Schneier on Security
A blog covering security and security technology.
July 25, 2013
Details on NSA/FBI Eavesdropping
We're starting to see Internet companies talk about the mechanics of how the US government spies on their users. Here, a Utah ISP owner describes his experiences with NSA eavesdropping:
We had to facilitate them to set up a duplicate port to tap in to monitor that customer's traffic. It was a 2U (two-unit) PC that we ran a mirrored ethernet port to.
[What we ended up with was] a little box in our systems room that was capturing all the traffic to this customer. Everything they were sending and receiving.
Declan McCullagh explains how the NSA coerces companies to cooperate with its surveillance efforts. Basically, they want to avoid what happened with the Utah ISP.
Some Internet companies have reluctantly agreed to work with the government to conduct legally authorized surveillance on the theory that negotiations are less objectionable than the alternative -- federal agents showing up unannounced with a court order to install their own surveillance device on a sensitive internal network. Those devices, the companies fear, could disrupt operations, introduce security vulnerabilities, or intercept more than is legally permitted.
"Nobody wants it on-premises," said a representative of a large Internet company who has negotiated surveillance requests with government officials. "Nobody wants a box in their network...[Companies often] find ways to give tools to minimize disclosures, to protect users, to keep the government off the premises, and to come to some reasonable compromise on the capabilities."
Precedents were established a decade or so ago when the government obtained legal orders compelling companies to install custom eavesdropping hardware on their networks.
And Brewster Kahle of the Internet Archive explains how he successfully fought a National Security Letter.
Posted on July 25, 2013 at 12:27 PM
I'm wondering how much compliance with the NSA costs, and how much of that is passed to the end user.
"...could disrupt operations..." you say?
Yes yes, we know your internet service is down. We're terribly sorry, and we're trying to figure out how to fix things right now.
You see, this morning a bunch of armed men in black from the government showed up, flashed some paperwork, walked straight into our server room and started plugging in a bunch of stuff they brought. Said it was for national security or something, but they won't explain why.
We're trying to fix this mess... but... I don't know. We're still just trying to figure out how much they unplugged! It's going to take days - maybe weeks - before we get things back to anything close to "normal", and it's all the fault of these idiot feds!
Let them come. Is this really the PR hit the NSA et al. wants, given how they have tried everything to keep people from talking about their actions? Large attention-grabbing disruptions with an obvious trail back to "the feds" is the last thing they want.
@pdkl95: They're given gag orders along with the order to hand over/give access to the data. It's already damaging the trust with the larger providers, this extends the damage to smaller providers as well. Essentially all of this is just short of wholesale destruction of social trust in progress.
@John Moore: all of it is passed to end-users. It's only good to know that US TLAs buy their data-stealing stuff out of their own pockets and install it themselves - even if their pockets are actually filled by the citizens, they have more-or-less limited budgets for that.
In Poland, for that matter, telecom businesses are legally obliged to present a well-specified interface to the TLAs to allow them to request customer information (personal and contractual data), request connection metadata and establish/cancel real-time or off-line (store and retrieve later) wiretaps for specific subscribers (identified by name or subscriber number etc.) or equipment (identified by some technical id like address or equipment ID - in case of unknown subscriber, for example pre-paid phones) and for specific type of data (like metadata only, all voice traffic, all IP traffic etc.). They are required to archive metadata for 1 year (shortened recently, it was 2 years before). The law requires that the interception system is able to tap a specific fraction of all traffic going through. Wiretap requests in theory shall be backed by a court order (customer data and metadata are not protected), but in some prescribed cases agencies can wiretap first and seek the order later (in 7 days) - if they don't get the order they shall destroy the data (but there are no effective checks if the data is actually destroyed). In practice, wiretap applications are extremely rarely challenged by the courts.
Additionally, companies larger than certain size measured in subscriber count are required to maintain secure rooms for processing wiretap requests and keep so-many people with appropriate clearances on hire or contract, to be able to respond to requests in "secure" way. There was a proposal of a law I have read once, which was strongly opposed by the industry then (I am not sure if it came into law or not or was amended during the process) that prescribed one security-cleared employee/contractor for every so many network endpoints or assigned (not: actually used) protocol addresses. It shows the level of incompetency of the lawmakers - in the IPv6 era all Earth's population would not suffice to police the network of a small and rather unimportant country.
