[HN Gopher] PyPI Was Subpoenaed
Author : quercusa
Score : 661 points
Date : 2023-05-24 17:28 UTC (5 hours ago)
Web link: blog.pypi.org
| kjkjadksj wrote:
| I don't understand how the information requested is relevant at all for any purpose. Most users of pypi merely download through pip; they aren't registering anything. Furthermore, I would think a bad actor who would register would spoof their ip and use burner accounts anyhow.
| caturopath wrote:
| > Most users of pypi
| 
| Presumably the 5 users in question were interesting in some way, not just random.
| 
| > I would think a bad actor who would register would spoof their ip and use burner accounts anyhow
| 
| Maybe, but they could find that out with the information. If there's a 10% chance each was sloppy or un-paranoid, there's a 40% chance they get at least one piece of real info.
| 
| The person might not have thought they were doing anything wrong. Some judge might have greenlit this for a piracy case against the five maintainers of youtube_dl{c} or something silly.
| buildbot wrote:
| Correlating IP address use to something else happening at the same time? Like a malware author being incredibly dumb and using their home IP to upload PyPI packages, while IDK, using that same IP as a C&C server endpoint.
| shadowgovt wrote:
| They may not even need to have slipped up and direct-connected via their home IP. The FBI has sufficiently compromised subsets of Tor in the past to do correlative attacks on specific targets.
| scrum-treats wrote:
| It would be great to see this for VS Code extensions as well.
| aa_is_op wrote:
| By the number of malicious packages that site has hosted over the past few months, this was only a matter of time.
| 
| I've lost track of the number of "white hats" that contact us with extortion requests after they used some dependency confusion attack.
| Mystery-Machine wrote:
| Why is it an extortion request and "white hats" if they have successfully found a security issue in your project and reported it to you, without actually exploiting it? Would you rather them not report it to you or even worse, exploit it?
| JadeNB wrote:
| > Why is it an extortion request and "white hats" if they have successfully found a security issue in your project and reported it to you, without actually exploiting it?
| 
| Presumably because there is some demand for compensation before disclosure?
| dahwolf wrote:
| "Pay me or I will harm you" is extortion, as simple as that.
| 
| There's an entire industry now of people that check known vulnerabilities (so they don't invent anything themselves) in software/packages and cross check this against outdated websites, at a very large scale.
| 
| They have no morals or security ethics, they barely even have knowledge, they just want to make money with the least amount of effort possible.
| 
| Don't ever pay them a cent. They're just as ruthless as spammers.
| autoexec wrote:
| If several groups of people who "barely even have knowledge" can profit from checking for well known vulnerabilities on websites and reporting them I say more power to them.
| 
| If there is an entire industry of people doing low effort work which then discovers vulnerabilities on a company's website that company should pay them, and probably fire some people they've already been paying for not putting in even that much effort to secure their own stuff.
| 
| Who is less ethical? The people reporting vulnerabilities and wanting to be paid for it or the companies who don't bother to invest in even basic security practices putting people's data at risk and allowing scammers and hackers to leverage those insecure systems to hurt others?
| dahwolf wrote:
| The word "companies" is doing a lot of work in your rant.
| 
| The vast majority of websites on the internet do not have a team behind them. That's exactly the reason why they lack maintenance.
| 
| So they're not intimidating well-funded companies, they're intimidating that nice guy that in 2003 built a website for the local bridge club. Volunteering his time and money to do so.
| cjsawyer wrote:
| Sounds like they're the ones who implemented the bad code in the first place, as a honeypot. That's just extortion with extra steps.
| passion__desire wrote:
| Why can't PyPI safeguard popular packages by making sure that new packages are few (4 or 5) edit-distance away to make sure popular ones don't get intermixed with malicious packages. Is that difficult to implement?
| rocqua wrote:
| pip-env, pipe, pipes, sip, siv, lipo, etc. are all within an edit distance of 4 from pip, and would all be blocked.
| 
| Besides, 'dependency confusion' is not typo-squatting at all. It is about having a public package that masks the name of a private package repo. The default behavior of pip is to then use the public repo, which can let outsiders who know internal package names totally take over those internal packages.
| accrual wrote:
| Is it still "white hat" if money or a transaction is involved? My understanding is it's either black hat, the exploit is sold for money. Red team, you paid to be exploited for your own benefit. Or white hat, an exploit was found and it's communicated to limit black hat and red team. White hat + money would just be gray hat or blackmail.
| rocqua wrote:
| White hats can still get bug-bounties. Though if a company hasn't published such a bounty and a hat 'extorts' the bounty by demanding payment or else they will publish, that hat has a tint of grey.
| hajimuz wrote:
| Dude I thought it's Chinese Gov. Hey, America!!!
| rendx wrote:
| Way too much unnecessary data collected and stored as usual.
| But one of the best transparency reports ever. Thanks PyPI!
| tomjen3 wrote:
| > We will not be releasing the usernames involved publicly or to the users themselves.
| 
| They point out that they are not subject to a gag order.
| buildbot wrote:
| Yeah this is interesting, because they could in absence of the gag order but choose not to. Unless it's not a gag order but a specific don't tell these users anything?
| stjohnswarts wrote:
| I doubt any investigators worth their salt would let the people they're investigating know that they are investigating them before they're ready to charge them.
| svaha1728 wrote:
| If it takes subpoenas to get package management fixed in Python so be it. Can the Rust Crates.io team take over Python management as well?
| firstlink wrote:
| > associated with the subpoenas received in March and April 2023.
| 
| Oddly specific wording there. It would seem they have received additional subpoenas outside that timeframe which do have gag orders, and someone slipped up and failed to put the gag orders in these particular subpoenas.
| 
| Seems like the DOJ may be doing some long-term fishing for, what, software developers? First the DOJ came for the conservatives, and I said, "go get 'em!" because I wasn't a conservative; next the DOJ came for ____?
| burnished wrote:
| Step one: have position and power as part of a dominant group
| 
| Step two: style yourself as an oppressed minority
| 
| Step three: defend any action, decision, or position as a persecuted martyr
| bratbag wrote:
| It's interesting how you manage to leap from what is probably a supply chain attack investigation straight into a pErSeCuTeD CoNsErVaTeS conspiracy.
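The two technical points rocqua makes further up the thread (an edit-distance rule on new package names blocks far more legitimate names than typo-squats, and dependency confusion is a different failure from typo-squatting) are easier to see in code. What follows is an added example for this page, not code from the thread, from PyPI or from pip. The package names, the two indexes and their version numbers are constructed sample data; `pick_candidate` is a deliberately simplified model of the behaviour rocqua describes (pip treats `--index-url` and `--extra-index-url` as peers and takes the highest version from either), not pip's actual resolver. The distance is plain Levenshtein distance and name normalization follows PEP 503, so `Acme_Billing`, `acme.billing` and `acme-billing` are the same project.

```python
import re

# Constructed sample data for this example; none of these are claims about real PyPI projects.
SAMPLE_NAMES = ["pip-env", "pipe", "pipes", "sip", "siv", "lipo", "requests"]
PRIVATE_NAMES = ["Acme_Billing", "acme-internal-utils", "acme.auth"]  # names only published internally
PRIVATE_INDEX = {"acme-billing": ["1.4.0"], "acme-internal-utils": ["0.3.1"], "acme-auth": ["2.0.0"]}
PUBLIC_INDEX = {"acme-billing": ["99.0.0"], "acme-internal-utils": ["1.0.0"], "requests": ["2.31.0"]}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # keep or substitute
        prev = cur
    return prev[-1]


def names_within(target: str, candidates, max_dist: int) -> list:
    """Every candidate a registration rule with threshold max_dist would refuse."""
    return sorted(n for n in candidates if edit_distance(n, target) <= max_dist)


def normalize(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' collapse to '-', then lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def confusable(private_names, public_index) -> list:
    """Private names that also resolve on the public index: dependency-confusion exposure."""
    public = {normalize(n) for n in public_index}
    return sorted(n for n in private_names if normalize(n) in public)


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def pick_candidate(name: str, indexes: dict):
    """Simplified model of pip with several indexes configured (--index-url plus
    --extra-index-url): the indexes are peers and the highest version wins,
    whichever index served it. Returns (index_label, version) or None."""
    candidates = []
    for label, index in indexes.items():
        for v in index.get(normalize(name), []):
            candidates.append((parse_version(v), label, v))
    if not candidates:
        return None
    _, label, v = max(candidates)
    return label, v


if __name__ == "__main__":
    print(names_within("pip", SAMPLE_NAMES, 4))      # six of the seven names would be blocked
    print(confusable(PRIVATE_NAMES, PUBLIC_INDEX))   # the two private names anyone could claim publicly
    both = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}
    print(pick_candidate("Acme_Billing", both))      # ('public', '99.0.0'): the takeover
    print(pick_candidate("Acme_Billing", {"private": PRIVATE_INDEX}))  # ('private', '1.4.0')
```

The last two calls show the fix next to the problem: when the private index is the only index pip is given (a private proxy that does not fall back to PyPI for unknown names), the public 99.0.0 is never a candidate. Pinning with `--require-hashes` closes the same hole from the other side, since a hijacked upload cannot match the recorded digest.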
| metiscus wrote:
| Across the ages, government has applied a disproportionate level of scrutiny to groups and people perceived as dissidents, minorities, and anyone else who could potentially be conceived as a threat to institutional power regardless of the magnitude of the threat or if that threat is true or false. Historically this is a bipartisan issue, for decades the FBI vigorously attacked anti-war groups, black civil rights groups, and various left wing groups via COINTELPRO. I guess to summarize, the way I think of it is that the government is coming for anyone they see as a potential threat and it doesn't matter what the politics of that group are.
| wongarsu wrote:
| > We have waited for the string of subpoenas to subside, though we were committed from the beginning to write and publish this post as a matter of transparency, and as allowed by the lack of a non-disclosure order associated with the subpoenas received in March and April 2023.
| 
| That's suspiciously specific. Sounds to me like they also received some other subpoenas they aren't allowed to talk about.
| VWWHFSfQ wrote:
| I think it just sounds like the three subpoenas they received
| wongarsu wrote:
| I'm not sure I'd call three subpoenas "a string of subpoenas" even if it's technically correct. But I'm more talking about specifically mentioning that the subpoenas from March and April 2023 don't have a gag order. Why mention those months specifically if in the other months they didn't receive any? The natural thing would have been to end the sentence six words earlier.
| dragonwriter wrote:
| > I'm not sure I'd call three subpoenas "a string of subpoenas" even if it's technically correct
| 
| I would if the sequence was such that the receipt of each of the subsequent ones delayed writeup of the overall incident in the interest of completeness or because there was some relationship between them
| 
| > the subpoenas from March and April 2023 don't have a gag order. Why mention those months specifically if in the other months they didn't receive any?
| 
| Because you are doing an aggregate writeup of a series of events and you want to convey when they occurred and why you are able to do a detailed writeup.
| florbo wrote:
| It sounds more like they're addressing the inevitable "why didn't you post as soon as it happened" party.
| Eisenstein wrote:
| It is perfectly clear that you are correct because trying to tell anyone about confidential subpoenas could be illegal.
| hunter2_ wrote:
| When it requires so much "reading between the lines" that even this community doesn't have a strong consensus on whether this is being (illegally) communicated or not, I think it's plausibly deniable, but IANAL. Contrast with well-known canaries.
| dragonwriter wrote:
| > That's suspiciously specific. Sounds to me like they also received some other subpoenas they aren't allowed to talk about.
| 
| It could be, it could also be that they were trying to communicate both the timing of the subpoena string and why they are able to talk about it, and there aren't any others.
| samanator wrote:
| Yep, I was thinking the same thing. What a beautiful way of communicating that.
| tapoxi wrote:
| Sounds like they got a National Security Letter.
| bredren wrote:
| Does not need to be an NSL to have a non-disclosure attached. Could be a relatively minor (not very spooky) federal investigation.
| ajsnigrutin wrote:
| How does that work in combination with freedom of speech?
| Is it one of those cases, where someone has to be brave/foolish enough to disobey and take it to the supreme court?
| mike_d wrote:
| > How does that work in combination with freedom of speech?
| 
| The government is not preventing you from expressing your free thoughts and opinions. They are compelling you to not disclose the details of something you had no knowledge of before they asked you about it.
| 
| Nothing is stopping you from writing a blog post about how it is unfair to seek records of a potential criminal, but you cannot write about how it is unfair to seek the records of Bob Jones when you had no other reason to believe Bob was anything but a regular user.
| itronitron wrote:
| But you could post a unique blog post such as that about every one of your users.
| mywittyname wrote:
| A judge signed off on it. Which means that the State made a case for the subpoena to include a non-disclosure.
| autoexec wrote:
| I'm going to go ahead and guess "signed off on" was more like "rubber stamped"
| tracker1 wrote:
| Most likely... but the party who was served the order can file for appeal if they are willing to go that route. That said, it doesn't mean any such appeal will favor the party served the gag order.
| amethyst wrote:
| > I have not received a National Security Letter.
| 
| source: https://durbin.ee/ as of Wed, May 24 at 1:45 PM PDT
| Loquebantur wrote:
| What a weird way to think about such events.
| 
| Such subpoenas are clandestine surveillance of citizens by their state. The problem with such types of surveillance in particular is the lack of accountability.
| 
| How does the ethical use of this problematic tool get ascertained? Where and how is the democratic oversight implemented? How is misuse treated and prevented?
| whitemary wrote:
| > _Where and how is the democratic oversight implemented?_
| 
| What democratic oversight? This is the United States we're talking about lol.
| blibble wrote:
| as a foreigner (in terms of the US), I've never understood how these gag orders are compatible with the First Amendment
| 
| often there's posts on HN about how the UK and all other Western European countries are totalitarian because they don't have unrestricted free speech
| 
| but then apparently the police (FBI) can restrict the free speech of Americans without any court involvement at all?
| 
| I really don't understand
| xupybd wrote:
| I don't like these gag orders but I can see times when they are needed. Each person has a right to a fair trial. So the courts sometimes have to suppress information from the public to avoid potential jurors seeing information about the case. They must only judge guilt based on what they hear in court not in the media.
| yrnameer wrote:
| There are plenty of laws that aren't compatible with our constitution. Judges will laugh a lawyer out of the courtroom who uses constitutional arguments, and your case will go nowhere.
| [deleted]
| komon wrote:
| Well, due process is a right co-equal to free speech, so which rights override which others in which circumstances will come down to legal precedent.
| 
| My understanding is that the FBI or other non-judicial body cannot unilaterally issue a gag order. Subpoenas and gag orders related to them are granted by judges.
| 
| (Which isn't to say that the relationship between the judicial branch and law enforcement bodies is always pure and equal)
| patrick451 wrote:
| They aren't compatible with the first amendment. But at this point, those rights are a joke and all three branches of our government regard the constitution as toilet paper.
| jakeinspace wrote:
| Gag orders do require a court, just not a jury or an open hearing. I agree that they should be unconstitutional.
| [deleted]
| make3 wrote:
| the fbi is overseen by elected officials, and by laws that were voted for it.
| it's not perfect but that still makes a huge difference.
| bboygravity wrote:
| That explains the whole Trump Russia ties investigation by the FBI I guess?
| 
| Doesn't seem too healthy for any nation that is supposedly democratic?
| Loquebantur wrote:
| Look at this thread.
| 
| People engage in childish fantasies featuring themselves in imaginary subversive behavior.
| 
| It's unresolvable cognitive dissonance leading to repressing and reinterpreting the cause.
| wolverine876 wrote:
| Civil rights, including those in the First Amendment, are not absolute. Regarding speech, you also can't harass people, threaten them, defraud them, incite violence, distribute copyrighted information that isn't yours, interfere with others' activities (sing loudly in a movie theater), etc. Private entities such as your employer can restrict your speech in many ways.
| 
| > often there's posts on HN about how the UK and all other Western European countries are totalitarian because they don't have unrestricted free speech
| 
| I haven't seen these posts. Do you have an example handy?
| blibble wrote:
| > I haven't seen these posts. Do you have an example handy?
| 
| here's one from earlier in the week: https://news.ycombinator.com/item?id=36000459
| 
| they're pretty common, here's another one: https://news.ycombinator.com/item?id=35617773
| weinzierl wrote:
| Then following up on blibble's question: What _is_ the difference to the UK and other western countries that mostly also have free speech with what looks to me very similar restrictions?
| 
| Honest question, like blibble, I don't really understand it either?
| damiankennedy wrote:
| In New Zealand where we don't have a specific constitution or amendments we have a set of laws that end up in the same place. An example is libel, which both countries have laws against. In NZ such laws are debated in parliament and voted on just as in the US.
| However in the US there was an additional objection based on it violating the first amendment but then the law was made anyway so it seems politicians in the US can make laws that override amendments in specific situations. The US also has their Supreme Court which seems to play a far more active role than NZ's and also more powerful in that it can create precedents in the interpretation of laws for example allowing students to wear items of symbolic protest in school.
| all2 wrote:
| The US's first amendment is rather unique amongst Western nations. Basically it says "the government cannot infringe on this inalienable right", that is the government cannot govern speech. Here's the actual language:
| 
|     Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
| 
| The key phrase "or abridging the freedom of speech, or of the press".
| 
| As far as I know, this kind of language is absent from other Western nations. For example, Canada jails people for criticizing those of Islamic persuasion. [0] Note, the article doesn't record what the accused actually said. Here's a wikipedia overview of hate speech laws by country [1], though it is wikipedia, so take it with a grain of salt. Here's a somewhat relevant piece from _Reason_ that takes an anti-hate-speech stance [2] where the author details the unconstitutionality of hate speech laws.
| 
| "Free speech" as we understand it in the US is unique in the world.
| 
| As far as the restrictions at state and federal level, these are considered unconstitutional, and you'll see a large number of them struck down in various courts across the country.
| Those in power definitely seek to expand their powers and fortunately we have a law that allows the citizenry to push back against that.
| 
| [0] https://www.cbc.ca/news/canada/hamilton/muslim-hate-1.614516...
| 
| [1] https://en.wikipedia.org/wiki/Hate_speech_laws_by_country
| 
| [2] https://reason.com/2021/05/20/teen-arrested-under-connecticu...
| nceqs3 wrote:
| You seem to be misunderstanding the First Amendment. CSAM, classified information, defamation, copyright, etc. are all not permitted under the first amendment. Not to mention that gag orders are approved by a court and can be appealed.
| blibble wrote:
| > Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
| 
| seems pretty clear to me, at least for gag orders
| 
| less so for the other stuff you mentioned (could you argue pirated Disney movies are speech? probably not)
| dragontamer wrote:
| And the writers of the 1st Amendment went on to pass the Sedition act of 1798.
| 
| > That if any person shall write, print, utter, or publish, or shall cause or procure to be written, printed, uttered or published, or shall knowingly and willingly assist or aid in writing, printing, uttering or publishing any false, scandalous and malicious writing or writings against the government of the United States, or either house of the Congress of the United States, or the President of the United States, with intent to defame the said government, or either house of the said Congress, or the said President, or to bring them,
| > or either of them, into contempt or disrepute; or to excite against them, or either or any of them, the hatred of the good people of the United States, or to excite any unlawful combinations therein, for opposing or resisting any law of the United States, or any act of the President of the United States, done in pursuance of any such law, or of the powers in him vested by the constitution of the United States, or to resist, oppose, or defeat any such law or act, or to aid, encourage or abet any hostile designs of any foreign nation against the United States, their people or government, then such person, being thereof convicted before any court of the United States having jurisdiction thereof, shall be punished by a fine not exceeding two thousand dollars, and by imprisonment not exceeding two years.
| 
| Welcome to America. Our laws contradict each other and it's all about politics. The Supreme Court figures out where the line is drawn and what is, or isn't, legal according to the Constitution.
| 
| With regards to 1st Amendment, the limit is drawn today at Libel, Slander, "Fire in a Crowded Theater", pornography, and many other restrictions upon "free speech". Gag orders included.
| blibble wrote:
| surely that Act is by definition unlawful?
| 
| I still don't really understand
| 
| in the UK: Parliament has unlimited power and people talk quite a bit about formal constitutions being a good model to be followed
| 
| it seems a bit sad the attempt to protect the population against government using a formal constitution doesn't seem to work in reality (even when the wording is as clear as day)
| dragontamer wrote:
| > surely that Act is by definition unlawful?
| 
| Whose definition?
| 
| Answer: The Supreme Court decides the definition of things. It's only unconstitutional if the Supreme Court says so.
| 
| That's how the USA can get away with... I dunno... the Office of Censorship in 1941.
| (https://en.wikipedia.org/wiki/Office_of_Censorship). Definitions change, not only due to different members on the Supreme Court, but also due to different circumstances (WW2 meant that the Supreme Court was willing to ignore the obvious incursion into the 1st Amendment, at least temporarily)
| 
| EDIT: I always forget that it was actually the Office of War Information that did the Hollywood Censorship thing (https://en.wikipedia.org/wiki/United_States_Office_of_War_In...), rather than the Office of Censorship.
| blibble wrote:
| > Whose definition?
| 
| I guess that's the underlying problem
| 
| I'm not sure how you fix it really, though not having direct political appointees as top judges might be a good start
| 
| (maybe put an LLM in charge of a supreme court? I kid, I kid)
| dragonwriter wrote:
| > With regards to 1st Amendment, the limit is drawn today at [...] "Fire in a Crowded Theater"
| 
| No, and it never was. That was an _obiter dictum_ that didn't accurately reflect the state of the law in the decision in which it appeared, and the actual holding in that case itself (now regarded as an intense intrusion on core political speech) is no longer operative.
| 
| It's a catchy turn of phrase that gets stuck in the mind, but it was also a rhetorical device in a decision that has since been substantively overruled, not an actual example of an existing limit on free speech.
| dragontamer wrote:
| Well, if that particular phrase is poisoned, I guess I could just say "Hobbit" instead, which is owned as a trademark IIRC by the Tolkien estate and they're very litigious about it.
| 
| You can't say "Hobbit" in your own stories. But you can say "Halfling", and that's how people tend to get around that problem. Blonde Thor is Disney/Marvel (Historical Thor was a redhead IIRC, so Blonde Thor is Disney/Marvel Trademark), etc. etc. Plenty of restrictions on Free Speech in practice.
| dragonwriter wrote:
| > You can't say "Hobbit" in your own stories
| 
| You can, though.
| 
| You can't use it to _market_ your stories or other products, and there's some manners of use in the body of a book that might run some risk of liability for dilution or tarnishment, but...
| RobotToaster wrote:
| > "Fire in a Crowded Theater"
| 
| That one's apparently a myth.
| 
| https://reason.com/2022/10/27/yes-you-can-yell-fire-in-a-cro...
| dragontamer wrote:
| Libertarian website argues Libertarian viewpoints. News at 11.
| 
| I'm more inclined to believe Supreme Court Justice Alito over a Libertarian website. Especially because a sitting Supreme Court Justice literally will preside over the case and make a decision based on their own ethics/process/whatever.
| 
| An entire article that starts off with "BTW: Supreme Court Justice is wrong on subject" is... well... that's not how this works. The Supreme Court justice literally defines (or at least, is 1/9th of the definition) of our country's legal interpretation.
| 
| If the Supreme Court says "Obamacare is a tax", then it's a tax. No if, and, or buts about it. It can be as ridiculous or contrived an argument as they want, it's the purview of the Supreme Court. They are the final say on any of these legal matters.
| 
| And unless "reason.com" (or any other libertarian source) somehow manages to get the ear of the other Supreme Court Justices to believe their argument, I think I can safely ignore their article there.
| 
| But they know that. I'm guessing they're just trying to clickbait readers and make somewhat sketchy arguments for more clicks + plant more articles that are aligned to libertarian values (as is the point of reason.com).
| [deleted]
| SllX wrote:
| 1. It was _falsely_ shouting fire in a crowded theater, and it was not formative of the opinion itself (Schenck vs United States) but rather an aside.
| 
| 2.
| Schenck vs United States was largely overturned by Brandenburg vs Ohio, but this aside was still non-jurisprudential.
| 
| 3. I am unfamiliar with Justice Alito's opinion on the matter and you didn't cite it, so with no context I will only temporarily defer to you for the purpose of saying this: SCOTUS makes jurisprudence through the rulings and opinions they hand down when they take a majority vote in conference, draft opinions and sign on to them. One Justice does not make jurisprudence over a statement which itself was never jurisprudential.
| 
| Reason wears their ideological stripes on their sleeves, but this is still essentially a myth that doesn't die and a fuller explanation of it isn't a matter of ideology.
| 
| You still shouldn't falsely shout fire in a crowded theater, as people will die. You also shouldn't pretend a fire isn't there or part of the show either as people will also die. Basically, if there's a fire in a theater you're in, just be glad for modern building and fire codes.
| dragontamer wrote:
| > 2. Schenck vs United States was largely overturned by Brandenburg vs Ohio, but this aside was still non-jurisprudential.
| 
| This here is the evolving nature of the court that I want to highlight most of all however.
| 
| In 1919, the Supreme Court believed one thing. Later, in 1969, half-a-century later, it believed another thing and overturned the earlier ruling.
| 
| As an organization, the Supreme Court tends to try to be consistent. But it's not always true, and certainly in these days where we've had a dramatic change in the makeup of the court + filled it with young justices, we're going to see a big change in how the court writes opinions in the years, and decades, to come.
| 
| -----------
| 
| Laws are written. Constitutional Amendments are written. A few years ago, the 4th Amendment protected a woman's right to privacy and therefore Abortion. That's no longer true today. Etc. etc.
| Just a modern quickie example about how changing opinions can change our understanding of long-standing laws (or Constitutional Amendments) from the 1700s.
| 
| Generally speaking, the Supreme Court is trying to do what's right for our court system. To have laws interpreted consistently over time, and across the country.
| ajross wrote:
| > Such subpoenas are clandestine surveillance of citizens by their state. The problem with such types of surveillance in particular is the lack of accountability.
| 
| I never know how to interpret statements like this. The fourth amendment guarantees court oversight over search and seizures. A court signs off on every subpoena issued anywhere in the USA. Are you making this argument from the perspective of "I didn't know courts were involved" or "I don't view courts as sufficient oversight".
| 
| If it's the latter... what's your alternative? Eliminate gag orders (which is all this is) entirely? You realize that there's a lot of stuff that happens in courts that we all agree should not be public, both for privacy and law enforcement reasons. Why get upset over this one particular thing?
| riazrizvi wrote:
| The USA is a country of laws. It's possible that people submitting packages are submitting illegal malware; spyware, ransomware, software to steal crypto money, or run illegal ticket-buying bots. Ethical oversight is baked into the institutions through governance structures. Institutions aren't perfect. Also there tend to be more complaints in the media about a country's institutions than in regions where there is not a free press. So the voices complaining online don't necessarily correlate with where the problems most lie.
| [deleted]
| Loquebantur wrote:
| Describing the US as a country of laws is a little funny. The mere existence of laws does not imply much.
| 
| Your examples are even weirder. How would such malfeasance justify clandestine observations?
That is | clearly disproportional, thus unethical. | | Claiming governance structures were "baked into" | institutions is pure hopium. Democratic oversight means, | there must be transparency enabling you as a citizen to | detect and react to misconduct, at least by proxy. | | The "free press" isn't free to report and investigate | such subpoenas, obviously. | williamcotton wrote: | If law enforcement was never allowed to engage in | clandestine operations then it would hamper their ability | to build a case against and/or apprehend criminals. Case | in point, organized crime syndicates. | | This is why the majority of your fellow citizens disagree | with you and are fine with the current state of affairs. | yrnameer wrote: | > Ethical oversight is baked into the institutions | through governance structures. | | Kind of a shocking assumption to make. Over the past | several decades it has become increasingly apparent how | our governing structures have no inherent relationship | with ethics. | lazide wrote: | At least they get to subtly communicate they can't talk, | instead of being Jack Ma'd. | | The constitutional justification is the same one behind not | being allowed to yell 'fire' in a crowded theatre if there | is none, or not being able to go on TV and threaten the | Judge overseeing your case - 'the constitution is not a | suicide pact'. [https://en.wikipedia.org/wiki/The_Constitut | ion_is_not_a_suic...] | | As to if it is being abused? Guaranteed. Being prevented? | Not effectively. Only the occasional leak of the abuse and | corresponding consequences (if any) seem to be | counteracting it, and even then not well. | | Sunlight is the best disinfectant, and most of the national | security apparatus is solidly in the dark, and has been for | a long time. | mike_d wrote: | > How does the ethical use of this prolematic tool get | ascertained? Where and how is the democratic oversight | implemented? How is misuse treated and prevented? 
|
| I can't speak specifically to this case, but in general when asking a judge for the warrant they also provide compelling evidence that harm would come from disclosure. The judges weigh the rights of the targeted and other parties that would be subject to a gag order against the greater good.
|
| To answer your last two questions, all gag orders eventually expire. It isn't a prohibition against the impacted party speaking out, just a delay. They can go directly to the judge or appeal to a higher court.
| yunohn wrote:
| > It isn't a prohibition against the impacted party speaking out, just a delay.
|
| It's exactly this "it's totally fair, surely it's not ridiculous" attitude that shows how the powers control the people.
|
| Gag orders and secrecy agreements can definitely be indefinite and regularly are.
|
| https://web.archive.org/web/20220809113138/https://cdt.org/i...
| tru3_power wrote:
| Is this related to that Microsoft disclosure?
| whimsicalism wrote:
| > as allowed by the lack of a non-disclosure order associated with the subpoenas received in March and April 2023.
|
| Yeah no way they haven't had other subpoenas then.
| junon wrote:
| Good on the PyPi folks. This is an incredibly well done disclosure, an example to be sure.
| BrandoElFollito wrote:
| I wonder why such organizations that hold critical data for the community at large do not use an international canary system.
|
| Should one of the countries issue an order, the ones outside of its jurisdiction can openly disclose the information. Say if the US forces the US entity to not do something, the French one sees it and can warn all users.
| detaro wrote:
| "I've been ordered not to tell the details, but I know you will publish them, so I'm going to tell you the details" is not going to be taken as "obeyed the order" by law enforcement or courts.
| BrandoElFollito wrote:
| Sorry but I think I do not understand (English is not my first language).
| Who would be in trouble?
|
| In case anything happens with the content of the service, the detail of the changes would be made clear by someone outside the jurisdiction.
|
| A typical example is TrueCrypt that, one day, changed their page to say to use something else instead of their product.
|
| If the code was shared between several countries, the others could simply publish that this and that was changed out of band, and that it means that the code is now positively unsafe.
| sneak wrote:
| > _"IP download logs of any Python Package Index (PyPI) packages uploaded by..." given usernames_
|
| This is way overbroad. The fact that a judge granted this is very bad.
| duskwuff wrote:
| It's hard to say that it's "overbroad" without knowing the details of the situation.
|
| It's not hard at all, on the other hand, to imagine situations where this would be a reasonable request. Probably the most obvious would be if the packages contained material which was illegal to possess or distribute (like CSAM). Another would be if the packages were being used as part of a malware C&C operation -- knowing what IP addresses downloaded the packages would aid in determining the scope of the campaign.
| kjs3 wrote:
| We get "please provide the logged IP addresses of user X" subpoenas on a weekly if not daily basis. Which law school did you go to so I can tell our corp counsel they've been doing it wrong and stop asking?
| robryk wrote:
| Note that GP complains not about the request for IP addresses of user X, but the request for IP addresses of anyone who downloaded content uploaded by user X.
| tw-0981230981 wrote:
| You should re-read the quote. This was not a request for the IP addresses of the users in question, but for everyone that downloaded any packages uploaded by those users.
| throw_a_grenade wrote:
| So just yesterday PyPI announced they're retiring cryptographic signatures: https://news.ycombinator.com/item?id=36044543.
|
| It's hard to keep those things separated. I would very much like the code submitted to PyPI be protected end-to-end by cryptographic signatures, when PyPI has either no resources, or no spine to stand up to a government. Any signatures, even PGP, which should be in place until someone provides better mechanism.
| dvt wrote:
| Most likely caused by phishing, ransomware, or (unlikely) crypto mining. I'd bet someone from some agency had credentials leaked due to a malicious package. Honestly, PyPI is stuck between a rock and a hard place, but having something like a "verified" badge (where someone's real identity is tied to it) for certain packages would go a long way to ensure some level of security.
|
| The problem gets a bit hairier when dealing with dependency chains, however.
| snapcaster wrote:
| Really weird, anyone have some inside gossip on what this is about?
| paulpauper wrote:
| maybe to do with web scraping, auto-posting spam, etc.
|
| https://www.developer-tech.com/news/2023/may/22/pypi-suspend...
| yuvadam wrote:
| Subpoenas are from March and April, predating the spamming of the past few weeks.
| richbell wrote:
| PyPI has had a pretty consistent spam problem for a while now.
| paulpauper wrote:
| it likely shows that it was an ongoing problem
| Retr0id wrote:
| The most optimistic reason would be that they were investigating a supply-chain attack, or something of that nature.
| bhouston wrote:
| I wish it was that but those people would be smart enough to not use their real name when signing up - those doing supply chain attacks are often at least somewhat professional and take precautions.
|
| I suspect it was more about going after software that was enabling piracy, those are often created by naive students who are not expecting the power of government to be unleashed on them.
| nibbleshifter wrote:
| > those doing supply chain attacks are often at least somewhat professional and take precautions.
|
| Not really.
|
| The vast majority of supply chain attacks in practice are idiots exploiting namespacing, bitflips, or typos on pypi/npm to drop miners or infostealers.
|
| Yes, even the shit tier supply chain attacks count :)
| commandlinefan wrote:
| This makes me wonder... it's entirely possible that the PyPI people would be enthusiastic about helping to track down offenders, and their users might agree, _if they knew what the offense was_. Instead, they're presented with a typically antagonistic demand for details, so they understandably get defensive on behalf of their users. I wonder if there's not a better, less heavy-handed way to get cooperation with law enforcement when the request is reasonable.
| Retr0id wrote:
| Personally I would rather not set a precedent of handing data over to government agencies just because they ask nicely, even if it seems like it's for a mutually agreeable good cause. That is, I would rather they go through these "formal" channels, even if it seems a bit heavy-handed.
|
| Further, whatever they're investigating here is probably "important", for some definition of important, so they likely value the ability to lean on non-disclosure clauses etc.
| jamesmurdza wrote:
| It could be related to the large number of malicious or booby-trapped packages that have been uploaded recently to the index.
| foota wrote:
| My guess? A hacking case against someone for typosquatting or malicious packages or something.
| guhcampos wrote:
| Could be anything I guess, even legitimate reasons. Think of the supply-chain attacks going on in the past few years. I'd say investigating these would be a legitimate reason for a subpoena.
| [deleted]
| jehb wrote:
| Suggestion: Start slipping unique URLs into the "hidden" backend fields of systems where you'd like to know if your data was breached, improperly used, or handed over to a three letter agency.
|
| Suddenly getting hits at mydomain.com/[uuid]?
| At least you know somebody has looked at the data, or at the very least fed it through some processing tool that is extracting and visiting the URLs.
| mmsc wrote:
| This is called a canary and can be used in so many places: https://blog.thinkst.com/2022/09/sensitive-command-token-so-...
| austinjp wrote:
| I'm pretty sure I've seen a SaaS that does this, but I can't remember the name.
| tailspin2019 wrote:
| https://canarytokens.org
| tgbugs wrote:
| One theory that I don't see mentioned yet is that someone used an upload to pypi to exfiltrate data or simply as a way to upload arbitrary data somewhere. In a sense pypi is just a file hosting service, so it could have nothing to do with any actual python projects at all.
| rocqua wrote:
| Interesting approach to data exfil. Though it seems predictable that exactly this kind of subpoena would be issued. If you can predict it, you can probably mitigate it.
|
| Which means the subpoena would only be useful if the criminals made an opsec mistake. That is generally how most sophisticated criminals get caught, but here it feels like anyone inventive enough to try will probably also be prudent enough not to leave a trail.
| Zetice wrote:
| Dumb legal question; what's the difference, if any, between "We've been subpoenaed" and "Someone had a warrant for data"?
| paxys wrote:
| Warrant = we (police or other authority) have the right to come and search your property for evidence.
|
| Subpoena = the court compels _you_ to hand over the evidence we need.
| woodruffw wrote:
| Subpoenas are orders, but they're not necessarily court-issued. Warrants, on the other hand, _are_ court-issued -- the police can't issue warrants on their own in the US.
| rocqua wrote:
| A warrant for a thing isn't an order to the owner of that thing. It's an order to (and permission for) officers to go and seize the thing.
|
| You get shown the warrant to prove that they have permission, not to order you to comply.
| woodruffw wrote:
| Yes, I'm aware -- my other comment says that.
|
| I realize this comment is a little ambiguous: the order in the warrant case is an order by the court _to the court's officers_ to perform an arrest, seizure, etc. It's not an order for you (the subject of the warrant) to comply.
| [deleted]
| woodruffw wrote:
| Not a dumb question: a subpoena is an order to provide information or access, while a warrant is a court-issued document authorizing the government (or an agent of the government) to perform an act (e.g., an arrest, or seizure of an item).
|
| Subpoenas can be issued by attorneys (including prosecuting attorneys) as part of the investigative and discovery processes.
| indymike wrote:
| Subpoena = "Ask firmly, but nicely"
|
| Warrant = "Back up the van and haul it away"
| schoen wrote:
| The subpoena is a command to the possessor of the data, which tells the possessor of the data to produce it, with a particular deadline. Since this deadline is in the future, the subpoena can be challenged legally (normally by requesting a court to "quash" it; more riskily, sometimes by complying imperfectly or not at all, and then arguing in response to an attempt to punish the noncompliance that this was reasonable). A subpoena can be issued by many entities, for example including some law enforcement entities themselves, or a lawyer actively involved in litigation. (Yes, lawyers can personally write and issue subpoenas.) The subpoena is, however, _enforced_ by a court, in the sense that the court is asked to punish people who fail to obey it.
|
| The warrant is a command to a law enforcement officer, which allows the law enforcement officer to personally go and search and seize things (or people), while overriding some rights that would normally prevent this. Normally it is issued by a court.
| Generally there is no way to challenge a warrant to prevent its execution, because it is not disclosed to the target before it's executed (i.e., a law enforcement officer shows up with the warrant and begins executing it immediately, by force if necessary).
|
| (Edit: I wrote above that it's risky to comply imperfectly with a subpoena and then argue in court that this was reasonable, but usually if _a lawyer gives a professional opinion_ that the subpoena is invalid or overbroad for some reason, then the recipient of the subpoena won't be punished for following that advice. The lawyer may also attempt to negotiate directly with the issuer of the subpoena, for example by sending a letter explaining why the subpoena appears to be invalid. The legal standards for issuance of subpoenas are also pretty broad. For civil litigation, _which is not what DoJ is doing here_, they are set out in https://www.law.cornell.edu/rules/frcp/rule_26; notably, they can be issued to third parties.)
| therein wrote:
| Really nice response, I'm not the one who asked the question but I learned something from your response.
| zerealshadowban wrote:
| They log too much data about their users.
|
| So they should promptly update their policies to a) stop logging so much, b) delete all past logs, and c) sharply limit the span of time until deletion of whatever logs they decide they really need to track for internal needs.
|
| They should avoid logging, and rapidly rotate logs, to thwart future subpoenas from the total surveillance state.
| takeda wrote:
| For the kind of service they are providing I think the logging is appropriate.
|
| I mean if DOJ is interested in PyPI logs the only reason I could think of, is if it was used as a supply chain vector into breaking into other organizations.
| manicennui wrote:
| Did you bother reading the post?
| Jeff_Brown wrote:
| I didn't get very far. (Not the OP.)
| What's the punchline -- they will log less in future? They can't? They shouldn't?
| einpoklum wrote:
| Here is what I consider the key section:
|
| > The privacy of PyPI users is of utmost concern to PSF and the PyPI Administrators, and we are committed to protecting user data from disclosure whenever possible. In this case, however, PSF determined with the advice of counsel that our only course of action was to provide the requested data. I, as Director of Infrastructure of the Python Software Foundation, fulfilled the requests in consultation with PSF's counsel.
|
| The first part of this section contradicts all of the rest. If user data privacy is of "utmost concern", then it is a concern above fulfilling legal obligations under US law. Plus, such supposed obligations must be staunchly fought before even considering whether or not to observe them. So, in fact, user data privacy is a minor concern for the Python Software Foundation, while swift prostration towards the US federal state is what's of utmost concern.
|
| Of course, they almost admit it themselves. If we carefully read the second clause, they don't say "we're committed to protecting user data from disclosure", but - the "we're committed... when possible". So, they're saying that if they believe it isn't possible to protect, they have _no_ commitment to try their utmost to protect. i.e. when they see fit, user data protection is _not_ a concern at all. ... ok, ok, it is a public relations concern.
| stjohnswarts wrote:
| I don't have a problem with this as it was 5 particular users and not "give us all the data for all your users". They didn't really have much of a choice. I don't think they would have had a choice in any of the 5 eyes countries or their allies
| gjmacd wrote:
| I would point to Jim Jordan and all the other Republicans after January 6th who didn't honor a subpoena and toss them in the trash.
| Nobody in our government honors them, why should we in the private sector? What's going to happen, they going to raid offices and get a bunch of PC's and books?
| ur-whale wrote:
| > We will not be releasing the usernames involved publicly or to the users themselves.
|
| Emphasis on the last part: or to the users themselves.
|
| In other words: unless they actually let the users involved in spite of claiming the opposite, the whole article is complete posturing.
| burnished wrote:
| What a weird take
| ralmidani wrote:
| Does a "subpoena" mean a judge was involved? The post says the subpoena was issued by the DOJ.
| tptacek wrote:
| It means a court is involved, but not a judge.
|
| _Edit_
|
| Even that is technically wrong; some DOJ subpoenas are apparently preauthorized by statute.
| idlewords wrote:
| There's a pretty extensive list of administrative subpoena authority here:
|
| https://www.justice.gov/archive/olp/rpt_to_congress.htm
|
| tl;dr: Everyone from the Appalachian Regional Commission on down can subpoena you without a court being involved. And of course Congress has inherent subpoena powers.
| tptacek wrote:
| Oh, this is so cool. Thank you!
|
| This is a step towards answering my noodly question earlier in the thread: authorization for NDAs and "gag orders" in subpoenas appears to be controlled by (varying) statutes.
| etaioinshrdlu wrote:
| Amazing how upset users here get over the very reasonable response to very normal police work.
| throwaway_13140 wrote:
| Agreed - how else was the DOJ supposed to do their job? They clearly need the data for an investigation. No need for PyPI to give information about how current users can alter their accounts to thwart future requests.
| sneak wrote:
| Normal police work doesn't go fishing for the IP addresses (potentially millions of users) of everyone who downloaded a package.
|
| > _"IP download logs of any Python Package Index (PyPI) packages uploaded by..." given usernames_
|
| Do you feel the same way if the cops are receiving the IPs of everyone who downloaded yt-dlp? IP addresses and timestamps resolve to physical locations and oftentimes street addresses.
| ranger_danger wrote:
| In the US at least, it has been ruled that an IP address is not sufficient evidence to link activity to any particular person. You could have been hacked for example.
| buzzscale wrote:
| That doesn't make any sense though. What benefit would DOJ get from getting the IP address of everyone who downloaded yt-dlp? They aren't the enforcement arm of google's terms of service, which is a civil matter.
|
| Even if they were, and the DOJ was going for a dragnet operation to go after tools that could potentially infringe terms of service of big corporations, they would go after every tool and every fork. Not just 1 package. But again, what court would allow such action and why?
|
| If I was in the DOJ and was investigating a malicious package uploaded to PyPI, I would ask for the IP's of the downloaders to see if the uploaders dun goofed and downloaded their package shortly after uploading off VPN. Or to find out if any major corporations were impacted by downloading the malicious package and to inform them.
| etaioinshrdlu wrote:
| (Deleted comment as it was wrongly assuming bias)
| ewdurbin wrote:
| no. they wanted the downloads by randoms. we don't store those with IPs
| subarctic wrote:
| I think you're reading it wrong too - it says "IP download logs of any Python Package Index (PyPI) packages uploaded by the given usernames". So that's anyone who downloaded those packages, not just the specific users' download activity.
| Vervious wrote:
| Yeah, I feel like this crowd sometimes forgets that the department of justice exists first and foremost to keep us safe.
|
| With PyPi hosting a ton of malicious packages and malware, certainly I am not morally opposed.
| winrid wrote:
| Same with the dozen street cameras at every intersection in China, right? Right? :)
| unethical_ban wrote:
| It's truly disheartening to see examples where someone (presumably a real human) thinks that all law enforcement, across all nations and times, and in all cases, are equal.
| willdr wrote:
| They are equal insofar as they exist for the same purpose.
| winrid wrote:
| I didn't say equal, did I?
| misterpigs wrote:
| I love this level of transparency.
| voynich wrote:
| Yeah, whether necessary or not, it's still nice to have such a level of detail in a transparency report.
| tomjen3 wrote:
| > We will not be releasing the usernames involved publicly or to the users themselves.
|
| Which is the most important part.
| tptacek wrote:
| They're not allowed to release that.
|
| _Edit_
|
| I read 'chaps as saying there was an NDA on the subpoena, but apparently there wasn't, so this might just be flatly wrong.
| remram wrote:
| Even in the absence of NDA, are you allowed to? Counsel has apparently advised them not to. Would it not carry the risk of being complicit to a crime?
| kevin_thibedeau wrote:
| Disclosing facts is not a crime.
| rocqua wrote:
| Perhaps there is no NDA on the fact that subpoenas were issued, but still an NDA on whom they were issued about? Limiting the scope of such an NDA feels like a plausible result of negotiations after a motion to squash the subpoena.
| AnotherGoodName wrote:
| The NDA isn't the only reason you don't risk interference in an ongoing investigation though so regardless the basic point still stands.
| throwaway_13140 wrote:
| Do you still love it if it enables a terrorist or otherwise very bad person to evade capture?
| evandale wrote:
| Not OP but yeah. I don't buy into the whole "to protect you from bad people I need to erode your rights" argument.
|
| Never made sense to me.
| Terrorists and other very bad people usually aren't in the business of following laws so I don't know what crimes you'd prevent by weakening the rights of everyone else.
| M3L0NM4N wrote:
| I mean, surveillance reduces crime. Wherever you fall on the spectrum of surveillance/privacy, I can guarantee if the government read everything everyone wrote/texted/read and recorded their every move, there would be less crime.
| menus wrote:
| Great to know that. I'll let the parents of Uvalde know how surveillance reduced crime on the 1 year anniversary of the school shooting.
|
| Surveillance does not reduce crime, tending to people's basic needs so that they don't need to commit crimes reduces crimes.
| Danjoe4 wrote:
| Yes. Truth itself stands at the top of the moral hierarchy. It can stand alone without any justification. "You told the truth" will never be immoral, consequences be damned.
| Aachen wrote:
| Climate activism is also being considered an act of terrorism by some now (particularly some Christian party in Germany), dunno if those people label themselves as 'very bad persons'. Probably goes for all terrorists, but this might be easier to relate to as it's grounded in reality and we'd likely agree with the change they seek
|
| Child porn and terrorism are the favorite subjects of politicians looking to enact a new law but idk if it's good to follow that thinking and use it as an example as opposed to a serial killer or something
| SV_BubbleTime wrote:
| Sure. But I would love if they had considered this from the start:
|
| > As a result we are currently developing new data retention and disclosure policies.
|
| "I guess we don't actually need that" should have been the idea from the start.
| thih9 wrote:
| After a quick glance at the information listed in the report I didn't notice excessive data collection on pypi's part.
|
| I'd say they followed "I guess we don't actually need that" approach reasonably well so far and good for them if they want to improve that even more.
| itake wrote:
| I can't tell if this is sarcastic.
|
| While they are transparent the events happened, they are not transparent about which packages and what authors are being flagged, which is unfortunate.
| thih9 wrote:
| Is it possible that they can't publish that? Perhaps even not allowed to say that they can't publish that?
| einpoklum wrote:
| > While they are transparent the events happened
|
| Considering they are admitting they will always obey government commands, including regarding non-disclosure of actions to affected users, it is prudent to assume they are, in fact, not transparent about events; only about those events which the government has let them tell you about. Other events (e.g. National Security Letters) may or may not have occurred.
| b33j0r wrote:
| Why don't nerds get the same rights?
|
| According to US news over the past 3-4 years, you can just ignore subpoenas, then get a contributor job on a cable news network. Bonus points, the more you flout the law as arrogantly as possible ;p
| jacquesm wrote:
| > We will not be releasing the usernames involved publicly or to the users themselves.
|
| Why not to the users themselves? Have they been prohibited from doing so? (TFA does not say afaict)
| ruffrey wrote:
| Often subpoenas are part of an ongoing investigation, and they require not releasing information to those whose data was subpoenaed.
| tptacek wrote:
| The subpoena probably includes a nondisclosure clause; a court order certainly would. The mechanics of nondisclosures on subpoenas is interesting and I don't totally understand it (by definition, a subpoena is a document authorized by someone other than a judge).
| jacquesm wrote:
| So is this message a way to obliquely signal to those users (whoever they are) that they may be under investigation without actual disclosure?
| can16358p wrote:
| That might get PyPI into trouble especially with a gag order which we can assume that they are forced to obey and forced not to talk about.
|
| PyPI would pretty much want to inform the users, but they probably simply can't (without getting into legal trouble).
| tptacek wrote:
| I doubt it. Most of these investigations (really: most federal computer-related investigations) are super boring, and are about things ordinary people wouldn't object to seeing investigated.
|
| We're a message board and we're thus optimized for drama over truth-seeking (it's just human nature). The truth of these kinds of events is usually not all that interesting. If it's something more dramatic, we'll hear more about it in the future. In, like, a sort of Bayesian sense, you can predict that any given subpoena or court order is going to be about a case nobody would bother sending warning signals about.
| bredren wrote:
| > Most of these investigations (really: most federal computer-related investigations) are super boring, and are about things ordinary people wouldn't object to seeing investigated.
|
| This is true. The result may be so boring local news wouldn't even cover it. In some cases you have to find the investigating agency's unremarkable press release and then dig for related court documents to even find out what happened.
| chaps wrote:
| There was no NDA: "We have waited for the string of subpoenas to subside, though we were committed from the beginning to write and publish this post as a matter of transparency, and as allowed by the lack of a non-disclosure order associated with the subpoenas received in March and April 2023."
| steve1977 wrote:
| ... for the subpoenas received in March and April 2023
| chaps wrote:
| Yeah, that was notably strange language for sure.
| tptacek wrote:
| Interesting! (I initially read this backwards and thought you were saying they did have an NDA).
| [deleted]
| jsjohnst wrote:
| > by definition, a subpoena is a document authorized by someone other than a judge
|
| Uhm, am I misunderstanding what you wrote, because that is definitely not true. Subpoenas require an officer of the court by definition (in the US anyway), which can be a judge, a court clerk, or even lawyers in some jurisdictions.
| tptacek wrote:
| Can a court clerk or a lawyer unilaterally create a nondisclosure requirement? It is not generally the case that a lawyer, absent a judge, can send you a document you're not allowed to disclose (though certainly lots of C&D's try to suggest otherwise).
|
| I'm sure the NDA stuff here is ironclad! I'm just curious what the mechanism is.
| jsjohnst wrote:
| > Can a court clerk or a lawyer unilaterally create a nondisclosure requirement?
|
| If they are acting as an officer of the court, which they'd need to be to sign off on a subpoena, I believe the answer is yes. The mechanism is called a "gag order".
| tptacek wrote:
| For subpoenas authorized under the Stored Communications Act, there's statutory authorization for DOJ to request time-limited NDAs, which makes me wonder if there needs to be explicit authorization for other kinds of subpoenas. This is the kind of noodling I'm doing here; I'm not trying to message-board my way to a first-principles argument that the NDA was bogus. :)
| lazide wrote:
| It's very common for a subpoena related to an ongoing investigation to include a gag order.
| For instance, if someone is investigating someone for a crime, and requests that user's search history, the last thing they want is for Google et al to alert the user that this happened, as they may not be ready to arrest them yet and the target would flee.
|
| Same with wiretapping orders, or frankly a subpoena for pretty much anything from a third party.
| jacquesm wrote:
| I don't follow you, which NDA?
| vdqtp3 wrote:
| > Subpoenas require an officer of the court
|
| That's not entirely true.
|
| https://en.wikipedia.org/wiki/Administrative_subpoena
|
| Local organizations have come up with equivalents, although there is less (no?) statutory support for that.
| toast0 wrote:
| The users themselves already know their own usernames, presumably. They could let the users know they were subpoenaed without letting them know their username. :P
| shadowgovt wrote:
| That, or they have reason to believe the investigation is legitimate and they would prefer not to hinder it.
| jacquesm wrote:
| They say very explicitly that they do not know what it was about.
| shadowgovt wrote:
| There's a wide gulf between concrete knowledge and belief.
|
| I see an ambulance going lights-and-sirens behind me. I don't _know_ they're on their way to or from a hospital, but I pull over because I have reason to believe they are.
| junon wrote:
| Weird analogy. An ambulance has a very narrow scope of responsibility. Legal processes have a very wide scope. Clearly this is related to a legal matter and not an immediate medical matter. But the nature of the legal matter could be a _very_ wide variety of things, ranging from lower court civil proceedings up to treason, etc.
| CodesInChaos wrote:
| They only wrote that they weren't told what it was about. However it might be obvious from the packages uploaded by those users (e.g. if they uploaded malware).
| weaksauce wrote:
| they have five usernames...
| that can narrow down what projects they were associated with pretty quickly to infer if there was something nefarious about them. though it could be entirely unrelated to their activity on pypi and be a trawl for leads based on username similarity from some other messageboard or activity that was used for illegality. though, thinking about it more, that seems legally dubious a reason to be able to get a subpoena issued for. ianal
| avgcorrection wrote:
| > The privacy of PyPI users is of utmost concern to PSF and the PyPI Administrators, and we are committed to protecting user data from disclosure whenever possible.
|
| Don't lead with this.
|
| > In this case, however, PSF determined with the advice of counsel that our only course of action was to provide the requested data.
|
| If you're going to say this.
|
| I'm not judging their decision. Maybe not going to prison is a greater concern to them. It's fine to just say that you thought it was best to comply because [lawyer reasons that you don't have to disclose to anyone]/_counsel_.
|
| EDIT: Or say "there are bad people out there and we trust the DOJ". Whatever.
| tptacek wrote:
| Lighten up. Nobody's going to federal court to stop the DOJ from investigating botnets, carding rings, and ransomware scams, which is what these things are usually about. Nobody's mental model of PyPI was that they had Signal's priorities.
| mrguyorama wrote:
| Then they shouldn't say protecting their users are their top priority, because they have shown it is not. That's called lying. A correct statement would have been "we will comply with lawful LEO requests"
| junon wrote:
| How have they shown it's not, exactly? Really curious what you think they could have done better aside from blatantly going against laws in their jurisdiction.
| adamckay wrote:
| There's a difference between abiding by lawful court orders that have gone through judicial process and a friend in a police department calling in a favour.
| x0x0 wrote:
| Helping convict scammers, typo-squatters injecting malicious code, etc _is_ protecting their users. Just not the (likely) bad actors that are the subject of the subpoenas.
| hgsgm wrote:
| The fact remains, that unless you are willing to break the law, obeying the law is your top priority.
| junon wrote:
| If you're so inclined, you're welcome to make an anarcho-oriented package management system yourself. PyPi has never claimed to be one, though.
| [deleted]
| avgcorrection wrote:
| Then all the less reason to roll out the "of utmost importance" boilerplate. So what's your point?
|
| Also I don't see how being light-hearted has anything to do with this submission, Thomas.
| davidguetta wrote:
| It's just they have no choice. And when they do, they choose their "utmost priority". It's not that complicated
| paulgb wrote:
| It's a completely reasonable reading of their message to assume that the "possible" in "whenever possible" roughly means "legal". I don't think any reasonable reading of it means to imply that they are willing to violate federal law.
| HelloNurse wrote:
| sudo give us user data
| avgcorrection wrote:
| Fair point.
| Mystery-Machine wrote:
| One way to protect user data is to NOT ask/collect data in the first place. What's the need of a person's full name and address for? Maybe I'm missing the point, but I see zero reasons to have this data in the first place.
| [deleted]
| dubbel wrote:
| You are probably reading what data the DoJ requested. Further down in the blogpost (in the "Details" section) they state that they don't have a lot of the data requested and exactly what kind of data they could and did provide. Addresses are not requested by PyPI.
| junon wrote:
| And they state very clearly they don't have this information. In fact, PyPi seems to retain a very reasonable set of information, strictly related to the service itself. I found this disclosure to be entirely refreshing.
| masto wrote:
| If you read the whole thing, it's pretty clear they don't have the person's full name and address, and thus did not provide it. They do mention that it will be needed for organizations that sign up for billing when that feature becomes available.
|
| Other than possibly IP addresses, it seems like the only information they had available to disclose was close to the bare minimum needed to operate the service.
| avgcorrection wrote:
| That's the best principle to follow. Agreed.
| duxup wrote:
| I don't see anything conflicting in what they said.
|
| They can feel that way, and comply.
| avgcorrection wrote:
| Yeah. I was probably being a little too boilerplate (what looked like) -intolerant. ;)
| rektide wrote:
| It'd be lovely to see better patterns emerge to aggregate and/or anonymize data.
|
| Great respect for the response. Reevaluating data retention is a great move.
| jupp0r wrote:
| "9. IP download logs of any Python Package Index (PyPI) packages uploaded by the given usernames"
|
| This was the point where I was wondering if this is really about some malicious packages or something more along the lines of copyright infringement software.
| femto113 wrote:
| This definitely seems like a significant element of the ask, but for any popular package a list of all the downloaders would be pretty overwhelming in size (and I think of very limited utility). I'm guessing that some versions of some more obscure package(s) were identified as being used in an attack and they're either trying to identify potential attackers or other victims (or both) of that attack.
|
| From a 2021 article[1] about packages used to deliver malware "we have alerted PyPI about the existence of the malicious packages which promptly removed them. Based on data from pepy.tech, we estimate the malicious packages were downloaded about 30,000 times."
|
| For comparison yt-dlp has tens of millions of total downloads and gets downloaded over 70,000 times every day [2]
|
| [1] https://jfrog.com/blog/malicious-pypi-packages-stealing-cred...
|
| [2] https://pepy.tech/project/yt-dlp
| NelsonMinar wrote:
| Total speculation on my part but PyPI hosts yt-dlp, the unauthorized video downloader. https://pypi.org/project/yt-dlp/
| WhyNotHugo wrote:
| Unlikely, due to:
|
| > "Records of all Python Package Index (PyPI) packages uploaded by..." given usernames
|
| > "IP download logs of any Python Package Index (PyPI) packages uploaded by..." given usernames
|
| I don't think they'd want a list of packages uploaded by a given user if they were after yt-dlp devs. They'd be asking for a list of maintainers of a given package.
| phkahler wrote:
| Thanks, I was wondering what it might be about. That makes some sense.
| schleck8 wrote:
| No it doesn't. No one at the government level gives a shit about a youtube downloader package, typosquatting would be way more likely. Pypi is riddled with malware AFAIK, they don't really moderate it.
| ed25519FUUU wrote:
| If yt-dlp was illegal the first thing they'd do is a takedown request, not a subpoena but leave it online.
| [deleted]
| vore wrote:
| I would think the government has bigger fish to fry than to spend time subpoenaing yt-dlp.
| Sparkyte wrote:
| I wouldn't be surprised if it was more of AI based impersonation stuff. AI in the government is big because people can use it to impersonate people as a form of identity fraud.
| [deleted]
| dual_dingo wrote:
| Not a US citizen, but "The government" is a wide term and any law enforcement agency would fit this, including the ones that are responsible to deal with things like copyright enforcement - that's exactly the type of fish they exist to fry ...
| vore wrote:
| Given the discussion around how lacking PyPI supply chain security is, how juicy of a target it is for attackers, and how critical infrastructure is probably relying on PyPI, yt-dlp is the last thing on my mind.
| ChuckMcM wrote:
| FYI for non US readers ...
|
| In the US, subpoenas come from the Justice Department (either state or federal depending on the crime for which evidence is being sought). The court that issued the subpoena is on it, and the person or entity being served has the right to see _why_ some government agency felt it could aid in the uncovering of a crime that had _already_ been committed. The person or entity then has the opportunity to challenge that in court prior to complying with it. This is sometimes informally called "quashing the subpoena." From my sister-in-law who is a defense attorney, the most common result of challenging a subpoena is to get what it asks for narrowed down to just what is plausibly responsive.
|
| In the article, this response: _As a result we are currently developing new data retention and disclosure policies. These policies will relate to our procedures for future government data requests, how and for what duration we store personally identifiable information such as user access records, and policies that make these explicit for our users and community._ Is good practice for limiting what a subpoena can request (you can't give what you don't have).
|
| At Blekko we logged access records in such a way that we could use PII for 48 hours and then it was deleted.
| The CTO, Greg Lindahl, is a huge privacy advocate and this sort of architecture made it possible to get information to improve our ranking and service without compromising people's privacy. In practice I don't think any agency could go from "we have a suspect" to "issue a subpoena" in 48 hrs so it was a useful way for us to stay out of the crosshairs. The most interesting event was the FBI asking for information on IP addresses that had accessed their honeypot CSAM site. That turned out to be some of the machines in the crawling cluster. Given that the site was outside the crawl "horizon" and didn't rank (very few sites linked to it) it didn't even make it into the cache for rank analysis. But in that case the turn around time was impressive. Of course that is because they were just using their own logs to generate subpoena requests.
| throwaway09223 wrote:
| Google is a pretty big fish themselves.
|
| What usually happens is the large corporation lays out a case like "yt-dlp is responsible for billions in damages" and they press the DOJ to investigate and prosecute.
| sp332 wrote:
| While copyright infringement is usually a civil matter, there are times the DoJ gets involved. They even got a guy sentenced to jail for it in 2018. https://www.justice.gov/usao-ndga/pr/owner-sharebeastcom-sen...
| sam0x17 wrote:
| One would think that yes.... but this is the U.S. :/
| lazide wrote:
| The FBI has its own 'copyright enforcement' division who has as their sole job enforcing copyright, and has its own dedicated funding
|
| [https://archives.fbi.gov/archives/news/testimony/intellectua...]
| RobotToaster wrote:
| Isn't copyright infringement a tort not a crime? Why is the FBI involved at all?
| qingcharles wrote:
| Depends on the level of infringement generally.
| lazide wrote:
| [https://www.justice.gov/archives/jm/criminal-resource-manual...]
|
| There is an applicable federal criminal law.
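ChuckMcM's comment above describes a retention architecture in which raw PII in access records is usable for a fixed window and then gone, so a later request can only reach what is still held. The block below is an added illustration of that pattern and is not code from PyPI, Blekko or the PSF; the 48-hour window is taken from the comment, while the HMAC-based pseudonym, the `RetentionLog` class and the constructed sample requests (documentation-range IPs, made-up file names) are assumptions of this example. Raw IPs are dropped once they age out, but a keyed token per client survives, so per-file distinct-client counts (the "ranking and service" use in the comment) still work after scrubbing.

```python
"""Retention-limited access log (added example, not PyPI's or Blekko's code).

Raw client IPs stay readable for RETENTION (48 h, an assumption taken from
the comment above); after that they are removed.  A keyed pseudonym of the IP
is kept so aggregate statistics remain possible without the raw address.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION = timedelta(hours=48)


@dataclass
class AccessRecord:
    ts: datetime          # time of the request (UTC)
    path: str             # artifact requested, e.g. a package file
    ip: Optional[str]     # raw client IP; None once scrubbed
    ip_token: str         # keyed pseudonym of the IP, not reversible without the key


class RetentionLog:
    def __init__(self, key: bytes, retention: timedelta = RETENTION) -> None:
        self._key = key            # secret; destroying/rotating it unlinks old tokens
        self._retention = retention
        self._records: list[AccessRecord] = []

    def _pseudonym(self, ip: str) -> str:
        # HMAC-SHA256 under a secret key: equal IPs map to equal tokens, but the
        # token cannot be turned back into the IP without the key.
        return hmac.new(self._key, ip.encode(), hashlib.sha256).hexdigest()[:16]

    def record(self, ts: datetime, path: str, ip: str) -> None:
        self._records.append(AccessRecord(ts, path, ip, self._pseudonym(ip)))

    def scrub(self, now: datetime) -> int:
        """Remove raw IPs older than the retention window; return how many."""
        cutoff = now - self._retention
        scrubbed = 0
        for rec in self._records:
            if rec.ip is not None and rec.ts < cutoff:
                rec.ip = None
                scrubbed += 1
        return scrubbed

    def raw_ips_for(self, path: str) -> list[str]:
        """Everything a 'download logs' request for this file could still yield."""
        return [r.ip for r in self._records if r.path == path and r.ip is not None]

    def distinct_clients(self, path: str) -> int:
        """Aggregate that survives scrubbing: number of distinct client tokens."""
        return len({r.ip_token for r in self._records if r.path == path})


def demo() -> tuple[int, list[str], int]:
    """Constructed scenario: four requests over 72 h, then a scrub at hour 72."""
    log = RetentionLog(key=b"constructed-demo-key")   # constructed, not a real secret
    t0 = datetime(2023, 5, 1, tzinfo=timezone.utc)
    # Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 are
    # documentation ranges, not real clients.
    log.record(t0, "pkg-a-1.0.tar.gz", "203.0.113.5")
    log.record(t0 + timedelta(hours=1), "pkg-a-1.0.tar.gz", "203.0.113.5")
    log.record(t0 + timedelta(hours=50), "pkg-a-1.0.tar.gz", "198.51.100.7")
    log.record(t0 + timedelta(hours=71), "pkg-a-1.0.tar.gz", "203.0.113.5")

    now = t0 + timedelta(hours=72)
    scrubbed = log.scrub(now)                        # first two are older than 48 h
    remaining = log.raw_ips_for("pkg-a-1.0.tar.gz")  # only the two recent raw IPs
    clients = log.distinct_clients("pkg-a-1.0.tar.gz")  # still 2 after scrubbing
    return scrubbed, remaining, clients


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the scrub count, the raw IPs still held for the file, and the distinct-client count. In a real deployment the scrub would be a scheduled job on the log store rather than an in-memory pass, and the HMAC key would live in a secret store with a rotation schedule; rotating (or destroying) the key after the window also breaks linkability of old tokens across rotations, which is the trade-off between analytics continuity and minimisation.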
| slenk wrote:
| yt-dlp is everywhere - why would they go after pypi and not the source at https://github.com/yt-dlp/yt-dlp
| CarbonCycles wrote:
| What an odd article and release statement. It's almost as if they're signaling w-out literally signaling the parties of interest.
|
| Surprised the doj didn't issue any gag orders.
| rossdavidh wrote:
| One gets the impression that this was an artfully crafted way around the specifics of the gag order, to disclose whatever wasn't specifically prohibited by it. IANAL.
| throwaway_13140 wrote:
| Exactly. I guess the transparency is nice but at what point are you potentially helping someone cover their tracks who may or may not actually deserve that help?
| rolph wrote:
| [In March and April 2023, the Python Software Foundation (PSF) received three (3) subpoenas for PyPI user data. All three subpoenas were issued by the United States Department of Justice. The PSF was not provided with context on the legal circumstances surrounding these subpoenas. In total, user data related to five (5) PyPI usernames were requested.]
|
| either a small group of users, or one user with multiple aliases wrote a nastyapp ?
| cubefox wrote:
| Apparently no plans to set up a canary.
| jrockway wrote:
| Is there any precedent for people not facing legal consequences for failing to update the canary? The subpoena probably says "and also update your warrant canary to say there were no legal requests." Now you're in contempt of court and in jail for 5 years while you wait for your "compelled speech" case to go to the Supreme Court.
|
| In general, I think it usually goes poorly when programmers invent clever legal workarounds. The legal system isn't a computer program. It's guys with guns.
| JohnFen wrote:
| > The subpoena probably says "and also update your warrant canary to say there were no legal requests."
|
| I think that would be outside what can be done with a subpoena.
| It would require a court order.
| buildbot wrote:
| Isn't the idea that the (US) government can't (technically) compel you to lie?
| tptacek wrote:
| The US compels certain kinds of speech all the time.
| dwheeler wrote:
| The US government is not compelling speech, it's compelling PyPI to accurately reveal to the US government the contents of past speech that PyPI has access to. Compelling disclosure of certain kinds of data, when it's known, is a normal part of legal actions in the US and probably elsewhere.
| mrguyorama wrote:
| You can beat the rap but not the arrest.
| waselighis wrote:
| I would think there are certain situations where a person might be compelled to lie, such as if you have a security clearance, have signed an NDA, or are acting as an informant. That is, a person may have to lie to prevent divulging classified or secret information through implication.
|
| EDIT: One situation where the government cannot compel you to lie is if it violates your fifth amendment rights (self incrimination).
| sigstoat wrote:
| those are all things you actively agreed to, in advance, in exchange for some sort of consideration (job, not going to jail for illegal things you've already done, etc)
| rossdavidh wrote:
| I have never heard any legally competent source say that the U.S. government cannot (with warrant or whatever) compel you to lie. I'm pretty sure that, in the case of a canary, they can.
| User23 wrote:
| The process is the punishment.
| linsomniac wrote:
| "Just because you're right doesn't mean you won't go bankrupt in a court of law proving it."
| dennis_jeeves1 wrote:
| That's real world wisdom...
| short_sells_poo wrote:
| That may be the case but if the cost of testing it is 5 years in jail while the case works its way through the courts, few people will be willing to rely on it.
| EatingWithForks wrote:
| The better question is: are you (or PyPI in this case) interested in a legal tussle with the US Gov?
| bitxbitxbitcoin wrote:
| Exactly. Warrant canaries are security theatre.
| actionfromafar wrote:
| Not always, if the entity has a stance to uphold and the money to fight back, it doesn't have to be.
|
| If a mom-and-pop shop or open source org, it's a faint hope at best.
| burnished wrote:
| Can a subpoena stipulate that?
| redox99 wrote:
| Can you provide any evidence of the US forcing someone to update their canary?
| snapcaster wrote:
| How would one even observe this evidence?
| metiscus wrote:
| The only way I can think of would be that after the case has ended it may be possible for a party who had been directed to update a canary under a court order to notify people that they had done that. It would probably depend on the court etc and I am not a lawyer.
| woodruffw wrote:
| I don't understand (genuinely, I'd like to!) what a warrant canary would have done here: this was a subpoena, not a warrant, and PyPI is a public package index.
| cubefox wrote:
| I'm obviously talking about a subpoena canary.
| Zetice wrote:
| If you can just say, "We got subpoenaed" in a blog post, isn't that even more effective than a canary would be?
| cubefox wrote:
| There was a delay.
| caturopath wrote:
| Canaries would be for times when they couldn't legally say that.
| waselighis wrote:
| Long ago, Apple included a warrant canary in their transparency report. One day, it disappeared. Nothing came of it.
|
| https://www.theverge.com/2014/9/18/6409575/apple-warrant-can...
|
| The problem with a warrant canary is there's too much doubt about why it disappeared. Did they actually receive a warrant, or is it just a decision from corporate to discontinue the practice?
| cubefox wrote:
| There can be some doubt, but too much?
| actionfromafar wrote:
| A decision from corporate to discontinue is also a signal.
| DANmode wrote:
| > why it disappeared
|
| The result is the same.
| tptacek wrote:
| Canaries probably don't work, which makes them worse than theater.
| skullone wrote:
| Why would they? It's a public repository, nothing confidential or private
| JohnFen wrote:
| Account details are confidential and private.
| __MatrixMan__ wrote:
| Kudos to PyPI for handling this professionally.
|
| That said, I think we should be working towards a world where they're unnecessary. As a middle party to what ought to be a developer/developer trust relationship, they're attack surface that threatens depender sometimes and dependee other times.
|
| Going peer-to-peer will be less convenient, but worth the investment in the long run.
| ChrisMarshallNY wrote:
| That's an excellent transparency report.
| [deleted]
| LordShredda wrote:
| I'm guessing some poor typosquatter managed to hit a gov agency and is about to get alphabet soup all over him.
| paulddraper wrote:
| > poor typosquatter
|
| :/
| fmajid wrote:
| More likely it is DRM-cracking packages.
| eur0pa wrote:
| That or fairly unlucky bug bounty hunters
| [deleted]
| nonrepeating wrote:
| "Get alphabet soup all over him"
|
| This is my new favorite alternative to "vanned" (or "v&")
| tenpies wrote:
| > "vanned" (or "v&")
|
| Also note that the noun associated with being "vanned" would be a "party van", not just a "van".
|
| To be vanned/V& is to have the glowies inside the party van take the vanned party away.
|
| https://knowyourmeme.com/memes/4chan-party-van
| the_jesus_villa wrote:
| lots of nostalgia for partyvan.org during the chanology days
| flyinghamster wrote:
| I think I'm gonna snarf that one too. It's just too good.
| techbro92 wrote:
| Think I'm gonna snarf snarf. Actually I just looked it up and apparently that word means to eat or drink greedily.
| Not sure why you used it here
| GrinningFool wrote:
| Also, https://en.wikipedia.org/wiki/Snarf_(ThunderCats)
| codetrotter wrote:
| https://youtu.be/ikiuMXuueL4
| nonethewiser wrote:
| Well you certainly snarfed it up
| pjbeam wrote:
| As in eagerly consume into poster's lexicon I think.
| lagniappe wrote:
| it means copy http://acme.cat-v.org/readme
| MisterTea wrote:
| All of plan 9 uses "snarf" in place of "copy".
| techbro92 wrote:
| Wow, that's insane
| labster wrote:
| Do they follow the Berne Convention on Snarfright?
| valleyer wrote:
| http://www.catb.org/jargon/html/S/snarf.html
| [deleted]
___________________________________________________________________
(page generated 2023-05-24 23:00 UTC)