FBI raids home of prominent computer scientist who has gone incommunicado

arstechnica.com/security/2025/…

A prominent computer scientist who has spent 20 years publishing academic papers on cryptography, privacy, and cybersecurity has gone incommunicado, had his professor profile, email account, and phone number removed by his employer, Indiana University, and had his homes raided by the FBI. No one knows why.\
\
Xiaofeng Wang has a long list of prestigious titles. He was the associate dean for research at Indiana University's Luddy School of Informatics, Computing and Engineering, a fellow at the Institute of Electrical and Electronics Engineers and the American Association for the Advancement of Science, and a tenured professor at Indiana University at Bloomington. According to his employer, he has served as principal investigator on research projects totaling nearly $23 million over his 21 years there.

luddy.indiana.edu/contact/prof…

Profile of XiaoFeng Wang\
\
The profile you are searching for is no longer an active account at the Luddy School of Informatics, Computing, and Engineering. If you are trying to reach a former faculty or staff at Luddy, please contact us at luddy@indiana.edu for support.

His wife, Nianli Ma, has also disappeared. Neither Wang nor Ma have been publicly accused of any wrongdoing.

This is what it's going to be like until we rid ourselves of Trump. People will simply disappear, without any accusations of wrongdoing.

#ars #arstechnica #fbi #computer-scientist #computer-science #cryptography #privacy #cybersecurity #indiana #indiana-university

A prominent computer scientist who has spent 20 years publishing academic papers on cryptography, privacy, and cybersecurity has gone incommunicado, had his professor profile, email account, and phone number removed by his employer Indiana University, and had his homes raided by the FBI. No one knows why.

Xiaofeng Wang has a long list of prestigious titles. He was the associate dean for research at Indiana University's Luddy School of Informatics, Computing and Engineering, a fellow at the Institute of Electrical and Electronics Engineers and the American Association for the Advancement of Science, and a tenured professor at Indiana University at Bloomington. According to his employer, he has served as principal investigator on research projects totaling nearly $23 million over his 21 years there.

He has also co-authored scores of academic papers on a diverse range of research fields, including cryptography, systems security, and data privacy, including the protection of human genomic data. I have personally spoken to him on three occasions for articles here, here, and here.

"None of this is in any way normal"

In recent weeks, Wang's email account, phone number, and profile page at the Luddy School were quietly erased by his employer. Over the same time, Indiana University also removed a profile for his wife, Nianli Ma, who was listed as a Lead Systems Analyst and Programmer at the university's Library Technologies division.

According to the Herald-Times in Bloomington, a small fleet of unmarked cars driven by government agents descended on the Bloomington home of Wang and Ma on Friday. They spent most of the day going in and out of the house and occasionally transferred boxes from their vehicles. TV station WTHR, meanwhile, reported that a second home owned by Wang and Ma and located in Carmel, Indiana, was also searched. The station said that both a resident and an attorney for the resident were on scene during at least part of the search.

Attempts to locate Wang and Ma have so far been unsuccessful. An Indiana University spokesman didn't answer emailed questions asking if the couple was still employed by the university and why their profile pages, email addresses and phone numbers had been removed. The spokesman provided the contact information for a spokeswoman at the FBI's field office in Indianapolis. In an email, the spokeswoman wrote: "The FBI conducted court authorized law enforcement activity at homes in Bloomington and Carmel Friday. We have no further comment at this time."

Searches of federal court dockets turned up no documents related to Wang, Ma, or any searches of their residences. The FBI spokeswoman didn't answer questions seeking which US district court issued the warrant and when, and whether either Wang or Ma is being detained by authorities. Justice Department representatives didn't return an email seeking the same information. An email sent to a personal email address belonging to Wang went unanswered at the time this post went live. Their resident status (e.g. US citizens or green card holders) is currently unknown.

Fellow researchers took to social media over the weekend to register their concern over the series of events.

"None of this is in any way normal," Matthew Green, a professor specializing in cryptography at Johns Hopkins University, wrote on Mastodon. He continued: "Has anyone been in contact? I hear he’s been missing for two weeks and his students can’t reach him. How does this not get noticed for two weeks???"

In the same thread, Matt Blaze, a McDevitt Professor of Computer Science and Law at Georgetown University said: "It's hard to imagine what reason there could be for the university to scrub its website as if he never worked there. And while there's a process for removing tenured faculty, it takes more than an afternoon to do it."