All of this is on companies' expense - or their subscribers really.
Obligatory reporting reveals that in 2010 there were 1,8M requests for information sent by all agencies to telcos for some subscriber information (for a 38M nation), but officials try to downplay that number by saying that one case may require tens or even hundreds of requests for different information to many providers, like, for example, since subscribers may move to another provider while keeping their phone number, authorities have to make many requests for a single number etc.
After the telecommunications carrier Qwest refused to go along with Bush's illegal wiretapping, the company was denied a large government contract, the CEO was charged with insider trading, and the company eventually had to sell itself off.
It was the only telecommunications carrier that refused to go along.
I believe that many of the problems we are presently facing are solved by clearly defining, and re-strengthening, the property rights of the average Joe.
In addition to counting horses and cows and houses as a person's property, we should also be counting email and digital files and cell phone metadata as personal property, as well.
But for some reason we have forgotten that these things are our property, and we have rights to ownership over them.
Bruce - I watched the talk you gave at Google and thought it was brilliant. Your metaphor of feudal security is highly workable. And I believe that your metaphor is also consistent with history with respect to property rights - as soon as a feudal subject's right to own property was officially recognized, the feudal system was over.
Am I right about that?
It's not about privacy - it's about property.
I believe that this is the legal path out of this mess.
Great blog. Thanks for your work. Your ideas have become more important than ever.
@pdkl95: The custom black box was probably installed pursuant to a National Security Letter that supersedes the First Amendment along with the Fourth. Were the ISP to send its customers the announcement you described, they would be subject to whatever penalties apply to disobeying the gag order (and they're probably very harsh).
It's critical to National Security that the enemy (i.e., the American public) be kept ignorant of what the NSA are doing. The War on Terror cannot be won unless it's fought in secret.
I've long wondered what would happen if ISPs that aren't handing over information simply stated that fact periodically. Once an order is placed from the government you simply no longer state that fact. Can't ensure that they're being honest, but would stopping the periodic announcement incur the penalties...or are you required to actively lie to your customer base after that point...
Allen Stanfield "defining, and re-strengthening, the property rights of the average Joe.... is the legal path out of this mess."
Government agencies, health providers, Internet companies, and the emerging horde of big data vampires have somehow engineered ambiguity into the law such that private property (your bits, your data, etc) can be freely stolen for purposes other than intended by the creator and owner, which is us.
It's a free ride - wanton thievery - that's actually getting more and more brazen every year, not less. And it's got to be stopped.
@Kyle Wilson: someone is doing this already.
I remember reading some niche hosting provider terms (being pointed to them by some news article) saying that they had not received an NSL yet as of stated date and time. The page was being updated regularly with a new date and time and cryptographically signed. They promised to just 'forget' the signing key once they receive an NSL. Or something like that - I just can't remember the details now.
IANAL, but I think gag order means you can't say something under penalty. It doesn't mean you have to say something else.
Anyone else catch that last line?
Interviewer: "Do you encrypt all your own e-mail, as a result of this stuff?"
Kahle: "No, that’s really hard."
I think a new project is necessary to solve this old problem. We have the tech. We just need it put together properly. I'd say the team should be a combination of old cypherpunks (wisdom), people experienced w/ secure email issues in businesses (solid requirements), and young hackers (for the heavy lifting). Cross-platform, type-safe and modular code would be pluses.
If it's clean slate, I'd also advise making the baseline EAL5 equivalent assurance b/c it raises the bar for security, while also allowing decent tradeoffs. Focus on where it counts the most and so on. An EAL5 secure email tool should be so easy to do (for smart developers) that I'm surprised someone hasn't built one already. Oh yeah, lack of demand again. ;)
Agree w/ all the comments.
jones's shows just how weak these modern companies can be to the FEDs. Fight these psychos! They will turn you psycho! They can own me in a million ways that I cannot possibly fight by myself (as Aaron Swartz found out). I won't kill myself so if my death is ruled a suicide it was a murder.
The more I read about the Internet Archive, the more I like. Granted, it should be made clear to anyone before internet use that it could be archived somewhere forever, so the potential privacy violations don't outweigh history preservation. Helpful in my research, telling the FEDs to suck it (What was the order even for? Will we even know what they thought was a threat?), quirky little organization making knowledge open and free (a library should offer free internet) yet also allowing people to keep their private sites from being crawled (I'd have to look a little deeper to be sure this is really happening). It's how I envision civil society and human progress; and it's how we advance, so long as people still want to learn.
