From the Wired article, "Instead of going for the easy bust, the FBI spent a solid year surveilling McGrath, while working with Justice Department lawyers on the legal framework for what would become Operation Torpedo. Finally, in November 2012, the feds swooped in on McGrath, seized his servers and spirited them away to an FBI office in Omaha.
A federal magistrate signed three separate search warrants: one for each of the three hidden services. The warrants authorized the FBI to modify the code on the servers to deliver the NIT to any computers that accessed the sites. The judge also allowed the FBI to delay notification to the targets for 30 days."
The FBI modified the .onion sites to serve a malicious script which was used to de-anonymize users. It's worth noting that only those using Tor improperly would be vulnerable. The FBI tracking payload required scripting to be enabled in the browser--a common blunder among inexperienced Tor users.
(Score: 5, Insightful) by keplr on Wednesday August 06 2014, @05:09PM
Well, some low-level child porn sharers/distributors were taken down. So that's a good thing. But the way it was done is a bit troubling. The FBI seized the servers running the .onion sites and instead of taking them offline they converted them to de-anonymizing systems. They let this run for a month, serving child pornography, and collecting IP addresses from users that had scripting enabled.
The correct thing to do would have been to take the servers down immediately. The FBI, or any part of the government, shouldn't be allowed to set up dragnet attacks against all users who connect to a certain server. Imagine if you were tricked into clicking a link and ended up there. That shouldn't be a crime, but you could be hauled out of your house in the middle of the night and labeled a pedophile for doing that.
I don't respond to ACs.
(Score: 4, Informative) by hemocyanin on Wednesday August 06 2014, @05:23PM
This whole story fits into the principle that "bad facts make bad law." It's hard to overlook the fact that extremely scummy people were busted here, and the Government relies on this emotional reaction to get much wider powers. I'm sure the evidence will ultimately be admitted because of the "bad facts" principle, which will open the door to Federal malware anywhere.
From TFA:
(Score: 1, Insightful) by Anonymous Coward on Wednesday August 06 2014, @05:44PM
> It's hard to overlook the fact that extremely scummy people were busted here,
Scummy, or just gross?
Given how often the cops ignore the abusers since it takes a lot of effort to get them versus snagging basement-dwelling pervs who are whacking it to 20-year-old photos, it seems reasonable to ask if there is any evidence that any of the people who were arrested were producers or had even provided incentive to someone else to harm a child by producing the abuse images?
I wish we lived in a country where the cops were selfless instead of self-serving, but their lack of ethical standards invites such doubts.
(Score: 2) by Magic Oddball on Thursday August 07 2014, @12:48AM
Unfortunately, an in-depth study of child-porn convicts released back in '09 showed that 85% of them *had* also molested at least one kid:
My guess is that a lot of cops only truly go "bad" after spending years watching perps like that go free due to insufficient evidence or other technicalities...
(Score: 3, Interesting) by PinkyGigglebrain on Thursday August 07 2014, @02:19AM
Just a heads up; the "Butner Study" has been getting criticism from many quarters because the data is being misused by prosecutors and LEOs.
Even the original authors have commented on the misuse.
http://www.protectingyourfuture.info/is-there-a-link-between-child-pornography-and-child-molestation [protectingyourfuture.info]
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 3, Insightful) by metamonkey on Wednesday August 06 2014, @05:29PM
Depends on the threshold for action. If somebody accessed the home page and then immediately clicked out (didn't send any more requests for that service) then they shouldn't be targeted. Just make the threshold something like "must have downloaded at least 10 pictures" and I don't think it's much different than any other sting operation that law enforcement operates in meatspace to combat drugs or guns.
Okay 3, 2, 1, let's jam.
(Score: 2) by keplr on Wednesday August 06 2014, @05:39PM
Define download. Just visiting a page causes its entire contents to be "downloaded" to your computer, and usually cached to the HDD which persists even if you abruptly close the window. I don't know how the site was designed, but it's entirely possible that the homepage itself contained illegal images.
I don't respond to ACs.
(Score: 2) by metamonkey on Wednesday August 06 2014, @06:23PM
Since the FBI was hosting the honeypot and would also be defining the threshold of an arrest-worthy offense, I would assume they would take this into account. On the Google Analytics dashboard I have for my website it shows you the bounce rate. What percentage of people never make it past your first page, and how long they stuck around for. Since this attack worked by running a script in the target's browser, I would imagine they could record such information.
I'm doing a lot of imagining here, but I would also imagine they would want to record such information as it would help the prosecution's case. If there's a mens rea requirement to the applicable laws (and there always should be, but the last 20 years of legislation, not so much) then the prosecution would have to prove that the defendant knowingly and willfully accessed this information. "I clicked on it, it opened up, and the instant I saw what it was I closed the browser" is a legitimate defense. So having a log from the server and script showing that the defendant opened up the site, looked at the front page for 30 seconds and then went through clicking every link would be useful evidence.
Okay 3, 2, 1, let's jam.
(Score: 2) by bob_super on Wednesday August 06 2014, @06:57PM
> On the Google Analytics dashboard ...
I'm not paranoid enough to use TOR, but my NoScript has been told to always block Google Analytics and similar scripts. What are the odds that the feds would have and be willing to use that actual information, rather than pat themselves on the back for filling more jail cells?
(Score: 2, Interesting) by Anonymous Coward on Wednesday August 06 2014, @07:02PM
> If there's a mens rea requirement to the applicable law
There is no mens rea requirement for child abuse imagery, [yalelawtech.org] only the discretion of the prosecutor. Given just how eager people are to turn off their minds when it comes to images of child abuse, the prosecutor has everything to lose if he does not prosecute. Just look at all those cases where they've prosecuted teenagers for sexting under the theory that they were manufacturing images of child abuse.
(Score: 2) by RaffArundel on Wednesday August 06 2014, @06:14PM
Perhaps there was a threshold, otherwise there would be a lot of wasted court time if not. I can imagine the defense would definitely seize the click-bait approach - a "Rick-Roll" defense most likely, since I doubt there would be a lot of sympathy for goatse/tubgirl in the courtroom.
However, my concern is more around if using an anonymizing service lowered the bar. I could see the government saying "yeah, he clicked once, but WHY WAS HE HIDING HIS TRACKS IF IT WAS AN ACCIDENT?!?!" which sets a very bad precedent. I'm less concerned over hemocyanin's quote from TFA, which is much appreciated, that this was "an egregious violation of the Fourth Amendment" from the defense lawyers. They actually obtained warrants and set up a sting operation under judicial review and approval. I like that better than the "secret-court-with-no-oversight-or-fake-a-911-call-to-send-in-the-overmilitarized-police" approach in other cases.
If it were up to me, I'd shut it down or replace the page with a big fat notice: "law enforcement was here". The idea of people doing this disgusts me, which is why it is hard to talk about "rights" rationally when there is a legitimate think-of-the-children argument. Sting operation would be tempting, but you are targeting consumers not creators, so not worth it IMO.
(Score: 2) by tynin on Wednesday August 06 2014, @09:13PM
I've worked at an ISP that also has a tier 1 network. It was SOP to never take down the offending site, but to validate it did indeed consist of kiddie porn (the horror), burn the site to disk and stick it in the vault (which was overflowing), and notify the FBI and our legal dept. The site serving the offensive material was always left online to allow for the Feds to gather more dirt. One of my co-workers was sick of this policy, so they sent in a forged email into support appearing to be coming from the user's contact email professing how they were a scumbag pedo and requested that the account be terminated immediately, which worked surprisingly well.