Local news outlets reported the agents spent several hours moving boxes in an out of the residences. WTHR provided the following details about the raid on the Carmel home:

Neighbors say the agents announced "FBI, come out!" over a megaphone.

A woman came out of the house holding a phone. A video from a neighbor shows an agent taking that phone from her. She was then questioned in the driveway before agents began searching the home, collecting evidence and taking photos.

A car was pulled out of the garage slightly to allow investigators to access the attic.

The woman left the house before 13News arrived. She returned just after noon accompanied by a lawyer. The group of ten or so investigators left a few minutes later.

The FBI would not say what they were looking for or who is under investigation. A bureau spokesperson issued a statement: “I can confirm we conducted court-authorized activity at the address in Carmel today. We have no further comment at this time.”

Investigators were at the house for about four hours before leaving with several boxes of evidence. 13News rang the doorbell when the agents were gone. A lawyer representing the family who answered the door told us they're not sure yet what the investigation is about.

This post will be updated if new details become available. Anyone with first-hand knowledge of events involving Wang, Ma, or the investigation into either is encouraged to contact me, preferably over Signal at DanArs.82. The email address is: dan.goodin\@arstechnica.com.

I was thinking about personal data security and let my mind wander. I decided that if you were exceptionally paranoid then........

When thinking about personal data it may occur to you that, once you have implemented an adequate 3 stage backup system to avoid data loss, your main risk is the exfiltration and use of that data for nefarious purposes.

Personal data, e.g. the pictures or messages on your phone or pc, can imply many different things such as religion, sexual orientation, health details, political views etc. that could potentially be used against you by a bad actor.

As such, it would seem rather inadvisable to hold any data on any device that is not encrypted in a fashion whereby only you hold the encryption key.

Further, if you are going online using the device then, even if the device has a trusted os that implements full disk encryption, then it would also seem inadvisable to hold any data on the device that isn't seperately encrypted within the operating system. The data would be protected before first unlock by the os encryption and after first unlock by the seperate encryption.

As the password for this seperate encryption would neccessarily need to be complex you would be best storing this within a trusted password manager that employs zero-knowledge encryption or even better one that does not employ cloud-based syncing. You would also probably want to pepper the password with memorised additional digits.

You might then consider that, as encrypted data, while not especially useful now, may be seen as potentially more valuable should it be exfiltrated and stored for future decryption once technology allows, it may not be the best idea to store this encrypted personal data on any device that connects to the internet or even in a zero knowledge encrypted cloud-based storage solution.

You would then presumably decide that it is best to carry all the data you may wish to access at short notice encrypted on a portable simple data storage device that you could connect to any devices you wish to access the data on. You make the assumption that whoever mugs/holds you up/pickpockets and takes the data device is less likely to hold onto the encrypted data than an online attacker.

It is possible that you would then adjust your 3 stage backup system to be based on 3 non-internet-connected simple data storage devices kept in 3 seperate locations, one of which you carry around with you.

It was at this point that I decided to stop thinking about it. Lol. As noted, this train of thought would probably only occur if you were exceptionally paranoid and it could be theorised that at that point it is debateable whether you are more at danger from data exfiltration and exploitation or the very angry rabbits that want to know why you are so far down the rabbit hole. Lol.

Hey all, so I randomly decided to check over Windscribe's VPN relationship chart again to look over some stuff on various providers. I always make sure to check the sources rather than just taking what it says and I already use Mullvad so it was really just mindless reading more than anything.

But going through Surfshark's entry, there was this

[3] SurfShark's TrustDNS app is used to collect data on the user for advertising and marketing purposes.

Advertising. We may receive certain information about you (cookie id, mobile device id, when you use our Trust DNS app – advertising IDs, in app events, such as in-app purchase or amount and type of ads watched, information about what browser, network, or device is used to access and use Trust DNS) from certain advertisers and advertising partners for advertising purposes. Our advertising partners help us deliver more relevant ads and promotional messages to you, which may include interest-based advertising and account-based advertising." Legal basis for the processing of personal information is our legitimate interest to deliver relevant ads and promotional messages to you." 