--Yeah I caught that line and was like, wtf? That the article mentioned that and the EFF was why I thought Bruce included it. Put it together then and make a business if it's so easy (if it can prevent many other endpoint issues as well); there will be demand for sure.
It seems my little narrative is distracting from my main point. You can't keep a disruption in services secret! The details said by the (possibly under gag-order) business aren't really the point, which is simply that strong-arming tactics like that are likely to cause disruptions, and disruptions are noticed, especially when they become more frequent.
While one business or single incident might be contained (temporarily) with things like a gag-order, it is not sustainable. A "secret order" isn't really a "secret" anymore if you use it on everybody.
Now, this suffers from the traditional problem associated with most forms of group-power - whomever gets hit first might end up having to take one for the team, before the group-effect has fully established. Of course, the flip side to this is that (seeing as we're having this conversation right now as a nation) the "compliance" option probably wasn't a sustainable way to maintain their secrets either, so it may not matter in the long-run.
The problem of "gagging orders" pops up yet again and for those with an in-depth interest have a look at the academic and legal theory arguments that came up around the UK Regulation of Investigatory Powers Act (RIPA).
For those with a more philosophical interest consider this,
1, A lie can be by making a statement or not making a statement.
The latter is usually referred to as "A lie of omission" and appears in "honour codes" more than it does in law where it's usually covered by "withholding evidence" laws.
2, In our formal reasoning we have a binary state something (statement/formula/etc) is either "considered true" or it is "considered false".
That is we don't usually have "shades of grey" in formal reasoning even though we know and accept "not proven", paradoxes and that the world is multivalent. This is because unlike the real world we exclude such things prior to applying formal reasoning to enable us to reason consistently.
3, Part of "the rules of the game" is that the rules apply equally if we are trying to prove true or false and thus are independent of the values or outcome.
The consequence of this can be applied to statement one above in that the truth can likewise be told by making or not making a statement.
Legal gagging orders recognise this thus you would be found guilty of a breach if you made a statement or did not make a statement that could be used by a third party to work out with reasonable probability that an order had been applied. That is a discernible change of behaviour from giving statements to not giving statements, or the reverse of from not giving statements to giving statements would be a breach.
Which makes life awkward to put it mildly, because under accounting and company law you are not allowed to make misleading statements to those who have an interest or might take an interest in a company's activities.
Unlike some government officials who have a "get out of jail free card" that enables them to lie to all and sundry company officers do not have such a card and it is unlikely that the order could be used as such which makes the whole thing a "Catch-22 Proposition", or the old "Damned if you do, damned if you don't.".
It is the same as the issues of "you cannot lie to a Federal Officer" or for that matter refuse to answer their questions.
In both cases there is a legally prescribed route by which you can navigate this perilous landscape but you have to know it and to have applied it long long prior to the event actually occurring...
I've long wondered what would happen if ISPs that aren't handing over information simply stated that fact periodically. Once an order is placed from the government you simply no longer state that fact.
A variation of Jessamyn West's "The FBI has not been here" sign (?)
Ok, so under this reasoning, if you are asked by someone "have you received an NSL?" and you haven't, it is legal to say "no", and in some cases it is illegal to say "yes" (lying to federal officer) or maybe even illegal to stay silent (refusing to testify). But when someone asks you the same question after you have received one, there's no legal answer, right? Especially if you had said "no" before?
" Put it together then and make a business if it's so easy (if it can prevent many other endpoint issues as well); there will be demand for sure."
I wish it were the case. The few vendors that have produced highly assured products haven't done well in the marketplace. Maybe businesses just love feature bloat & legacy systems too much. Then there's patents. I've probably invented over 100 things that could be targeted by patent suits. That I don't compromise on my ethics or sell out means that I'd rather avoid forming a company with such assets than let a big company take them away and pervert them into tools of false security. (Esp if my name was still on the work). A more practical person would probably just take the money. Maybe I should be more practical. Till then, I'm careful in how I deploy my ideas and most work was for closed groups under confidentiality agreements.
