Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe.<p>--<p>Obligatory statement on <i>NEVER USING SHA-1 HASHES</i> to make passwords "safe".<p>Any normal person can brute force millions of SHA-1 hashes (salted however much you want) per second on a GPU.<p>If the FBI so wanted (although I don't believe they do) I'm sure they could brute force almost every single password in that database. Granted, it's the government and they have better ways of obtaining such information, but if there is someone the FBI is watching on Instapaper's databases and they so wanted, storing the SHA-1 hash of the password all but handed them over to the FBI.<p>I am now glad my Instapaper password was generated randomly, 16 characters long, and I will now change it just to be safe.<p>For anyone running a database which stores ussername/passwords, take a look at bcrypt or scrypt. They're millions (no, I am not exaggerating) of time better than SHA-1.<p>(Edit: Grammar)
Surely there is a legal precedent which provides at least some framework for what can or cannot be seized during a warrant search? This can't be the first time government agents have mistakenly seized property in an otherwise lawful search.<p>Also, while I completely understand Instapaper's unwillingness to pursue this through the courts, that <i>is</i> the way our legal system is structured. If you believe you have been harmed in some way by a government action, the courts are the avenue through which you must obtain recourse.<p>(Not a lawyer, so if I'm wrong about any of the above please correct me.)
The more I think about it, the more I think this should be treated the same as any of the other thefts of data information to have happened in the past few months. Sony, Toyota, Sega, etc. A potentially hostile group now has a ton of personal info. People should know.
So, the FBI has a copy of Instapaper's complete database and a copy of their website code. The database includes:<p>- Salted SHA-1 hashed passwords for Instapaper<p>- Encrypted passwords for linked Pinboard accounts (with the encryption key stored in the website code)<p>- OAuth tokens for linked Facebook/Twitter/Tumblr accounts (and presumably also the secret keys used by Instapaper to use those tokens).<p>That's (potentially) a lot of personal information.
I think the OP was unreasonably harsh on DigitalOne (never heard of them let alone have any interests). It is very possible that they are consumed with FBI questioning, gag orders or who knows what else. I would give them a pass for a few days until more detail comes out.
"a Swiss hosting company leasing blade servers"<p>If they are truly blade servers, then they were possibly sharing the same chassis, power supply and backplane. Could the FBI have pulled just the blades in question? Possibly. But I can very easily imagine the entire blade chassis being viewed as a monolithic component that they would want to be able to perform whatever forensic analysis they are planning. They could also have pulled whatever blades they were not after, and left them, but until you replace the chassis, you are dead in the water.
To be clear, the server stopped responding, and the host he is paying for the server has not responded at all. The server could simply be unplugged, or all the network cables were unplugged during the raid. Who knows? I guess "The FBI stole my server is a better headline" though.<p>In my experience with our leased data center cages, we are expected to fly in to town if we ever need to physically manipulate the servers or even plug things in. The data center employees don't even go into the locked cages.<p>If the FBI forced open a locked cage, and did stuff in there, I would not expect anything to be addressed until DigitalOne showed up to fix it.
I'm trying to think of an analogy which can explain why this might be reasonable from the FBIs perspective.<p>Suppose you were using a shared storage space (shared servers, or server farm) with several other dudes. One of them is a drug dealer. One day the police/FBI decide to raid the storage space since the drug dealer has been using it to store illegal drugs.<p>Is it not reasonable to consider this collateral damage (which, granted, is totally unnecessary) during law enforcement operations?<p>I'm not saying this is OK in any case, but might this not be a reasonable move by the law enforcement agencies?
Why isn't Facebook having their servers seized? Google? Amazon? If the FBI is really targeting the "badguys" I'm sure there have been more badguys using facebook/gmail/AWS than any single colo.<p>Why haven't there been similar seizures of any larger corporate entities? Even if the current FBI practices are valid, should the application of those practices be a function of size/wealth/power? Which servers of Sony's were seized after distributing rootkits?
Looks like it's back:<p><a href="http://twitter.com/instapaper/status/84106275796946944" rel="nofollow">http://twitter.com/instapaper/status/84106275796946944</a><p>"As of 2 minutes ago, my DigitalOne server is back online. The logs indicate that it was off and not booted during the time it was missing."
I think it may be prudent to begin encrypting all data on disk that can reasonably be encrypted while being able to set up the server remotely so that no one can just snatch your server and get all your data.<p>This could work by encrypting your database in a truecrypt volume that must be mounted by entering the password. Thus, the data is only ever saved on disk in encrypted form, and the key to access the data is not saved on the disk. Of course, it is still in principle possible for anyone to access that information if they have physical access to the computer while it's running, but at least this makes that much harder.
Turns out the server was not stolen!<p><a href="https://twitter.com/#!/instapaper/status/84106275796946944" rel="nofollow">https://twitter.com/#!/instapaper/status/84106275796946944</a>
It would make for an interesting Freedom of Information (equipment) request. "Give me my damn server back." But the damage is of course done.<p>If you are a voting citizen of the US I recommend you write (not email, write a letter, put postage on it and everything) to your elected congressional representatives and ask that Congress immediately put curbs on the police powers of the FBI when it comes to infrastructure seizures.
You think it's a coincidence they nabbed Whitey Bulger this morning, after 16 years on the run?<p>His Instapaper account was probably full of stories about Santa Monica.
What's the proper way of storing OAuth tokens in this situation? Given that all the tokens of users and your private key is on the server (even if it's embedded in code), there's no way for Instapaper for keeping those tokens secure in case of a compromise (by FBI or Lulzdudes or anyone).<p>Seems like Instapaper should change it's private key for, say, Facebook.
is there a better solution that encrypting data and putting the password in the source? obviously this is for cases where you can't use a hash.<p>it seems to me that, at least, it would make sense to have the db and web server physically separate in that case (although i guess someone stealing hardware is not normally a common scenario).
Hmm. I've built something similar to instapaper for myself. (Using a native OS X app). People were making jokes at me how I was re-inventing the wheel.<p>Now I'm somewhat happy having done the extra work. At least the FBI doesn't have my "read later" bookmarks. (Which often consist of the words 'hack', 'malware' and 'reverse engineering'.)<p>I guess I will reinvent the wheel instead of using cloud services more often in the future.