Obviously a VPN company ever making something that does all this is... Pretty bad? From what I can tell looking up stuff it was launched in September 2019. For how long it lasted I have no real clue.
Best I can find was this Github repo developed by someone who has like no other commit or repository history that only hosts DNS servers and was last updated in 2020??? Archive.org and other sites on cachedvuew provide nothing when I use the URL above, and it just goes to the normal Surfshark homepage now.

github.com/TrustDNS
github.com/SharonBarcia

This whole thing just feels very strange overall. So if someone could shed some light on this I'd be pleased!

I keep thinking about this.

1. Most retro handhelds do not have cellular network chips, gps, or even built it microphones or cameras in many cases. But many do still support wifi and Bluetooth.
2. The vast majority of them do support either Linux, Android, or both. This is the area that needs the most work, since the Linux distros on these devices are so stripped down that they can't do much more than run emulators and a few bespoke game engine compilations. And for the Android-supporting devices, there would be a need to build more privacy-respecting roms. But that's the thing - many of these devices openly support that, it's just not something the communities have gotten around to creating.
3. While this would become less useful with popularity, this kind of approach would be a form of steganography. If you're in an extreme situation where you or your belongings are being searched, how many people are going to suspect that the little Retroid Pocket gaming handheld is even something you can or might be storing your private info on?

Edit: Judging by the comments so far, I underestimated how unknown these devices must be still. While they do technically include handhelds like the PSP/Vita, 3/DS, etc; these days when people use the term "retro handheld" they're usually referring to a veritable cornucopia of gaming devices that come in a wide variety of hardware configurations and form factors. They are most often ARM-based devices, though there are even a couple that are pocketable fpga devices. Some of them are even small enough to be .

Right now some of the most popular companies in this category include Retroid, Anbernic, Ayn, and Ayaneo. There is also a large selection of 3rd party custom firmwares out for many of these devices. But again, most of these are just very stripped down versions of Linux. Instead of full fledged desktop environments, they normally have media center style frontends like Emulation Station. And as far as I know, none of them have bothered to port any of the conventional Linux package managers.

As far as I understand, there is no technical reason why PostmarketOS, Mobian, or LineageOS for MicroG couldn't be ported to at least some of these devices, as some examples.

Hopefully that is enough resources for anyone to start to get up to speed. It should be apparent that full, unbroken system experiences with up-to-date software is possible on at least some of these devices, even including apps like Signal.

Just wanted to share my setup and see if anyone has suggestions or feedback. Also share yours.

Phone : GrapheneOS(pixel 7a)

1. No google play service on my main profile. Rethink DNS (NextDNS DoH) blocks ads, trackers, and all Google & Facebook DNS (except WhatsApp).
2. Some FOSS apps like Aurora Store & NewPipe need Google servers, so I have excluded them in rethink dns.
3. Work Profile (with Island) with GrapheneOS’ sandboxed Play Services, but I use it maybe once or twice a month only for apps that absolutely need it. It stays turned off most of the time.
   If an app works on main profile without any issues, will use it. If not, will try to use it in firefox (as lack of play services doesn't matter). If only app is available (and not web version) and it doesn't work on main profile, will use it in work profile.
4. Hardened Firefox fork(Ironfox) for private browsing. Main Firefox for a few services where I have to stay logged in and don't have apps or want to use their apps.
5. Network & Sensor Restrictions: If an app works offline, I block its internet access. Also, disabled sensors for apps that don’t need them.
6. Mostly use foss apps from f-droid(droidify).
7. Email: moved from gmail to protonmail

PC/laptop: Arch linux kde on pc and fedora kde on laptop.

1. Not much to say. Most used apps are firefox and Zed. I allow data collection on kde as I want them to improve it.

Home Server: Raspberry Pi 4B

1. SSH hardening: Non standard ssh port(yes, I opened the port externally because I depend on my home server and need to access it remotely). SSH keys or password+totp, Fail2Ban, ufw.
2. Services running: Arr setup(jellyfin, prowlarr, radarr,sonarr, qbittorrent), pihole, Immich, Authelia(for now). All data sensitive services behind authelia with totp.
3. Nginx Geo-blocking: Only allows access from my country IPs
4. Weekly backups because data loss sucks.

Network & Router: OpenWRT (TP-Link)

1. Not much to say: Running default firewall rules with network-wide ad/tracker blocking via pihole and some ports opened.