Note: I have long considered putting control of the intellectual property in the hands of trustworthy, motivated foreigners in countries that wouldn't enforce restrictions on it. Then, all development can go to a site on that country and software releases be built from it. Local usage could be supported by companies under consulting arrangements that officially were security in general or another tech at the company, but unofficially included the controversial tech. See how complicated our laws make this though? How many potential buyers would want to take the risk when the whole point of security is mitigating risk?
@ Peter A.,
The NSL in effect requires you to behave in the same way after the NSL was presented that you did before.
So if your statements prior to receiving an NSL were "We've not had an NSL" then the NSL requires you to keep saying the same afterwards.
The problem is that prior to the NSL you were telling "interested parties" the truth, after the NSL you are telling them lies.
That leaves you open to all sorts of legal issues under accounting and company law, if it is later discovered you have been telling investors and shareholders lies...
Likewise if you do anything else that means that the existence of the NSL becomes public knowledge (like putting up a "Feds have been here" logo etc etc).
In effect the only response you should give from day one is "As corporate policy we do not make comment" and stick to it.
The problem with that is "Lying to Federal Officers" covers all Federal employees irrespective of if they are FBI/NSA or the IRS etc. And it's a case of the "Left hand should not know what the right hand is doing" the NSL requires you not to tell them about the NSL, thus you are required to lie and break the law, but you cannot use the NSL in your defence...
Likewise it requires you to lie to auditors which means your company filings are likewise a lie, and a clever auditor or forensic investigator will spot this within a very short time. But you can't tell them "I'm sorry but I can't tell you" because that would reveal the fact you had been given an NSL or equivalent...
It has other implications, there you are a major telco or other organisation and you find you have possibly been hacked, what do you do? You obviously cannot call in external companies / consultants because almost the first thing they would find out is any technology behind servicing the requirements of an NSL. You could turn to the FBI/NSA but that has all sorts of implications that might lead to you being prosecuted.
If you remember back Google called in the NSA over what at the time was indicated as "China APT" issues. However a lot of speculation at the time was about surveillance tie up with the NSA. Which many will now regard as indicative proof of Google spying for the NSA... Thus no matter what the real facts are Google are in effect tarnished.
Whilst Google / Microsoft / Adobe / Facebook might have sufficient "Market Inertia" to survive consumer blowback from the US and sufficiently large legal depts to fight the excesses of the Feds the same is not true for smaller organisations. But the US is not the major market in the world it falls behind Europe and Asia thus even the big US players could find themselves on the receiving end of EU and other non US jurisdiction legislation.
If you think about it US organisations could easily find themselves on the wrong end of judgments the likes of Microsoft and Google have already had sanctions against them for very much "lesser crimes". It would take very little political influence to cause this to happen, and the results could be devastating for US companies. Sufficient even to break their market strangle hold.
From a US economic view point this could be a significant factor and as such that makes it a "National Security" issue requiring input from "the highest in the land".
Or to put it another way potentially "There is a Perfect S41t Storm" on the horizon and if it hits the fan there is no knowing where the fall out will land, in what quantities and how. One consequence would be the software industry would fragment badly with market shares dropping down to tiny fractions of what some of the big players currently have. Will it happen I don't know but it is one of the things on Hayden's and similars minds. The fact that the situation is of their own making will not stop them...
@ Nick P
If you are thinking of looking at Europe I'd take a look at the UK's "Limited Liability Partnerships" (LLP's) "Offshore based" in one of the small European principalities or tax havens in say the Turks and Caicos Isls.
Various organisations do this. One of the worst offenders for this sort of thing is Apple who have off shored most of their activities in one way or another using various shell companies and its arrangements mean that the level of tax they pay is estimated to be less than 1%.
As previously discussed Switzerland is an interesting place to set up companies, however they now inform other nations about monies held there. But that is fairly easy to get around.
The trick you want to think about is "licencing technology" in such a way that you would not reasonably be expected to know what algorithms etc are used (ie licence compiled programs or object code libraries etc). If you think about it by far the bulk of software is licenced this way and often you licence a program from a supplier, who in turn licence technology in library form from another company. That in turn licences the IP from somewhere else.
Likewise your sales company should have no assets of its own it should rent or lease all equipment, furniture etc from other companies and have been setup as a "startup" that's in effect not making sufficient sales to make a profit over and above any liabilities for setup loans etc etc.
