems a bit heavy-handed.
|
| Further, whatever they're investigating here is probably
| "important", for some definition of important, so they
| likely value the ability to lean on non-disclosure clauses
| etc.
| jamesmurdza wrote:
| It could be related to the large number of malicious or booby-
| trapped packages that have been uploaded recently to the index.
| foota wrote:
| My guess? A hacking case against someone for typosquatting or
| malicious packages or something.
| guhcampos wrote:
| Could be anything I guess, even legitimate reasons. Think of
| the supply-chain attacks going on in the past few years. I'd
| say investigating these would be a legitimate reason for a
| subpoena.
| [deleted]
| jehb wrote:
| Suggestion: Start slipping unique URLs into the "hidden" backend
| fields of systems where you'd like to know if your data was
| breached, improperly used, or handed over to a three letter
| agency.
|
| Suddenly getting hits at mydomain.com/[uuid]? At least you know
| somebody has looked at the data, or at the very least fed it
| through some processing tool that is extracting and visiting the
| URLs.
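The canary approach jehb describes, as an added example that is not from the thread: mint one unique URL per hidden record field, then match web-server access-log lines back to the record whose copy was fetched. The host canary.example.net, the record ids and the log lines are constructed placeholders.

```python
"""Per-record canary URLs plus a detector that maps hits in an access log
back to the planted record. Added example; canary.example.net is an
assumed placeholder domain, not a real service."""
import re
import uuid
from dataclasses import dataclass, field
from urllib.parse import urlparse

CANARY_HOST = "canary.example.net"  # assumed placeholder domain


@dataclass
class CanaryRegistry:
    """Maps each canary token to the record and field it was planted in."""
    tokens: dict = field(default_factory=dict)

    def plant(self, record_id: str, field_name: str) -> str:
        """Mint a unique URL for one hidden field of one record and remember it."""
        token = uuid.uuid4().hex
        self.tokens[token] = (record_id, field_name)
        return f"https://{CANARY_HOST}/c/{token}"


# Common/combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Only exact canary paths count; a guessed or truncated token is ignored.
PATH_RE = re.compile(r"^/c/(?P<token>[0-9a-f]{32})/?$")


def detect_hits(registry: CanaryRegistry, log_lines):
    """Return one dict per request that resolved a planted canary token."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        p = PATH_RE.match(m.group("path"))
        if not p:
            continue  # ordinary request, not a canary path
        token = p.group("token")
        if token not in registry.tokens:
            continue  # scanner noise or a token we never issued
        record_id, field_name = registry.tokens[token]
        hits.append({
            "record": record_id,
            "field": field_name,
            "source_ip": m.group("ip"),
            "time": m.group("ts"),
        })
    return hits


def token_of(url: str) -> str:
    """Extract the token from a URL produced by CanaryRegistry.plant()."""
    return urlparse(url).path.rsplit("/", 1)[-1]


def demo():
    """Plant canaries in two constructed records, then scan constructed log lines."""
    reg = CanaryRegistry()
    url_a = reg.plant("user-1001", "internal_notes")
    reg.plant("user-1002", "internal_notes")  # never fetched in the sample log
    # Constructed access-log lines using TEST-NET addresses.
    log = [
        f'203.0.113.7 - - [24/May/2023:17:28:00 +0000] "GET /c/{token_of(url_a)} HTTP/1.1" 404 0 "-" "curl/8.0"',
        '203.0.113.9 - - [24/May/2023:17:29:10 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "bot"',
        '198.51.100.4 - - [24/May/2023:17:30:00 +0000] "GET /c/' + "0" * 32 + ' HTTP/1.1" 404 0 "-" "x"',
        "not a log line",
    ]
    return detect_hits(reg, log)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['time']} {hit['source_ip']} fetched canary for {hit['record']}/{hit['field']}")
```

Only the record whose canary was actually fetched is reported, so a single hit tells you which copy of the data was read, not just that some leak happened.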
| mmsc wrote:
| This is called a canary and can be used in so many places:
| https://blog.thinkst.com/2022/09/sensitive-command-token-so-...
| austinjp wrote:
| I'm pretty sure I've seen a SaaS that does this, but I can't
| remember the name.
| tailspin2019 wrote:
| https://canarytokens.org
| tgbugs wrote:
| One theory that I don't see mentioned yet is that someone used an
| upload to pypi to exfiltrate data or simply as a way to upload
| arbitrary data somewhere. In a sense pypi is just a file hosting
| service, so it could have nothing to do with any actual python
| projects at all.
| rocqua wrote:
| Interesting approach to data exfil. Though it seems predictable
| that exactly this kind of subpoena would be issued. If you can
| predict it, you can probably mitigate it.
|
| Which means the subpoena would only be useful if the criminals
| made an opsec mistake. That is generally how most sophisticated
| criminals get caught, but here it feels like anyone inventive
| enough to try will probably also be prudent enough not to leave
| a trail.
| Zetice wrote:
| Dumb legal question; what's the difference, if any, between
| "We've been subpoenaed" and "Someone had a warrant for data"?
| paxys wrote:
| Warrant = we (police or other authority) have the right to come
| and search your property for evidence.
|
| Subpoena = the court compels _you_ to hand over the evidence we
| need.
| woodruffw wrote:
| Subpoenas are orders, but they're not necessarily court-
| issued. Warrants, on the other hand, _are_ court-issued --
| the police can't issue warrants on their own in the US.
| rocqua wrote:
| A warrant for a thing isn't an order to the owner of that
| thing. It's an order to (and permission for) officers to go
| and seize the thing.
|
| You get shown the warrant to prove that they have
| permission, not to order you to comply.
| woodruffw wrote:
| Yes, I'm aware -- my other comment says that.
|
| I realize this comment is a little ambiguous: the order
| in the warrant case is an order by the court _to the
| court's officers_ to perform an arrest, seizure, etc.
| It's not an order for you (the subject of the warrant) to
| comply.
| [deleted]
| woodruffw wrote:
| Not a dumb question: a subpoena is an order to provide
| information or access, while a warrant is a court-issued
| document authorizing the government (or an agent of the
| government) to perform an act (e.g., an arrest, or seizure of
| an item).
|
| Subpoenas can be issued by attorneys (including prosecuting
| attorneys) as part of the investigative and discovery
| processes.
| indymike wrote:
| Subpoena = "Ask firmly, but nicely"
|
| Warrant = "Back up the van and haul it away"
| schoen wrote:
| The subpoena is a command to the possessor of the data, which
| tells the possessor of the data to produce it, with a
| particular deadline. Since this deadline is in the future, the
| subpoena can be challenged legally (normally by requesting a
| court to "quash" it; more riskily, sometimes by complying
| imperfectly or not at all, and then arguing in response to an
| attempt to punish the noncompliance that this was reasonable).
| A subpoena can be issued by many entities, for example
| including some law enforcement entities themselves, or a lawyer
| actively involved in litigation. (Yes, lawyers can personally
| write and issue subpoenas.) The subpoena is, however,
| _enforced_ by a court, in the sense that the court is asked to
| punish people who fail to obey it.
|
| The warrant is a command to a law enforcement officer, which
| allows the law enforcement officer to personally go and search
| and seize things (or people), while overriding some rights that
| would normally prevent this. Normally it is issued by a court.
| Generally there is no way to challenge a warrant to prevent its
| execution, because it is not disclosed to the target before
| it's executed (i.e., a law enforcement officer shows up with
| the warrant and begins executing it immediately, by force if
| necessary).
|
| (Edit: I wrote above that it's risky to comply imperfectly with
| a subpoena and then argue in court that this was reasonable,
| but usually if _a lawyer gives a professional opinion_ that the
| subpoena is invalid or overbroad for some reason, then the
| recipient of the subpoena won't be punished for following that
| advice. The lawyer may also attempt to negotiate directly with
| the issuer of the subpoena, for example by sending a letter
| explaining why the subpoena appears to be invalid. The
| legal standards for issuance of subpoenas are also pretty
| broad. For civil litigation, _which is not what DoJ is doing
| here_, they are set out in
| https://www.law.cornell.edu/rules/frcp/rule_26; notably, they
| can be issued to third parties.)
| therein wrote:
| Really nice response, I'm not the one who asked the question
| but I learned something from your response.
| zerealshadowban wrote:
| They log too much data about their users.
|
| So they should promptly update their policies to a) stop logging
| so much, b) delete all past logs, and c) sharply limit the span
| of time until deletion of whatever logs they decide they really
| need to track for internal needs.
|
| They should avoid logging, and rapidly rotate logs, to thwart
| future subpoenas from the total surveillance state.
| takeda wrote:
| For the kind of service they are providing I think the logging
| is appropriate.
|
| I mean if DOJ is interested in PyPI logs the only reason I
| could think of, is if it was used as a supply chain vector into
| breaking in into other organizations.
| manicennui wrote:
| Did you bother reading the post?
| Jeff_Brown wrote:
| I didn't get very far. (Not the OP.) What's the punchline --
| they will log less in future? They can't? They shouldn't?
| einpoklum wrote:
| Here is what I consider the key section:
|
| > The privacy of PyPI users is of utmost concern to PSF and the
| PyPI Administrators, and we are committed to protecting user data
| from disclosure whenever possible. In this case, however, PSF
| determined with the advice of counsel that our only course of
| action was to provide the requested data. I, as Director of
| Infrastructure of the Python Software Foundation, fulfilled the
| requests in consultation with PSF's counsel.
|
| The first part of this section contradicts all of the rest. If
| user data privacy is of "utmost concern", then it is a concern
| above fulfilling legal obligations under US law. Plus, such
| supposed obligations must be staunchly fought before even
| considering whether or not to observe them. So, in fact, user
| data privacy is a minor concern for the Python Software
| Foundation, while swift prostration towards the US federal state
| is what's of utmost concern.
|
| Of course, they almost admit it themselves. If we carefully read
| the second clause, they don't say "we're committed to protecting
| user data from disclosure", but - the "we're committed... when
| possible". So, they're saying that if they believe it isn't
| possible to protect, they have _no_ commitment to try their
| utmost to protect. i.e. when they see fit, user data protection
| is _not_ a concern at all. ... ok, ok, it is a public relations
| concern.
| stjohnswarts wrote:
| I don't have a problem with this as it was 5 particular users and
| not "give us all the data for all your users". They didn't
| really have much of a choice. I don't think they would have had a
| choice in any of the 5 eyes countries or their allies.
| gjmacd wrote:
| I would point to Jim Jordan and all the other Republicans after
| January 6th who didn't honor a subpoena and toss them in the
| trash. Nobody in our government honors them, why should we in the
| private sector? What's going to happen, they going to raid
| offices and get a bunch of PC's and books?
| ur-whale wrote:
| > We will not be releasing the usernames involved publicly or to
| the users themselves.
|
| Emphasis on the last part: or to the users themselves.
|
| In other words: unless they actually let the users involved know,
| in spite of claiming the opposite, the whole article is complete
| posturing.
| burnished wrote:
| What a weird take
| ralmidani wrote:
| Does a "subpoena" mean a judge was involved? The post says the
| subpoena was issued by the DOJ.
| tptacek wrote:
| It means a court is involved, but not a judge.
|
| _Edit_
|
| Even that is technically wrong; some DOJ subpoenas are
| apparently preauthorized by statute.
| idlewords wrote:
| There's a pretty extensive list of administrative subpoena
| authority here:
|
| https://www.justice.gov/archive/olp/rpt_to_congress.htm
|
| tl;dr: Everyone from the Appalachian Regional Commission on
| down can subpoena you without a court being involved. And of
| course Congress has inherent subpoena powers.
| tptacek wrote:
| Oh, this is so cool. Thank you!
|
| This is a step towards answering my noodly question earlier
| in the thread: authorization for NDAs and "gag orders" in
| subpoenas appears to be controlled by (varying) statutes.
| etaioinshrdlu wrote:
| Amazing how upset users here get over the very reasonable
| response to very normal police work.
| throwaway_13140 wrote:
| Agreed - how else was the DOJ supposed to do their job? They
| clearly need the data for an investigation. No need for PyPI to
| give information about how current users can alter their
| accounts to thwart future requests.
| sneak wrote:
| Normal police work doesn't go fishing for the IP addresses
| (potentially millions of users) of everyone who downloaded a
| package.
|
| > _" IP download logs of any Python Package Index (PyPI)
| packages uploaded by..." given usernames_
|
| Do you feel the same way if the cops are receiving the IPs of
| everyone who downloaded yt-dlp? IP addresses and timestamps
| resolve to physical locations and oftentimes street addresses.
| ranger_danger wrote:
| In the US at least, it has been ruled that an IP address is
| not sufficient evidence to link activity to any particular
| person. You could have been hacked for example.
| buzzscale wrote:
| That doesn't make any sense though. What benefit would DOJ
| get from getting the IP address of everyone who downloaded
| yt-dlp? They aren't the enforcement arm of google's terms of
| service, which is a civil matter.
|
| Even if they were, and the DOJ was going for a dragnet
| operation to go after tools that could potentially infringe
| terms of service of big corporations, they would go after
| every tool and every fork. Not just 1 package. But again,
| what court would allow such action and why?
|
| If I was in the DOJ and was investigating a malicious package
| uploaded to PyPI, I would ask for the IP's of the downloaders
| to see if the uploaders dun goofed and downloaded their
| package shortly after uploading off VPN. Or to find out if
| any major corporations were impacted by downloading the
| malicious package and to inform them.
| etaioinshrdlu wrote:
| (Deleted comment as it was wrongly assuming bias)
| ewdurbin wrote:
| no. they wanted the downloads by randoms. we don't store
| those with IPs
| subarctic wrote:
| I think you're reading it wrong too - it says "IP download
| logs of any Python Package Index (PyPI) packages uploaded
| by the given usernames". So that's anyone who downloaded
| those packages, not just the specific users' download
| activity.
| Vervious wrote:
| Yeah, I feel like this crowd sometimes forgets that the
| department of justice exists first and foremost to keep us
| safe.
|
| With PyPi hosting a ton of malicious packages and malware,
| certainly I am not morally opposed.
| winrid wrote:
| Same with the dozen street cameras at every intersection in
| China, right? Right? :)
| unethical_ban wrote:
| It's truly disheartening to see examples where someone
| (presumably a real human) thinks that all law enforcement,
| across all nations and times, and in all cases, are equal.
| willdr wrote:
| They are equal insofar as they exist for the same
| purpose.
| winrid wrote:
| I didn't say equal, did I?
| misterpigs wrote:
| I love this level of transparency.
| voynich wrote:
| Yeah, whether necessary or not, it's still nice to have such a
| level of detail in a transparency report.
| tomjen3 wrote:
| > We will not be releasing the usernames involved publicly or
| to the users themselves.
|
| Which is the most important part.
| tptacek wrote:
| They're not allowed to release that.
|
| _Edit_
|
| I read 'chaps as saying there was an NDA on the subpoena, but
| apparently there wasn't, so this might just be flatly wrong.
| remram wrote:
| Even in the absence of NDA, are you allowed to? Counsel has
| apparently advised them not to. Would it not carry the risk
| of being complicit to a crime?
| kevin_thibedeau wrote:
| Disclosing facts is not a crime.
| rocqua wrote:
| Perhaps there is no NDA on the fact that subpoenas were
| issued, but still an NDA on whom they were issued about?
| Limiting the scope of such an NDA feels like a plausible
| result of negotiations after a motion to quash the
| subpoena.
| AnotherGoodName wrote:
| The NDA isn't the only reason you don't risk interference
| in an ongoing investigation though so regardless the basic
| point still stands.
| throwaway_13140 wrote:
| Do you still love it if it enables a terrorist or otherwise
| very bad person to evade capture?
| evandale wrote:
| Not OP but yeah. I don't buy into the whole "to protect you
| from bad people I need to erode your rights" argument.
|
| Never made sense to me. Terrorists and other very bad people
| usually aren't in the business of following laws so I don't
| know what crimes you'd prevent by weakening the rights of
| everyone else.
| M3L0NM4N wrote:
| I mean, surveillance reduces crime. Wherever you fall on
| the spectrum of surveillance/privacy, I can guarantee if
| the government read everything everyone wrote/texted/read
| and recorded their every move, there would be less crime.
| menus wrote:
| Great to know that. I'll let the parents of Uvalde know
| how surveillance reduced crime on the 1 year anniversary
| of the school shooting.
|
| Surveillance does not reduce crime, tending to people's
| basic needs so that they don't need to commit crimes
| reduces crimes.
| Danjoe4 wrote:
| Yes. Truth itself stands at the top of the moral hierarchy.
| It can stand alone without any justification. "You told the
| truth" will never be immoral, consequences be damned.
| Aachen wrote:
| Climate activism is also being considered an act of terrorism
| by some now (particularly some Christian party in Germany),
| dunno if those people label themselves as 'very bad persons'.
| Probably goes for all terrorists, but this might be easier to
| relate to as it's grounded in reality and we'd likely agree
| with the change they seek
|
| Child porn and terrorism are the favorite subjects of
| politicians looking to enact a new law but idk if it's good
| to follow that thinking and use it as an example as opposed
| to a serial killer or something
| SV_BubbleTime wrote:
| Sure. But I would love if they had considered this from the
| start:
|
| >As a result we are currently developing new data retention and
| disclosure policies.
|
| "I guess we don't actually need that" should have been the idea
| from the start.
| thih9 wrote:
| After a quick glance at the information listed in the report
| I didn't notice excessive data collection on pypi's part.
|
| I'd say they followed "I guess we don't actually need that"
| approach reasonably well so far and good for them if they
| want to improve that even more.
| itake wrote:
| I can't tell if this is sarcastic.
|
| While they are transparent the events happened, they are not
| transparent about which packages and what authors are being
| flagged, which is unfortunate.
| thih9 wrote:
| Is it possible that they can't publish that? Perhaps even not
| allowed to say that they can't publish that?
| einpoklum wrote:
| > While they are transparent the events happened
|
| Considering they are admitting they will always obey
| government commands, including regarding non-disclosure of
| actions to affected users, it is prudent to assume they are,
| in fact, not transparent about events; only about those
| events which the government has let them tell you about.
| Other events (e.g. National Security Letters) may or may not
| have occurred.
| b33j0r wrote:
| Why don't nerds get the same rights?
|
| According to US news over the past 3-4 years, you can just ignore
| subpoenas, then get a contributor job on a cable news network.
| Bonus points, the more you flout the law as arrogantly as
| possible ;p
| jacquesm wrote:
| > We will not be releasing the usernames involved publicly or to
| the users themselves.
|
| Why not to the users themselves? Have they been prohibited from
| doing so? (TFA does not say afaict)
| ruffrey wrote:
| Often subpoenas are part of an ongoing investigation, and they
| require not releasing information to those whose data was
| subpoenaed.
| tptacek wrote:
| The subpoena probably includes a nondisclosure clause; a court
| order certainly would. The mechanics of nondisclosures on
| subpoenas is interesting and I don't totally understand it (by
| definition, a subpoena is a document authorized by someone
| other than a judge).
| jacquesm wrote:
| So is this message a way to obliquely signal to those users
| (whoever they are) that they may be under investigation
| without actual disclosure?
| can16358p wrote:
| That might get PyPI into trouble especially with a gag
| order which we can assume that they are forced to obey and
| forced not to talk about.
|
| PyPI would pretty much want to inform the users, but they
| probably simply can't (without getting into legal trouble).
| tptacek wrote:
| I doubt it. Most of these investigations (really: most
| federal computer-related investigations) are super boring,
| and are about things ordinary people wouldn't object to
| seeing investigated.
|
| We're a message board and we're thus optimized for drama
| over truth-seeking (it's just human nature). The truth of
| these kinds of events is usually not all that interesting.
| If it's something more dramatic, we'll hear more about it
| in the future. In, like, a sort of Bayesian sense, you can
| predict that any given subpoena or court order is going to
| be about a case nobody would bother sending warning signals
| about.
| bredren wrote:
| > Most of these investigations (really: most federal
| computer-related investigations) are super boring, and
| are about things ordinary people wouldn't object to
| seeing investigated.
|
| This is true. The result may be so boring local news
| wouldn't even cover it. In some cases you have to find
| the investigating agency's unremarkable press release and
| then dig for related court documents to even find out
| what happened.
| chaps wrote:
| There was no NDA: "We have waited for the
| string of subpoenas to subside, though we were committed from
| the beginning to write and publish this post as a matter of
| transparency, and as allowed by the lack of a non-disclosure
| order associated with the subpoenas received in March and
| April 2023."
| steve1977 wrote:
| ... for the subpoenas received in March and April 2023
| chaps wrote:
| Yeah, that was notably strange language for sure.
| tptacek wrote:
| Interesting! (I initially read this backwards and thought
| you were saying they did have an NDA).
| [deleted]
| jsjohnst wrote:
| > by definition, a subpoena is a document authorized by
| someone other than a judge
|
| Uhm, am I misunderstanding what you wrote, because that is
| definitely not true. Subpoenas require an officer of the
| court by definition (in the US anyway), which can be a judge,
| a court clerk, or even lawyers in some jurisdictions.
| tptacek wrote:
| Can a court clerk or a lawyer unilaterally create a
| nondisclosure requirement? It is not generally the case
| that a lawyer, absent a judge, can send you a document
| you're not allowed to disclose (though certainly lots of
| C&D's try to suggest otherwise).
|
| I'm sure the NDA stuff here is ironclad! I'm just curious
| what the mechanism is.
| jsjohnst wrote:
| > Can a court clerk or a lawyer unilaterally create a
| nondisclosure requirement?
|
| If they are acting as an officer of the court, which
| they'd need to be to sign off on a subpoena, I believe
| the answer is yes. The mechanism is called a "gag order".
| tptacek wrote:
| For subpoenas authorized under the Stored Communications
| Act, there's statutory authorization for DOJ to request
| time-limited NDAs, which makes me wonder if there needs
| to be explicit authorization for other kinds of
| subpoenas. This is the kind of noodling I'm doing here;
| I'm not trying to message-board my way to a first-
| principles argument that the NDA was bogus. :)
| lazide wrote:
| It's very common for a subpoena related to an ongoing
| investigation to include a gag order. For instance, if
| someone is investigating someone for a crime, and
| requests that user's search history, the last thing they
| want is for Google et al to alert the user that this
| happened, as they may not be ready to arrest them yet and
| the target would flee.
|
| Same with wiretapping orders, or frankly a subpoena for
| pretty much anything from a third party.
| jacquesm wrote:
| I don't follow you, which NDA?
| vdqtp3 wrote:
| > Subpoenas require an officer of the court
|
| That's not entirely true.
|
| https://en.wikipedia.org/wiki/Administrative_subpoena
|
| Local organizations have come up with equivalents, although
| there is less (no?) statutory support for that.
| toast0 wrote:
| The users themselves already know their own usernames,
| presumably. They could let the users know they were subpoenaed
| without letting them know their username. :P
| shadowgovt wrote:
| That, or they have reason to believe the investigation is
| legitimate and they would prefer not to hinder it.
| jacquesm wrote:
| They say very explicitly that they do not know what it was
| about.
| shadowgovt wrote:
| There's a wide gulf between concrete knowledge and belief.
|
| I see an ambulance going lights-and-sirens behind me. I
| don't _know_ they're on their way to or from a hospital,
| but I pull over because I have reason to believe they are.
| junon wrote:
| Weird analogy. An ambulance has a very narrow scope of
| responsibility. Legal processes have a very wide scope.
| Clearly this is related to a legal matter and not an
| immediate medical matter. But the nature of the legal
| matter could be a _very_ wide variety of things, ranging
| from lower court civil proceedings up to treason, etc.
| CodesInChaos wrote:
| They only wrote that they weren't told what it was about.
| However it might be obvious from the packages uploaded by
| those users (e.g. if they uploaded malware).
| weaksauce wrote:
| they have five usernames... that can narrow down what
| projects they were associated with pretty quickly to infer
| if there was something nefarious about them. though it
| could be entirely unrelated to their activity on pypi and
| be a trawl for leads based on username similarity from some
| other messageboard or activity that was used for
| illegality. though, thinking about it more, that seems
| legally dubious a reason to be able to get a subpoena
| issued for. ianal
| avgcorrection wrote:
| > The privacy of PyPI users is of utmost concern to PSF and the
| PyPI Administrators, and we are committed to protecting user data
| from disclosure whenever possible.
|
| Don't lead with this.
|
| > In this case, however, PSF determined with the advice of
| counsel that our only course of action was to provide the
| requested data.
|
| If you're going to say this.
|
| I'm not judging their decision. Maybe not going to prison is a
| greater concern to them. It's fine to just say that you thought
| it was best to comply because [lawyer reasons that you don't have
| to disclose to anyone]/ _counsel_.
|
| EDIT: Or say "there are bad people out there and we trust the
| DOJ". Whatever.
| tptacek wrote:
| Lighten up. Nobody's going to federal court to stop the DOJ
| from investigating botnets, carding rings, and ransomware
| scams, which is what these things are usually about. Nobody's
| mental model of PyPI was that they had Signal's priorities.
| mrguyorama wrote:
| Then they shouldn't say protecting their users is their top
| priority, because they have shown it is not. That's called
| lying. A correct statement would have been "we will comply
| with lawful LEO requests".
| junon wrote:
| How have they shown it's not, exactly? Really curious what
| you think they could have done better aside from blatantly
| going against laws in their jurisdiction.
| adamckay wrote:
| There's a difference between abiding by lawful court orders
| that have gone through judicial process and a friend in a
| police department calling in a favour.
| x0x0 wrote:
| Helping convict scammers, typo-squatters injecting
| malicious code, etc _is_ protecting their users. Just not
| the (likely) bad actors that are the subject of the
| subpoenas.
| hgsgm wrote:
| The fact remains, that unless you are willing to break
| the law, obeying the law is your top priority.
| junon wrote:
| If you're so inclined, you're welcome to make an anarcho-
| oriented package management system yourself. PyPi has
| never claimed to be one, though.
| [deleted]
| avgcorrection wrote:
| Then all the less reason to roll out the "of utmost
| importance" boilerplate. So what's your point?
|
| Also I don't see how being light-hearted has anything to do
| with this submission, Thomas.
| davidguetta wrote:
| It's just that they have no choice. And when they do, they
| choose their "utmost priority". It's not that complicated.
| paulgb wrote:
| It's a completely reasonable reading of their message to assume
| that the "possible" in "whenever possible" roughly means
| "legal". I don't think any reasonable reading of it means to
| imply that they are willing to violate federal law.
| HelloNurse wrote:
| sudo give us user data
| avgcorrection wrote:
| Fair point.
| Mystery-Machine wrote:
| One way to protect user data is to NOT ask for/collect data in
| the first place. What's the need for a person's full name and
| address? Maybe I'm missing the point, but I see zero
| reasons to have this data in the first place.
| [deleted]
| dubbel wrote:
| You are probably reading what data the DoJ requested.
| Further down in the blogpost (in the "Details" section)
| they state that they don't have a lot of the data
| requested and exactly what kind of data they could and
| did provide. Addresses are not requested by PyPI.
| junon wrote:
| And they state very clearly they don't have this
| information. In fact, PyPi seems to retain a very
| reasonable set of information, strictly related to the
| service itself. I found this disclosure to be entirely
| refreshing.
| masto wrote:
| If you read the whole thing, it's pretty clear they don't
| have the person's full name and address, and thus did not
| provide it. They do mention that it will be needed for
| organizations that sign up for billing when that feature
| becomes available.
|
| Other than possibly IP addresses, it seems like the only
| information they had available to disclose was close to
| the bare minimum needed to operate the service.
| avgcorrection wrote:
| That's the best principle to follow. Agreed.
| duxup wrote:
| I don't see anything conflicting in what they said.
|
| They can feel that way, and comply.
| avgcorrection wrote:
| Yeah. I was probably being a little too boilerplate (what
| looked like) -intolerant. ;)
| rektide wrote:
| It'd be lovely to see better patterns emerge to aggregate and/or
| anonymize data.
|
| Great respect for the response. Reevaluating data retention is a
| great move.
| jupp0r wrote:
| "9. IP download logs of any Python Package Index (PyPI) packages
| uploaded by the given usernames"
|
| This was the point where I was wondering if this is really about
| some malicious packages or something more along the lines of
| copyright infringement software.
| femto113 wrote:
| This definitely seems like a significant element of the ask,
| but for any popular package a list of all the downloaders would
| be pretty overwhelming in size (and I think of very limited
| utility). I'm guessing that some versions of some more obscure
| package(s) were identified as being used in an attack and
| they're either trying to identify potential attackers or other
| victims (or both) of that attack.
|
| From a 2021 article[1] about packages used to deliver malware
| "we have alerted PyPI about the existence of the malicious
| packages which promptly removed them. Based on data from
| pepy.tech, we estimate the malicious packages were downloaded
| about 30,000 times."
|
| For comparison yt-dlp has tens of millions of total downloads
| and gets downloaded over 70,000 times every day [2]
|
| [1] https://jfrog.com/blog/malicious-pypi-packages-stealing-
| cred...
|
| [2] https://pepy.tech/project/yt-dlp
| NelsonMinar wrote:
| Total speculation on my part but PyPI hosts yt-dlp, the
| unauthorized video downloader. https://pypi.org/project/yt-dlp/
| WhyNotHugo wrote:
| Unlikely, due to:
|
| > "Records of all Python Package Index (PyPI) packages uploaded
| by..." given usernames
|
| > "IP download logs of any Python Package Index (PyPI) packages
| uploaded by..." given usernames
|
| I don't think they'd want a list of packages uploaded by a
| given user if they were after yt-dlp devs. They'd be asking for
| a list of maintainers of a given package.
| phkahler wrote:
| Thanks, I was wondering what it might be about. That makes some
| sense.
| schleck8 wrote:
| No it doesn't. No one at the government level gives a shit
| about a youtube downloader package; typosquatting would be
| way more likely. Pypi is riddled with malware AFAIK, they
| don't really moderate it.
| ed25519FUUU wrote:
| If yt-dlp was illegal the first thing they'd do is a takedown
| request, not a subpoena but leave it online.
| [deleted]
| vore wrote:
| I would think the government has bigger fish to fry than to
| spend time subpoenaing yt-dlp.
| Sparkyte wrote:
| I wouldn't be surprised if it was more of AI based
| impersonation stuff. AI in the government is big because
| people can use it to impersonate people as a form of identity
| fraud.
| [deleted]
| dual_dingo wrote:
| Not a US citizen, but "The government" is a wide term and
| any law enforcement agency would fit this, including the ones
| that are responsible to deal with things like copyright
| enforcement - that's exactly the type of fish they exist to
| fry ...
| vore wrote:
| Given the discussion around how lacking PyPI supply chain
| security is, how juicy of a target it is for attackers, and
| how critical infrastructure is probably relying on PyPI,
| yt-dlp is the last thing on my mind.
| ChuckMcM wrote:
| FYI for non US readers ...
|
| In the US, subpoenas come from the Justice Department
| (either state or federal depending on the crime for which
| evidence is being sought). The court that issued the
| subpoena is on it, and the person or entity being served,
| has the right to see _why_ some government agency felt it
| could aid in the uncovering of a crime that had _already_
| been committed. The person or entity then has the
| opportunity to challenge that in court prior to complying
| with it. This is sometimes informally called "quashing the
| subpoena." From my sister-in-law who is a defense attorney,
| the most common result of challenging a subpoena is to get
| what it asks for narrowed down to just what is plausibly
| responsive.
|
| In the article, this response: _As a result we are
| currently developing new data retention and disclosure
| policies. These policies will relate to our procedures for
| future government data requests, how and for what duration
| we store personally identifiable information such as user
| access records, and policies that make these explicit for
| our users and community._ is good practice for limiting
| what a subpoena can request (you can't give what you don't
| have).
|
| At Blekko we logged access records in such a way that we
| could use PII for 48 hours and then it was deleted. The
| CTO, Greg Lindahl, is a huge privacy advocate and this sort
| of architecture made it possible to get information to
| improve our ranking and service without compromising
| people's privacy. In practice I don't think any agency
| could go from "we have a suspect" to "issue a subpoena" in
| 48 hrs so it was a useful way for us to stay out of the
| crosshairs. The most interesting event was the FBI asking
| for information on IP addresses that had accessed their
| honeypot CSAM site. That turned out to be some of the
| machines in the crawling cluster. Given that the site was
| outside the crawl "horizon" and didn't rank (very few sites
| linked to it) it didn't even make it into the cache for
| rank analysis. But in that case the turn around time was
| impressive. Of course that is because they were just using
| their own logs to generate subpoena requests.
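The 48-hour window described in the post above, as an added example (not Blekko's or PyPI's code): access records carry the client IP only for PII_TTL, a scrub pass clears it afterward, and only a per-package, per-day download count survives; the package name and IP addresses are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption for this illustration: the client IP is the only PII in an
# access record, and the per-day download count (no IP) may be kept for
# service metrics indefinitely.
PII_TTL = timedelta(hours=48)


@dataclass
class AccessRecord:
    ts: datetime
    client_ip: Optional[str]   # cleared once the record is older than PII_TTL
    package: str


class AccessLog:
    def __init__(self) -> None:
        self.records: list[AccessRecord] = []
        self.daily_counts: dict[tuple[str, str], int] = {}

    def ingest(self, rec: AccessRecord) -> None:
        """Store the raw record and update the non-identifying aggregate."""
        self.records.append(rec)
        key = (rec.ts.date().isoformat(), rec.package)
        self.daily_counts[key] = self.daily_counts.get(key, 0) + 1

    def scrub_expired(self, now: datetime) -> int:
        """Drop the IP from every record older than PII_TTL; return how many."""
        cutoff = now - PII_TTL
        scrubbed = 0
        for rec in self.records:
            if rec.client_ip is not None and rec.ts < cutoff:
                rec.client_ip = None
                scrubbed += 1
        return scrubbed

    def disclosable_ips(self, package: str, now: datetime) -> list[str]:
        """IPs still on file for `package`: the most any data request could get."""
        self.scrub_expired(now)  # enforce the window before answering anything
        return sorted({r.client_ip for r in self.records
                       if r.package == package and r.client_ip is not None})


def demo() -> tuple[list[str], list[str], int]:
    """Constructed sample: three downloads of 'examplepkg' spread over four days."""
    t0 = datetime(2023, 5, 20, 12, 0, tzinfo=timezone.utc)
    log = AccessLog()
    log.ingest(AccessRecord(t0, "192.0.2.10", "examplepkg"))                      # day 0
    log.ingest(AccessRecord(t0 + timedelta(days=1), "192.0.2.11", "examplepkg"))  # day 1
    # A request arriving an hour into day 1 still sees both downloads.
    early = log.disclosable_ips("examplepkg", t0 + timedelta(days=1, hours=1))
    log.ingest(AccessRecord(t0 + timedelta(days=3), "192.0.2.12", "examplepkg"))  # day 3
    # The same request on day 4 gets only the download still inside the window;
    # the earlier IPs are gone for good, but the counts remain.
    late = log.disclosable_ips("examplepkg", t0 + timedelta(days=4))
    total = sum(n for (_, pkg), n in log.daily_counts.items() if pkg == "examplepkg")
    return early, late, total
```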
| throwaway09223 wrote:
| Google is a pretty big fish themselves.
|
| What usually happens is the large corporation lays out a case
| like "yt-dlp is responsible for billions in damages" and they
| press the DOJ to investigate and prosecute.
| sp332 wrote:
| While copyright infringement is usually a civil matter, there
| are times the DoJ gets involved. They even got a guy
| sentenced to jail for it in 2018.
| https://www.justice.gov/usao-ndga/pr/owner-sharebeastcom-
| sen...
| sam0x17 wrote:
| One would think that yes.... but this is the U.S. :/
| lazide wrote:
| The FBI has its own 'copyright enforcement' division whose
| sole job is enforcing copyright, and which has its own
| dedicated funding.
|
| [https://archives.fbi.gov/archives/news/testimony/intellectua
| ...]
| RobotToaster wrote:
| Isn't copyright infringement a tort not a crime? Why is the
| FBI involved at all?
| qingcharles wrote:
| Depends on the level of infringement generally.
| lazide wrote:
| [https://www.justice.gov/archives/jm/criminal-resource-
| manual...]
|
| There is an applicable federal criminal law.
| slenk wrote:
| yt-dlp is everywhere - why would they go after pypi and not the
| source at https://github.com/yt-dlp/yt-dlp
| CarbonCycles wrote:
| What an odd article and release statement. It's almost as if
| they're signaling w-out literally signaling the parties of
| interest.
|
| Surprised the doj didn't issue any gag orders.
| rossdavidh wrote:
| One gets the impression that this was an artfully crafted way
| around the specifics of the gag order, to disclose whatever
| wasn't specifically prohibited by it. IANAL.
| throwaway_13140 wrote:
| Exactly. I guess the transparency is nice but at what point are
| you potentially helping someone cover their tracks who may or
| may not actually deserve that help?
| rolph wrote:
| [In March and April 2023, the Python Software Foundation (PSF)
| received three (3) subpoenas for PyPI user data. All three
| subpoenas were issued by the United States Department of Justice.
| The PSF was not provided with context on the legal circumstances
| surrounding these subpoenas. In total, user data related to five
| (5) PyPI usernames were requested.]
|
| either a small group of users, or one user with multiple aliases
| wrote a nastyapp?
| cubefox wrote:
| Apparently no plans to set up a canary.
| jrockway wrote:
| Is there any precedent for people not facing legal consequences
| for failing to update the canary? The subpoena probably says
| "and also update your warrant canary to say there were no legal
| requests." Now you're in contempt of court and in jail for 5
| years while you wait for your "compelled speech" case to go to
| the Supreme Court.
|
| In general, I think it usually goes poorly when programmers
| invent clever legal workarounds. The legal system isn't a
| computer program. It's guys with guns.
| JohnFen wrote:
| > The subpoena probably says "and also update your warrant
| canary to say there were no legal requests."
|
| I think that would be outside what can be done with a
| subpoena. It would require a court order.
| buildbot wrote:
| Isn't the idea that the (US) government can't (technically)
| compel you to lie?
| tptacek wrote:
| The US compels certain kinds of speech all the time.
| dwheeler wrote:
| The US government is not compelling speech, it's
| compelling PyPI to accurately reveal to the US government
| the contents of past speech that PyPI has access to.
| Compelling disclosure of certain kinds of data, when it's
| known, is a normal part of legal actions in the US and
| probably elsewhere.
| mrguyorama wrote:
| You can beat the rap but not the arrest.
| waselighis wrote:
| I would think there are certain situations where a person
| might be compelled to lie, such as if you have a security
| clearance, have signed an NDA, or are acting as an
| informant. That is, a person may have to lie to prevent
| divulging classified or secret information through
| implication.
|
| EDIT: One situation where the government cannot compel you
| to lie is if it violates your fifth amendment rights (self
| incrimination).
| sigstoat wrote:
| those are all things you actively agreed to, in advance,
| in exchange for some sort of consideration (job, not
| going to jail for illegal things you've already done,
| etc)
| rossdavidh wrote:
| I have never heard any legally competent source say that
| the U.S. government cannot (with warrant or whatever)
| compel you to lie. I'm pretty sure that, in the case of a
| canary, they can.
| User23 wrote:
| The process is the punishment.
| linsomniac wrote:
| "Just because you're right doesn't mean you won't go
| bankrupt in a court of law proving it."
| dennis_jeeves1 wrote:
| That's real world wisdom...
| short_sells_poo wrote:
| That may be the case but if the cost of testing it is 5
| years in jail while the case works its way through the
| courts, few people will be willing to rely on it.
| EatingWithForks wrote:
| The better question is: are you (or PyPI in this case)
| interested in a legal tussle with the US Gov?
| bitxbitxbitcoin wrote:
| Exactly. Warrant canaries are security theatre.
| actionfromafar wrote:
| Not always, if the entity has a stance to uphold and the
| money to fight back, it doesn't have to be.
|
| If a mom-and-pop shop or open source org, it's a faint hope
| at best.
| burnished wrote:
| Can a subpoena stipulate that?
| redox99 wrote:
| Can you provide any evidence of the US forcing someone to
| update their canary?
| snapcaster wrote:
| How would one even observe this evidence?
| metiscus wrote:
| The only way I can think of would be that after the case
| has ended it may be possible for a party who had been
| directed to update a canary under a court order to notify
| people that they had done that. It would probably depend
| on the court etc and I am not a lawyer.
| woodruffw wrote:
| I don't understand (genuinely, I'd like to!) what a warrant
| canary would have done here: this was a subpoena, not a
| warrant, and PyPI is a public package index.
| cubefox wrote:
| I'm obviously talking about a subpoena canary.
| Zetice wrote:
| If you can just say, "We got subpoenaed" in a blog post, isn't
| that even more effective than a canary would be?
| cubefox wrote:
| There was a delay.
| caturopath wrote:
| Canaries would be for times when they couldn't legally say
| that.
| waselighis wrote:
| Long ago, Apple included a warrant canary in their transparency
| report. One day, it disappeared. Nothing came of it.
|
| https://www.theverge.com/2014/9/18/6409575/apple-warrant-can...
|
| The problem with a warrant canary is there's too much doubt
| about why it disappeared. Did they actually receive a warrant,
| or is it just a decision from corporate to discontinue the
| practice?
| cubefox wrote:
| There can be some doubt, but too much?
| actionfromafar wrote:
| A decision from corporate to discontinue is also a signal.
| DANmode wrote:
| > why it disappeared
|
| The result is the same.
| tptacek wrote:
| Canaries probably don't work, which makes them worse than
| theater.
| skullone wrote:
| Why would they? It's a public repository, nothing confidential
| or private
| JohnFen wrote:
| Account details are confidential and private.
| __MatrixMan__ wrote:
| Kudos to PyPI for handling this professionally.
|
| That said, I think we should be working towards a world where
| they're unnecessary. As a middle party to what ought to be a
| developer/developer trust relationship, they're attack surface
| that threatens depender sometimes and dependee other times.
|
| Going peer-to-peer will be less convenient, but worth the
| investment in the long run.
| ChrisMarshallNY wrote:
| That's an excellent transparency report.
| [deleted]
| LordShredda wrote:
| I'm guessing some poor typosquatter managed to hit a gov agency
| and is about to get alphabet soup all over him.
| paulddraper wrote:
| > poor typosquatter
|
| :/
| fmajid wrote:
| More likely it is DRM-cracking packages.
| eur0pa wrote:
| That or fairly unlucky bug bounty hunters
| [deleted]
| nonrepeating wrote:
| "Get alphabet soup all over him"
|
| This is my new favorite alternative to "vanned" (or "v&")
| tenpies wrote:
| > "vanned" (or "v&")
|
| Also note that the noun associated with being "vanned" would
| be a "party van", not just a "van".
|
| To be vanned/V& is to have the glowies inside the party van
| take the vanned party away.
|
| https://knowyourmeme.com/memes/4chan-party-van
| the_jesus_villa wrote:
| lots of nostalgia for partyvan.org during the chanology
| days
| flyinghamster wrote:
| I think I'm gonna snarf that one too. It's just too good.
| techbro92 wrote:
| Think I'm gonna snarf snarf. Actually I just looked it up
| and apparently that word means to eat or drink greedily.
| Not sure why you used it here
| GrinningFool wrote:
| Also, https://en.wikipedia.org/wiki/Snarf_(ThunderCats)
| codetrotter wrote:
| https://youtu.be/ikiuMXuueL4
| nonethewiser wrote:
| Well you certainly snarfed it up
| pjbeam wrote:
| As in eagerly consume into poster's lexicon I think.
| lagniappe wrote:
| it means copy http://acme.cat-v.org/readme
| MisterTea wrote:
| All of plan 9 uses "snarf" in place of "copy".
| techbro92 wrote:
| Wow, that's insane
| labster wrote:
| Do they follow the Berne Convention on Snarfright?
| valleyer wrote:
| http://www.catb.org/jargon/html/S/snarf.html
| [deleted]
___________________________________________________________________
(page generated 2023-05-24 23:00 UTC)