from the the-user-is-the-weakest-link dept.
From the Wired article, "Instead of going for the easy bust, the FBI spent a solid year surveilling McGrath, while working with Justice Department lawyers on the legal framework for what would become Operation Torpedo. Finally, in November 2012, the feds swooped in on McGrath, seized his servers and spirited them away to an FBI office in Omaha.
A federal magistrate signed three separate search warrants: one for each of the three hidden services. The warrants authorized the FBI to modify the code on the servers to deliver the NIT to any computers that accessed the sites. The judge also allowed the FBI to delay notification to the targets for 30 days."
The FBI modified the .onion sites to serve a malicious script which was used to de-anonymize users. It's worth noting that only those using Tor improperly would be vulnerable. The FBI tracking payload required scripting to be enabled in the browser, a common blunder among inexperienced Tor users.
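As an added, defender-side illustration of the point above (this is example code written for this page, not code from the Wired article, the FBI, or the Tor Project): the script below parses a Firefox-style `user.js`, the preference file format Tor Browser inherits from Firefox, and flags preferences that leave a user exposed to script-based or network-based identification. The sample profile is constructed, and the choice of which preferences to check (`javascript.enabled`, `network.proxy.socks_remote_dns`, `media.peerconnection.enabled`) is this example's own, not an official Tor Browser checklist; Tor Browser's security-level UI manages some of these settings in its own way.

```python
import re
from typing import Dict, List, Union

PrefValue = Union[bool, int, str]

# Constructed sample profile, not taken from any real Tor Browser install.
SAMPLE_USER_JS = """\
// Mozilla User Preferences (constructed sample)
user_pref("javascript.enabled", true);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("media.peerconnection.enabled", true);
"""

# One user_pref("name", value); line, as written by Firefox-based browsers.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

# Values we want for settings that matter for script- and network-based
# deanonymization. This list is the example's own choice, not an official one.
EXPECTED: Dict[str, PrefValue] = {
    "javascript.enabled": False,             # the Torpedo payload needed scripting
    "network.proxy.socks_remote_dns": True,  # resolve names through Tor, not local DNS
    "media.peerconnection.enabled": False,   # WebRTC can reveal local addresses
}


def parse_value(raw: str) -> PrefValue:
    """Turn the textual value of a user_pref line into bool, str or int."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # keep anything unexpected verbatim rather than guessing


def parse_user_js(text: str) -> Dict[str, PrefValue]:
    """Collect all user_pref() entries, ignoring blank lines and // comments."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        match = PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = parse_value(match.group(2))
    return prefs


def audit(prefs: Dict[str, PrefValue]) -> List[str]:
    """Return one human-readable finding per preference that deviates from EXPECTED."""
    findings: List[str] = []
    for name, wanted in EXPECTED.items():
        if name not in prefs:
            findings.append(f"{name}: not set, browser default applies; set it to {wanted!r}")
        elif prefs[name] != wanted:
            findings.append(f"{name}: is {prefs[name]!r}, expected {wanted!r}")
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse a user.js body and audit it in one call."""
    return audit(parse_user_js(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_USER_JS):
        print("WARN", finding)
```

Run against the constructed profile, the audit reports that scripting and WebRTC are still on while remote DNS resolution is correctly routed through the proxy; an empty file yields a finding for every checked preference, because a setting that is absent falls back to the browser default rather than to the safe value.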
Related Stories
The FBI is not eager to reveal (more) details about methods it used to identify Tor users as part of a child pornography case. FBI's Operation Torpedo previously unmasked Tor users by serving them malicious scripts from secretly seized .onion sites.
The FBI is resisting calls to reveal how it identified people who used a child pornography site on the Tor anonymising network. The agency was ordered to share details by a Judge presiding over a case involving one alleged user of the site. Defence lawyers said they need the information to see if the FBI exceeded its authority when identifying users. But the Department of Justice (DoJ), acting for the FBI, said the details were irrelevant to the case. "Knowing how someone unlocked the front door provides no information about what that person did after entering the house," wrote FBI agent Daniel Alfin in court papers filed by the DoJ which were excerpted on the Vice news site.
The Judge ordered the FBI to hand over details during a court hearing in late February. The court case revolves around a "sting" the FBI carried out in early 2015 when it seized a Tor-based site called Playpen that traded in images and videos of child sexual abuse. The agency kept the site going for 13 days and used it to grab information about visitors who took part in discussion threads about images of child abuse.
(Score: 2) by mtrycz on Wednesday August 06 2014, @04:54PM
So is this good news or bad news?
In capitalist America, ads view YOU!
(Score: 1) by wantkitteh on Wednesday August 06 2014, @04:59PM
I'd be interested in finding out exactly how they located the servers - as would Ross Ulbricht [theregister.co.uk].
(Score: 4, Informative) by keplr on Wednesday August 06 2014, @05:13PM
It's in the article, "Tor hidden services mask their locations behind layers of routing. But when the agents got to a site called Pedoboard, they discovered that the owner had foolishly left the administrative account open with no password. They logged in and began poking around, eventually finding the server's real Internet IP address in Bellevue, Nebraska."
So it wasn't a genius SIGINT op attacking the Tor network, just a hilariously incompetent sysadmin.
I don't respond to ACs.
(Score: 4, Insightful) by tathra on Wednesday August 06 2014, @05:41PM
or at least that's what they're claiming. anybody who knows that parallel construction [wikipedia.org] exists, and is in fact SOP, [muckrock.com] yet still believes the claims of LEOs is incredibly naive.
(Score: 4, Insightful) by keplr on Wednesday August 06 2014, @05:44PM
Correct. I should have mentioned that's the official story, so it's necessary to remain skeptical. However, incompetent criminals do exist, and naturally these are the ones who tend to get caught and reported on.
I don't respond to ACs.
(Score: 3, Interesting) by Runaway1956 on Wednesday August 06 2014, @06:20PM
http://www.cse.hut.fi/en/publications/B/11/papers/salo.pdf [cse.hut.fi]
Given governmental authority to barge into any ISP anywhere, NSA/FBI/whoever can set up their own routers anywhere. And, maybe they already have them everywhere, who knows?
Analyzing the traffic of several routers, someone can make an educated guess where the traffic is coming from. Set up a few more routers close to the guess, and analyze some more. If it looks like you're close, set up even more routers in proximity, then start poisoning the routing information. Soon, the target is sending all his data across servers that you control.
The feds don't have infinite resources, but they have a lot. They can and will zero in on a high value target, sooner or later.
“Take me to the Brig. I want to see the ‘real Marines’.” – Major General Chesty Puller, USMC
(Score: 5, Insightful) by keplr on Wednesday August 06 2014, @05:09PM
Well some low level child porn sharers/distributors were taken down. So that's a good thing. But the way it was done is a bit troubling. The FBI seized the servers running the .onion sites and instead of taking them offline they converted them to de-anonymizing systems. They let this run for a month, serving child pornography, and collecting IP addresses from users that had scripting enabled.
The correct thing to do would have been to take the servers down immediately. The FBI, or any part of the government, shouldn't be allowed to set up dragnet attacks against all users who connect to a certain server. Imagine if you were tricked into clicking a link and ended up there. That shouldn't be a crime, but you could be hauled out of your house in the middle of the night and labeled a pedophile for doing that.
I don't respond to ACs.
(Score: 4, Informative) by hemocyanin on Wednesday August 06 2014, @05:23PM
This whole story fits into the principle that "bad facts make bad law." It's hard to overlook the fact that extremely scummy people were busted here, and the Government relies on this emotional reaction to get much wider powers. I'm sure the evidence will ultimately be admitted because of the "bad facts" principle, which will open the door to Federal malware anywhere.
From TFA:
(Score: 1, Insightful) by Anonymous Coward on Wednesday August 06 2014, @05:44PM
> It's hard to overlook the fact that extremely scummy people were busted here,
Scummy, or just gross?
Given how often the cops ignore the abusers since it takes a lot of effort to get them versus snagging basement-dwelling pervs who are whacking it to 20-year old photos, it seems reasonable to ask if there is any evidence that any of the people who were arrested were producers or had even provided incentive to someone else to harm a child by producing the abuse images?
I wish we lived in a country where the cops were selfless instead of self-serving, but their lack of ethical standards invites such doubts.
(Score: 2) by Magic Oddball on Thursday August 07 2014, @12:48AM
Unfortunately, an in-depth study of child-porn convicts released back in '09 showed that 85% of them *had* also molested at least one kid:
My guess is that a lot of cops only truly go "bad" after spending years watching perps like that go free due to insufficient evidence or other technicalities...
(Score: 3, Interesting) by PinkyGigglebrain on Thursday August 07 2014, @02:19AM
Just a heads up; the "Butner Study" has been getting criticism from many quarters because the data is being misused by prosecutors and LEOs.
Even the original authors have commented on the misuse.
http://www.protectingyourfuture.info/is-there-a-link-between-child-pornography-and-child-molestation [protectingyourfuture.info]
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 3, Insightful) by metamonkey on Wednesday August 06 2014, @05:29PM
Depends on the threshold for action. If somebody accessed the home page and then immediately clicked out (didn't send any more requests for that service) then they shouldn't be targeted. Just make the threshold something like "must have downloaded at least 10 pictures" and I don't think it's much different than any other sting operation that law enforcement operates in meatspace to combat drugs or guns.
Okay 3, 2, 1, let's jam.
(Score: 2) by keplr on Wednesday August 06 2014, @05:39PM
Define download. Just visiting a page causes its entire contents to be "downloaded" to your computer, and usually cached to the HDD which persists even if you abruptly close the window. I don't know how the site was designed, but it's entirely possible that the homepage itself contained illegal images.
I don't respond to ACs.
(Score: 2) by metamonkey on Wednesday August 06 2014, @06:23PM
Since the FBI was hosting the honeypot and would also be defining the threshold of an arrest-worthy offense, I would assume they would take this into account. The Google Analytics dashboard I have for my website shows you the bounce rate: what percentage of people never make it past your first page, and how long they stuck around for. Since this attack worked by running a script in the target's browser, I would imagine they could record such information.
I'm doing a lot of imagining here, but I would also imagine they would want to record such information as it would help the prosecution's case. If there's a mens rea requirement to the applicable laws (and there always should be, but the last 20 years of legislation, not so much) then the prosecution would have to prove that the defendant knowingly and willfully accessed this information. "I clicked on it, it opened up, and the instant I saw what it was I closed the browser" is a legitimate defense. So having a log from the server and script showing that the defendant opened up the site, looked at the front page for 30 seconds and then went through clicking every link would be useful evidence.
Okay 3, 2, 1, let's jam.
(Score: 2) by bob_super on Wednesday August 06 2014, @06:57PM
> On the Google Analytics dashboard ...
I'm not paranoid enough to use TOR, but my NoScript has been told to always block Google Analytics and similar scripts. What are the odds that the feds would have and be willing to use that actual information, rather than pat themselves on the back for filling more jail cells?
(Score: 2, Interesting) by Anonymous Coward on Wednesday August 06 2014, @07:02PM
> If there's a mens rea requirement to the applicable law
There is no mens rea requirement for child abuse imagery, [yalelawtech.org] only the discretion of the prosecutor. Given just how eager people are to turn off their minds when it comes to images of child abuse, the prosecutor has everything to lose if he does not prosecute. Just look at all those cases where they've prosecuted teenagers for sexting under the theory that they were manufacturing images of child abuse.
(Score: 2) by RaffArundel on Wednesday August 06 2014, @06:14PM
Perhaps there was a threshold, otherwise there would be a lot of wasted court time. I can imagine the defense would definitely seize the click-bait approach - a "Rick-Roll" defense most likely, since I doubt there would be a lot of sympathy for goatse/tubgirl in the courtroom.
However, my concern is more around whether using an anonymizing service lowered the bar. I could see the government saying "yeah, he clicked once, but WHY WAS HE HIDING HIS TRACKS IF IT WAS AN ACCIDENT?!?!" which sets a very bad precedent. I'm less concerned over hemocyanin's quote from TFA, which is much appreciated, that this was "an egregious violation of the Fourth Amendment" from the defense lawyers. They actually obtained warrants and set up a sting operation under judicial review and approval. I like that better than the "secret-court-with-no-oversight-or-fake-a-911-call-to-send-in-the-overmilitarized-police" approach in other cases.
If it were up to me, I'd shut it down or replace the page with a big fat notice: "law enforcement was here". The idea of people doing this disgusts me, which is why it is hard to talk about "rights" rationally when there is a legitimate think-of-the-children argument. A sting operation would be tempting, but you are targeting consumers not creators, so not worth it IMO.
(Score: 2) by tynin on Wednesday August 06 2014, @09:13PM
I've worked at an ISP that also has a tier 1 network. It was SOP to never take down the offending site, but to validate it did indeed have kiddie porn (the horror), burn the site to disk and stick it in the vault (which was overflowing), and notify the FBI and our legal dept. The site serving the offensive material was always left online to allow for the Feds to gather more dirt. One of my co-workers was sick of this policy, so they sent a forged email to support appearing to be coming from the user's contact email professing how they were a scumbag pedo and requested that the account be terminated immediately, which worked surprisingly well.
(Score: 3, Informative) by Runaway1956 on Wednesday August 06 2014, @06:03PM
It's definitely good and bad.
They busted some child porn freaks. That's good.
They found an exploit that makes it easy to deanonymize a Tor user if he doesn't set up Tor correctly. That is bad.
But, again on the good side - if you set Tor up properly, this exploit isn't supposed to work.
“Take me to the Brig. I want to see the ‘real Marines’.” – Major General Chesty Puller, USMC
(Score: 3, Insightful) by PinkyGigglebrain on Thursday August 07 2014, @12:18AM
From the summary it sounds like they busted some buyers and distributors.
So this is not good; not a single child was actually saved/rescued/protected/whatever they are calling actions that actually benefit the victims now.
Just another example of LEOs going after the low hanging fruit rather than the scum that actually hurt children. Yeah, some of those arrested might also be abusers, most probably are not.
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 3, Insightful) by kaszz on Wednesday August 06 2014, @05:55PM
Bottom line seems to be that HTML and Javascript don't go well with security. You could just extend the FONT tag and get a stack overflow that gives you shell etc. And Javascript rats you out right away. If this pile-of-shit needs to be run then use a tight sandbox which doesn't know its own location (IP) and has an enforced endpoint in the middle of the onions so it can't be used to tell which entry server is used either.
In the beginning HTML produced structured information. Now it provides heat generation and smeared privacy. Oh and plenty of bugs of course.
Tip to any site operators: Install a logic agent that fucks up the server if it's meddled with or moved etc in any way.
(Score: 1) by Freeman on Wednesday August 06 2014, @06:48PM
Good that they are catching those people who are dispersing and partaking in child pornography. Bad that they are abusing the tools to catch said people. Tools that deliberately infect machines with malware, if used improperly, could be a Major invasion of privacy. We don't arrest a soldier carrying an automatic weapon, if he is using the tool as required by his profession. We Do arrest anyone who shouldn't be carrying an automatic weapon. Why? Because the use of such a tool is extremely dangerous in the wrong hands. Same goes for the tools that they are using to catch these criminals. We can't tie the hands of the police. That said, we Definitely need to know how they use their tools and who they aim them at. Spying on thousands, hundreds of thousands, or possibly millions of innocent people is not an acceptable practice. The problem is that it's so easy to do that.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 0) by Anonymous Coward on Thursday August 07 2014, @05:11PM
'tis is old news.
how about "planting"? can they plant too? obviously : )