Thus if somebody comes after the company it folds with no assets only liabilities etc. The shareholders are not individuals but investment companies that likewise debt loaded. The officers of the sales company are not individuals but LLP's etc.
The important point is not so much tax efficiency but ways of deterring others from trying to take civil action intended to extort money in the way patent trolls try it on.
--Then those vendors need to bring along an engineer w/ the sales team to either explain the product sufficiently or get a new sales team. I hate the bloat and I hate preloaded programs on my computer, I want clean solutions, functions that do their damn jobs completely and no goddamn backdoors that I don't know about.
Not speaking from personal experience (hopefully I'll get there), but my dad has a few patents, at bigger companies they become their property and their lawyers deal w/ it. Recently, he's had to deal w/ the lawyers some and it can be a real pain. And I know from trying to read the law that it is a real pain and I spot so many arbitrary "spur of the moment" laws, I get very angry; it is not clever to create bullshit. This isn't like software or hardware that is nature being discovered, it's being created by us (maybe it is nature but it's a choice) and it's unnecessary and hindering growth and forcing workarounds which is a massive waste of paper, money, and time.
My time hasn't come for worrying about patent law, but I think I'm going to get really angry when or if I have to.
If someone subverts your creation that's not your fault so I would keep your name on it. Except if you're creating some extreme weaponry like an atom bomb. My main concern w/ my research is it being stolen so I need a physically secure lab where I can relax a little and really work on some problems I want to solve.
So back to the beginning, I can't lead a project like this, way too little experience; haven't seen enough code. Willing to do the dirty work, been doing that my whole life. No one does it, the world's a shithole. My grandma got cancer from working around a nuke lab so sacrifice runs in the family. She joined a group that says, "Thanks for keeping America Free!"; f*cking disgusting. Workers used to dig for Uranium w/o any sort of protection so they were f*cked and considered expendable.
Anyway, so someone already in the field needs to step up and they can't be subverted! And sometimes you need to be a bit of an asshole like Linus Torvalds to get things done; so long as the asshole is doing actual work him/herself and not simply just being an asshole.
@Allen Stanfield, so right! The NSA is holding my personal information which I have not authorized them to do. My personal information is my personal property and I lease it out to businesses to smooth transactions.
Thus the NSA is guilty of "personal information piracy" and I am left wondering if I should ask for a DMCA takedown of their site.
From what I understood of the link, The box was connected and recording for 9 months, without the information being accessed. That tells me the information was not time sensitive, and therefore (I hope) not terror threat related. Am I missing something, or does that indicate that it was more likely a fishing expedition?
On another note, there is a third way to lie, not listed above. You tell the truth, and maybe even tell all of it, but tell it in such a way that everyone thinks you are lying.
I'm inclined to give these folks my business because of their transparency on the issue. I guess I would rather pay archive.org instead, for their better stance, but that's not an option. Am I thinking about this clearly?
You tell the truth, and maybe even tell all of it, but tell it in such a way that everyone thinks you are lying.
I would love to see Apple or Microsoft hiring Crusty The Clown to announce on national cable TV that they have not received any NSL's whatsoever and that the NSA has no direct access to their networks.
Actually, the way it would work in that example would be for someone high up in the company to say (dripping with sarcasm)
"Sure! We got so many FISA requests that we decided it would be easier to just turn over our hardware division to the government. That way they could build in their own back doors and stop bothering us." Adding a laugh and a look of "are you kidding/that stupid?" at the end for effect.
I'm not saying it's a smart move. My point was a small one, that there really are more than two ways to lie.
Wednesday, 31 July 2013, 10:00 AM EDT
Senate Building, Washington D.C.
Senate Judiciary Committee Hearing
NSA Surveillance Program Hearing
MY COMMENTS AND OBSERVATIONS (a shallow dive)
Some subtle observations about the Judiciary hearing on Wednesday; almost every senator that made the hearing (some senators did not attend) were former prosecutors. I believe two of the senators, Lee and Franken, to be outsiders (no prosecution background).
The second observation was the apparent condescending attitude shown by the "prosecutors" during the hearing whenever the context of the discussion revolved around the positive benefits of surveillance programs and its value to LEO's or when another senator expressed dismay about a/the program(s). This condescension had the familiar form--the problem with these programs is the public's misunderstanding of the issues. Besides, the LEO's need these authorities to keep us safe. They'd argue that the statutes don't go far enough.
The security theatre on display was that of typical prosecutor posturing--"We're never wrong, you just don't know the law or the facts!" One problem I see is with the committee structure itself; a lack of jurists on the committee and I don't recall a public defender, a death penalty, or criminal defense lawyer on the Judiciary--this seems to be another ex-parte, one-sided, biased, and totally ineffectual congressional committee (it is a service to itself and others like them--very undemocratic).
The feeling of contempt for these senators begins when "senators that were prosecutors" are unaware of their internal bias towards the LEO's and not the function of the judiciary (the federal courts) and their inability to comprehend or their out right contempt for constitutional law.
Lastly, the witnesses called before the committee did not include any civil libertarian, constitutional scholar, or any authority on United States history. They were all government witnesses.
And, the witness missing from the committee witness list--the citizenry of the United States of
MY COMMENTS ON THE HEARING
Wednesday, 31 July 2013, 10:00 AM EDT
Senate Building, Washington D.C.
Senate Judiciary Committee
NSA Surveillance Program Hearing, Part II
One senator, Sheldon Whitehouse, seems to have a grasp of the historic perspective, the underlying subversion of foundational laws, and the issue of secrecy gone amok. Whitehouse almost touched on the unstated "below the radar" lawlessness of this and other activities...but most senators approached the issue(s) with a lack of propriety required by this issue.
Senators seemed to be bothered by the well articulated statements about the constitutionality of the activities but were magnanimous enough to offer changes to the FISA process, not the NSA's practices. Again, failure on the part of our government officials at the highest levels unwilling to uphold and defend the very instrument that gives them the position, authority, responsibilities, and the office they hold--it is the ultimate in hypocrisy.
During the hearing witnesses took pejorative stances and the role of schooling the committee members on why their activities are legal.
The FISA Process:
First, the rationale for the government's (the executive) unconstrained authority under section 215 of the FISA, using the Smith decision regarding third party data collection (known as the third party doctrine) there is no expectation of privacy. Given that logic, the government can collect all the records wherever generated (business cannot do this, imagine Amazon collecting IRS tax returns).
There is no functional parallel in a manner, no standing law, statute, or case that approves this process. The answer to the question from Patrick Leahy (paraphrased) "Wouldn't collecting all the credit card data also be valuable for terror investigation? Couldn't purchase information also indicate a terrorist activity?" The answer from the deputy AG suggests that the data isn't valuable--not that they don't collect it.
Second, as there is no restriction on the data collected (i.e. third party business records) under the 215 authority and thus the government is unconstrained. Imagine the ability to randomly pick a number, like a lottery, making a non prejudicial "peek" and if it hits something (cross referenced to any number of other data sets) it automatically gets tagged as "Probable Cause" worthy.
Third, a hit on the database then programmatically produces a probable cause event, in other words; with no pretext, it is possible to produce a probable cause warrant by way of an SQL select statement.
This action produces a chain of events--an illegal escalation of an event (no probable cause when the first look occurred) can now trigger a third order probable cause chain--automatically. This means a piece of data considered relevant becomes probable cause resulting in a chain of suspension that can cascade into over two million "probable cause" targets. This is unreal!!!
FROM ZERO TO PROBABLE CAUSE IN 10.9 NANOSECONDS:
The most destructive component of this act against the 4th amendment is on the first step in; no need for probable cause, only relevant, and that relevant can expand automatically (programmatically) to probable cause not just on one target but of all or any associations with that person and their associations. Here is how you need to rewrite the 4th amendment...
DRAFT OF NEW FOURTH AMENDMENT TO THE CONSTITUTION
'The right of the people to be secure in their persons (except where others can provide information about you we might find useful--we can amass in store for some period of time), houses (except when drones or satellites fly over with infrared cameras), papers (except papers stored electronically or held by anyone else), and effects (but must be made available during a sneak and peek), against unreasonable searches and seizures (unless congress decides otherwise), shall not be violated (if the day of the week is Sunday, and the week is the second of the month), and no Warrants shall issue (see, we don't need warrants), but upon probable cause (we've already established suspicion and are sure you're guilty of something), supported by Oath (we don't know anything about Oaths) or affirmation ("yup"), and particularly describing the place to be searched, and the persons or things to be seized ("We don't need no stinking badges").'
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.